From 068c8db2761caeeb4122ed6775fd40c00c088c8c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A1t=C3=A9=20Kocsis?= <kocsismate@woohoolabs.com>
Date: Tue, 4 May 2021 13:35:32 +0200
Subject: [PATCH] Fix the signature of PDOStatement::fetchObject()

The ?array $ctorArgs = null parameter is changed to array $constructorArgs = [], and an additional memory leak revealed by the new test case is fixed.

Closes GH-6937

Co-Authored-By: Nikita Popov <nikita.ppv@gmail.com>
---
 ext/pdo/pdo_stmt.c                            | 14 ++-
 ext/pdo/pdo_stmt.stub.php                     |  2 +-
 ext/pdo/pdo_stmt_arginfo.h                    |  4 +-
 .../pdo_mysql_stmt_fetchobject_ctor_args.phpt | 99 +++++++++++++++++++
 4 files changed, 108 insertions(+), 11 deletions(-)
 create mode 100644 ext/pdo_mysql/tests/pdo_mysql_stmt_fetchobject_ctor_args.phpt

diff --git a/ext/pdo/pdo_stmt.c b/ext/pdo/pdo_stmt.c
index 80b50605b92..ad7df5c241e 100644
--- a/ext/pdo/pdo_stmt.c
+++ b/ext/pdo/pdo_stmt.c
@@ -914,8 +914,8 @@ static bool do_fetch(pdo_stmt_t *stmt, zval *return_value, enum pdo_fetch_type h
 					return 0;
 				}
 				if (!stmt->fetch.cls.fci.size) {
-					if (!do_fetch_class_prepare(stmt))
-					{
+					if (!do_fetch_class_prepare(stmt)) {
+						zval_ptr_dtor(return_value);
 						return 0;
 					}
 				}
@@ -1266,12 +1266,10 @@ PHP_METHOD(PDOStatement, fetchObject)
 
 	do_fetch_opt_finish(stmt, 0);
 
-	if (ctor_args) {
-		if (Z_TYPE_P(ctor_args) == IS_ARRAY && zend_hash_num_elements(Z_ARRVAL_P(ctor_args))) {
-			ZVAL_ARR(&stmt->fetch.cls.ctor_args, zend_array_dup(Z_ARRVAL_P(ctor_args)));
-		} else {
-			ZVAL_UNDEF(&stmt->fetch.cls.ctor_args);
-		}
+	if (ctor_args && zend_hash_num_elements(Z_ARRVAL_P(ctor_args))) {
+		ZVAL_ARR(&stmt->fetch.cls.ctor_args, zend_array_dup(Z_ARRVAL_P(ctor_args)));
+	} else {
+		ZVAL_UNDEF(&stmt->fetch.cls.ctor_args);
 	}
 	if (ce) {
 		stmt->fetch.cls.ce = ce;
diff --git a/ext/pdo/pdo_stmt.stub.php b/ext/pdo/pdo_stmt.stub.php
index e2c25b6a7a0..c80a3f46096 100644
--- a/ext/pdo/pdo_stmt.stub.php
+++ b/ext/pdo/pdo_stmt.stub.php
@@ -41,7 +41,7 @@ class PDOStatement implements IteratorAggregate
     public function fetchColumn(int $column = 0) {}
 
     /** @return object|false */
-    public function fetchObject(?string $class = "stdClass", ?array $ctorArgs = null) {}
+    public function fetchObject(?string $class = "stdClass", array $constructorArgs = []) {}
 
     /** @return mixed */
     public function getAttribute(int $name) {}
diff --git a/ext/pdo/pdo_stmt_arginfo.h b/ext/pdo/pdo_stmt_arginfo.h
index 7748ac54d62..b7c052237e5 100644
--- a/ext/pdo/pdo_stmt_arginfo.h
+++ b/ext/pdo/pdo_stmt_arginfo.h
@@ -1,5 +1,5 @@
 /* This is a generated file, edit the .stub.php file instead.
- * Stub hash: 80860ee99befe1258900120f0c226688f6606c6f */
+ * Stub hash: 2717622c27bdc6aac5ec83609c11dec6cbc9f5d7 */
 
