summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--ext/mysqli/mysqli_api.c2
-rw-r--r--ext/mysqli/mysqli_nonapi.c2
-rw-r--r--ext/mysqli/mysqli_warning.c4
-rw-r--r--ext/mysqli/php_mysqli.h2
-rw-r--r--ext/mysqli/tests/bug34810.phpt38
5 files changed, 43 insertions, 5 deletions
diff --git a/ext/mysqli/mysqli_api.c b/ext/mysqli/mysqli_api.c
index 203bbbde7c..1b9a56482d 100644
--- a/ext/mysqli/mysqli_api.c
+++ b/ext/mysqli/mysqli_api.c
@@ -1033,7 +1033,7 @@ PHP_FUNCTION(mysqli_init)
mysqli_resource = (MYSQLI_RESOURCE *)ecalloc (1, sizeof(MYSQLI_RESOURCE));
mysqli_resource->ptr = (void *)mysql;
- if (!getThis()) {
+ if (!getThis() || !instanceof_function(Z_OBJCE_P(getThis()), mysqli_link_class_entry TSRMLS_CC)) {
MYSQLI_RETURN_RESOURCE(mysqli_resource, mysqli_link_class_entry);
} else {
((mysqli_object *) zend_object_store_get_object(getThis() TSRMLS_CC))->ptr = mysqli_resource;
diff --git a/ext/mysqli/mysqli_nonapi.c b/ext/mysqli/mysqli_nonapi.c
index c5ff87f33d..bef10913a7 100644
--- a/ext/mysqli/mysqli_nonapi.c
+++ b/ext/mysqli/mysqli_nonapi.c
@@ -112,7 +112,7 @@ PHP_FUNCTION(mysqli_connect)
mysqli_resource = (MYSQLI_RESOURCE *)ecalloc (1, sizeof(MYSQLI_RESOURCE));
mysqli_resource->ptr = (void *)mysql;
- if (!object) {
+ if (!object || !instanceof_function(Z_OBJCE_P(object), mysqli_link_class_entry TSRMLS_CC)) {
MYSQLI_RETURN_RESOURCE(mysqli_resource, mysqli_link_class_entry);
} else {
((mysqli_object *) zend_object_store_get_object(object TSRMLS_CC))->ptr = mysqli_resource;
diff --git a/ext/mysqli/mysqli_warning.c b/ext/mysqli/mysqli_warning.c
index 3029d827cf..3ea578f6c7 100644
--- a/ext/mysqli/mysqli_warning.c
+++ b/ext/mysqli/mysqli_warning.c
@@ -201,8 +201,8 @@ PHP_METHOD(mysqli_warning, __construct)
mysqli_resource = (MYSQLI_RESOURCE *)ecalloc (1, sizeof(MYSQLI_RESOURCE));
mysqli_resource->ptr = mysqli_resource->info = (void *)w;
- if (!getThis()) {
- MYSQLI_RETURN_RESOURCE(mysqli_resource, mysqli_link_class_entry);
+ if (!getThis() || !instanceof_function(Z_OBJCE_P(getThis()), mysqli_warning_class_entry TSRMLS_CC)) {
+ MYSQLI_RETURN_RESOURCE(mysqli_resource, mysqli_warning_class_entry);
} else {
((mysqli_object *) zend_object_store_get_object(getThis() TSRMLS_CC))->ptr = mysqli_resource;
((mysqli_object *) zend_object_store_get_object(getThis() TSRMLS_CC))->valid = 1;
diff --git a/ext/mysqli/php_mysqli.h b/ext/mysqli/php_mysqli.h
index 4298ebf851..5999d12551 100644
--- a/ext/mysqli/php_mysqli.h
+++ b/ext/mysqli/php_mysqli.h
@@ -191,7 +191,7 @@ PHP_MYSQLI_EXPORT(zend_object_value) mysqli_objects_new(zend_class_entry * TSRML
#define MYSQLI_REGISTER_RESOURCE(__ptr, __ce) \
{\
zval *object = getThis();\
- if (!object) {\
+ if (!object || !instanceof_function(Z_OBJCE_P(object), mysqli_link_class_entry TSRMLS_CC)) {\
object = return_value;\
Z_TYPE_P(object) = IS_OBJECT;\
(object)->value.obj = mysqli_objects_new(__ce TSRMLS_CC);\
diff --git a/ext/mysqli/tests/bug34810.phpt b/ext/mysqli/tests/bug34810.phpt
new file mode 100644
index 0000000000..12d6ce2e9a
--- /dev/null
+++ b/ext/mysqli/tests/bug34810.phpt
@@ -0,0 +1,38 @@
+--TEST--
+bug #34810 (mysqli::init() and others use wrong $this pointer without checks)
+--SKIPIF--
+<?php require_once('skipif.inc'); ?>
+--FILE--
+<?php
+
+class DbConnection {
+ public function connect() {
+ include "connect.inc";
+
+ $link = mysqli::connect($host, $user, $passwd);
+ var_dump($link);
+
+ $link = mysqli::init();
+ var_dump($link);
+
+ $mysql = new mysqli($host, $user, $passwd, "test");
+ $mysql->query("DROP TABLE IF EXISTS test_warnings");
+ $mysql->query("CREATE TABLE test_warnings (a int not null)");
+ $mysql->query("INSERT INTO test_warnings VALUES (1),(2),(NULL)");
+ var_dump(mysqli_warning::__construct($mysql));
+ }
+}
+
+$db = new DbConnection();
+$db->connect();
+
+echo "Done\n";
+?>
+--EXPECTF--
+object(mysqli)#%d (0) {
+}
+object(mysqli)#%d (0) {
+}
+object(mysqli_warning)#%d (0) {
+}
+Done
View Lorry Controller Status