From 987a3a5c8ebcc37a87c808ecd308547aa307225a Mon Sep 17 00:00:00 2001
From: Mark Karpeles
Date: Fri, 15 Aug 2025 15:01:13 +0900
Subject: [PATCH] Fix GH-19484 i: potential use after free when using persistent pgsql connections.

By setting the notice processor to a no-op when a persistent connection is cleaned for future use.
Close GH-19485
---
 NEWS | 4 ++++
 ext/pgsql/pgsql.c | 9 +++++++++
 2 files changed, 13 insertions(+)

diff --git a/NEWS b/NEWS
index d23b71bb54a..17424b38a72 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,10 @@ PHP NEWS
 . Fixed bug GH-19245 (Success error message on TLS stream accept failure).
 (Jakub Zelenka)
+- PGSQL:
+ . Fixed bug GH-19485 (potential use after free when using persistent pgsql
+ connections). (Mark Karpeles)
+
 - Standard:
 . Fixed bug GH-16649 (UAF during array_splice). (alexandre-daubois)
diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c
index 11ce814cbec..1d7fee60170 100644
--- a/ext/pgsql/pgsql.c
+++ b/ext/pgsql/pgsql.c
@@ -328,6 +328,10 @@ static void _close_pgsql_plink(zend_resource *rsrc)
 static void _php_pgsql_notice_handler(void *l, const char *message)
 {
+ if (l == NULL) {
+ /* This connection does not currently have a valid context, ignore this notice */
+ return;
+ }
 if (PGG(ignore_notices)) {
 return;
 }
@@ -360,6 +364,11 @@ static int _rollback_transactions(zval *el)
 link = (PGconn *) rsrc->ptr;
+ /* unset notice processor if we initially did set it */
+ if (PQsetNoticeProcessor(link, NULL, NULL) == _php_pgsql_notice_handler) {
+ PQsetNoticeProcessor(link, _php_pgsql_notice_handler, NULL);
+ }
+
 if (PQsetnonblocking(link, 0)) {
 php_error_docref("ref.pgsql", E_NOTICE, "Cannot set connection to blocking mode");
 return -1;
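Review bot: The `l == NULL` guard added at the top of `_php_pgsql_notice_handler` protects only against a context that has been explicitly cleared, so the handler is safe only while every path that releases the context also resets the processor argument; the comment should state that invariant instead of only the symptom. I would write it as `/* context is reset to NULL when a persistent link is recycled (see _rollback_transactions); nothing to attach the notice to */`. A stale non-NULL pointer would presumably still be used further down, but the rest of the function body lies outside the hunk.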
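Review bot: The comment `unset notice processor if we initially did set it` does not match the code beneath it in `_rollback_transactions`: the handler stays installed and only its context argument is replaced with NULL, with the first `PQsetNoticeProcessor(link, NULL, NULL)` call serving as a query for the current processor. I would reword it to `/* keep our handler but clear its context pointer; the handler drops notices while the argument is NULL */`. Placing this ahead of the `PQsetnonblocking` early return is right, because the pointer is cleared even when that call fails. The reuse path is not visible here, so it is worth confirming that it registers the handler again with the new context, otherwise notices on a recycled persistent connection would be dropped silently. The function body starts and ends outside the hunk.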