From b1211c1e4ad65c7353f3a4d5864184e81c500613 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Fri, 16 Aug 2024 21:01:56 +0200
Subject: [PATCH] Fix GH-15432: Heap corruption when querying a vector

Since the mysqlnd result set is arena allocated, we must not simply
free it, but rather call the appropriate `free_result` method.

Co-authored-by: Kamil Tekiela <tekiela246@gmail.com>
---
 NEWS                          |  4 ++++
 ext/mysqli/tests/gh15432.phpt | 24 ++++++++++++++++++++++++
 ext/mysqlnd/mysqlnd_result.c  |  2 +-
 3 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 ext/mysqli/tests/gh15432.phpt

diff --git a/NEWS b/NEWS
index d845ea39635..c36d0465bea 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.2.24
 
+- MySQLnd:
+  . Fixed bug GH-15432 (Heap corruption when querying a vector). (cmb,
+    Kamil Tekiela)
+
 29 Aug 2024, PHP 8.2.23
 
 - Core:
diff --git a/ext/mysqli/tests/gh15432.phpt b/ext/mysqli/tests/gh15432.phpt
new file mode 100644
index 00000000000..50372a1bbc5
--- /dev/null
+++ b/ext/mysqli/tests/gh15432.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Bug GH-15432 (Heap corruption when querying a vector)
+--EXTENSIONS--
+mysqli
+--SKIPIF--
+<?php
+require 'connect.inc';
+$link = @my_mysqli_connect($host, $user, $passwd, $db, $port, $socket);
+if ($link === false) {
+    die(sprintf("skip Can't connect to MySQL Server - [%d] %s", mysqli_connect_errno(), mysqli_connect_error()));
+}
+if ($link->server_version < 90000 || $link->server_version >= 10_00_00) {
+    die("skip MySQL 9.0.0+ needed");
+}
+?>
+--FILE--
+<?php
+require 'connect.inc';
+$link = my_mysqli_connect($host, $user, $passwd, $db, $port, $socket);
+var_dump($link->query('SELECT STRING_TO_VECTOR("[1.05, -17.8, 32]")'));
+?>
+--EXPECTF--
+Warning: mysqli::query(): Unknown type 242 sent by the server. Please send a report to the developers in %s on line %d
+bool(false)
diff --git a/ext/mysqlnd/mysqlnd_result.c b/ext/mysqlnd/mysqlnd_result.c
index cf091a802bb..43983279e77 100644
--- a/ext/mysqlnd/mysqlnd_result.c
+++ b/ext/mysqlnd/mysqlnd_result.c
@@ -302,7 +302,7 @@ mysqlnd_query_read_result_set_header(MYSQLND_CONN_DATA * conn, MYSQLND_STMT * s)
 				if (FAIL == (ret = result->m.read_result_metadata(result, conn))) {
 					/* For PS, we leave them in Prepared state */
 					if (!stmt && conn->current_result) {
-						mnd_efree(conn->current_result);
+						conn->current_result->m.free_result(conn->current_result, TRUE);
 						conn->current_result = NULL;
 					}
 					DBG_ERR("Error occurred while reading metadata");