Fix GH-19484 i: potential use after free when using persistent pgsql connections.

By setting the notice processor to a no-op when a persistent connection is cleaned for future use. Close GH-19485
2025-08-15 21:48:51 +02:00 · 2025-08-15 15:01:13 +09:00 · 2025-08-15 15:01:13 +09:00 · 987a3a5c8e
commit 987a3a5c8e
parent a3de2ce9ba
2 changed files with 13 additions and 0 deletions
--- a/4
+++ b/4
@ -10,6 +10,10 @@ PHP                                                                        NEWS
  . Fixed bug GH-19245 (Success error message on TLS stream accept failure).
    (Jakub Zelenka)

+- PGSQL:
+  . Fixed bug GH-19485 (potential use after free when using persistent pgsql
+    connections). (Mark Karpeles)
+
 - Standard:
  . Fixed bug GH-16649 (UAF during array_splice). (alexandre-daubois)

--- a/ext/pgsql/pgsql.c
+++ b/ext/pgsql/pgsql.c
@ -328,6 +328,10 @@ static void _close_pgsql_plink(zend_resource *rsrc)

 static void _php_pgsql_notice_handler(void *l, const char *message)
 {
+	if (l == NULL) {
+		/* This connection does not currently have a valid context, ignore this notice */
+		return;
+	}
 	if (PGG(ignore_notices)) {
 		return;
 	}
@ -360,6 +364,11 @@ static int _rollback_transactions(zval *el)

 	link = (PGconn *) rsrc->ptr;

+	/* unset notice processor if we initially did set it */
+	if (PQsetNoticeProcessor(link, NULL, NULL) == _php_pgsql_notice_handler) {
+		PQsetNoticeProcessor(link, _php_pgsql_notice_handler, NULL);
+	}
+
 	if (PQsetnonblocking(link, 0)) {
 		php_error_docref("ref.pgsql", E_NOTICE, "Cannot set connection to blocking mode");
 		return -1;