 ZEND_BEGIN_ARG_INFO_EX(arginfo_class_PDOStatement_bindColumn, 0, 0, 2)
 	ZEND_ARG_TYPE_MASK(0, column, MAY_BE_STRING|MAY_BE_LONG, NULL)
@@ -55,7 +55,7 @@ ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_INFO_EX(arginfo_class_PDOStatement_fetchObject, 0, 0, 0)
 	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, class, IS_STRING, 1, "\"stdClass\"")
-	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, ctorArgs, IS_ARRAY, 1, "null")
+	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, constructorArgs, IS_ARRAY, 0, "[]")
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_INFO_EX(arginfo_class_PDOStatement_getAttribute, 0, 0, 1)
diff --git a/ext/pdo_mysql/tests/pdo_mysql_stmt_fetchobject_ctor_args.phpt b/ext/pdo_mysql/tests/pdo_mysql_stmt_fetchobject_ctor_args.phpt
new file mode 100644
index 00000000000..2947ad4e32b
--- /dev/null
+++ b/ext/pdo_mysql/tests/pdo_mysql_stmt_fetchobject_ctor_args.phpt
@@ -0,0 +1,99 @@
+--TEST--
+MySQL PDO: PDOStatement->fetchObject() with $constructorArgs
+--SKIPIF--
+<?php
+require_once(__DIR__ . DIRECTORY_SEPARATOR . 'skipif.inc');
+require_once(__DIR__ . DIRECTORY_SEPARATOR . 'mysql_pdo_test.inc');
+MySQLPDOTest::skip();
+$db = MySQLPDOTest::factory();
+
+try {
+    $query = "SELECT '', NULL, \"\" FROM DUAL";
+    $stmt = $db->prepare($query);
+    $ok = @$stmt->execute();
+} catch (PDOException $e) {
+    die("skip: Test cannot be run with SQL mode ANSI");
+}
+if (!$ok)
+    die("skip: Test cannot be run with SQL mode ANSI");
+?>
+--FILE--
+<?php
+require_once(__DIR__ . DIRECTORY_SEPARATOR . 'mysql_pdo_test.inc');
+/** @var PDO $db */
+$db = MySQLPDOTest::factory();
+MySQLPDOTest::createTestTable($db);
+
+$query = "SELECT id FROM test ORDER BY id ASC LIMIT 1";
+$stmt = $db->prepare($query);
+
+class Foo {
+    public int $a;
+    public int $id;
+
+    public function __construct($a) {
+        $this->a = $a;
+    }
+}
+
+class Bar {
+    public int $id;
+}
+
+$stmt->execute();
+try {
+    $obj = $stmt->fetchObject(Foo::class);
+} catch (ArgumentCountError $exception) {
+    echo $exception->getMessage() . "\n";
+}
+
+$stmt->execute();
+try {
+    $obj = $stmt->fetchObject(Foo::class, []);
+} catch (ArgumentCountError $exception) {
+    echo $exception->getMessage() . "\n";
+}
+
+$stmt->execute();
+$obj = $stmt->fetchObject(Foo::class, ["a" => 123]);
+var_dump($obj);
+
+$stmt->execute();
+$obj = $stmt->fetchObject(Bar::class);
+var_dump($obj);
+
+$stmt->execute();
+$obj = $stmt->fetchObject(Bar::class, []);
+var_dump($obj);
+
+try {
+    $stmt->execute();
+    $obj = $stmt->fetchObject(Bar::class, ["a" => 123]);
+} catch (Error $exception) {
+    echo $exception->getMessage() . "\n";
+}
+
+?>
+--CLEAN--
+<?php
+require __DIR__ . '/mysql_pdo_test.inc';
+MySQLPDOTest::dropTestTable();
+?>
+--EXPECTF--
+Too few arguments to function Foo::__construct(), 0 passed and exactly 1 expected
+Too few arguments to function Foo::__construct(), 0 passed and exactly 1 expected
+object(Foo)#%d (2) {
+  ["a"]=>
+  int(123)
+  ["id"]=>
+  int(1)
+}
+object(Bar)#%d (1) {
+  ["id"]=>
+  int(1)
+}
+object(Bar)#%d (1) {
+  ["id"]=>
+  int(1)
+}
+User-supplied statement does not accept constructor arguments