MFH: fix #38173 (Freeing nested cursors causes OCI8 to segfault)

NEWS

@@ -40,6 +40,7 @@ PHP                                                                        NEWS
   execution). (Dmitry)
 - Fixed bug #38194 (ReflectionClass::isSubclassOf() returns TRUE for the class
   itself). (Ilia)
+- Fixed bug #38173 (Freeing nested cursors causes OCI8 to segfault). (Tony)
 - Fixed bug #38132 (ReflectionClass::getStaticProperties() retains \0 in key
   names). (Ilia)
 - Fixed bug #38047 ("file" and "line" sometimes not set in backtrace from

ext/oci8/oci8_interface.c

@@ -1483,7 +1483,10 @@ PHP_FUNCTION(oci_free_statement)
 	}
 
 	PHP_OCI_ZVAL_TO_STATEMENT(z_statement, statement);
-	zend_list_delete(statement->id);
+	if (!statement->nested) {
+		/* nested cursors cannot be freed, they are allocated once and used during the fetch */
+		zend_list_delete(statement->id);
+	}
 	
 	RETURN_TRUE;
 }

ext/oci8/oci8_statement.c

@@ -94,6 +94,7 @@ php_oci_statement *php_oci_statement_create (php_oci_connection *connection, cha
 
 	statement->connection = connection;
 	statement->has_data = 0;
+	statement->nested = 0;
 
 	if (OCI_G(default_prefetch) > 0) {
 		php_oci_statement_set_prefetch(statement, OCI_G(default_prefetch) TSRMLS_CC);
@@ -443,6 +444,7 @@ int php_oci_statement_execute(php_oci_statement *statement, ub4 mode TSRMLS_DC)
 				case SQLT_RSET:
 					outcol->statement = php_oci_statement_create(statement->connection, NULL, 0, 0 TSRMLS_CC);
 					outcol->stmtid = outcol->statement->id;
+					outcol->statement->nested = 1;
 
 					define_type = SQLT_RSET;
 					outcol->is_cursor = 1;

ext/oci8/php_oci8_int.h

@@ -166,6 +166,7 @@ typedef struct { /* php_oci_statement {{{ */
 	int ncolumns;					/* number of columns in the result */
 	unsigned executed:1;			/* statement executed flag */
 	unsigned has_data:1;			/* statement has more data flag */
+	unsigned nested:1;			/* statement handle is valid */
 	ub2 stmttype;					/* statement type */
 } php_oci_statement; /* }}} */
 

ext/oci8/tests/bug38173.phpt

@@ -0,0 +1,79 @@
+--TEST--
+Bug #38173 (Freeing nested cursors causes OCI8 to segfault)
+--SKIPIF--
+<?php if (!extension_loaded('oci8')) die("skip no oci8 extension"); ?>
+--FILE--
+<?php
+
+require dirname(__FILE__)."/connect.inc";
+
+$create_1 = "CREATE TABLE t1 (id INTEGER)";
+$create_2 = "CREATE TABLE t2 (id INTEGER)";
+$drop_1 = "DROP TABLE t1";
+$drop_2 = "DROP TABLE t2";
+
+$s1 = oci_parse($c, $drop_1);
+$s2 = oci_parse($c, $drop_2);
+@oci_execute($s1);
+@oci_execute($s2);
+
+$s1 = oci_parse($c, $create_1);
+$s2 = oci_parse($c, $create_2);
+oci_execute($s1);
+oci_execute($s2);
+
+for($i=0; $i < 5; $i++) {
+	$insert = "INSERT INTO t1 VALUES(".$i.")";
+	$s = oci_parse($c, $insert);
+	oci_execute($s);
+}
+
+for($i=0; $i < 5; $i++) {
+	$insert = "INSERT INTO t2 VALUES(".$i.")";
+	$s = oci_parse($c, $insert);
+	oci_execute($s);
+}
+
+$query ="
+SELECT
+  t1.*,
+  CURSOR( SELECT * FROM t2 ) as cursor
+FROM
+  t1
+";
+
+$sth = oci_parse($c, $query);
+oci_execute($sth);
+
+// dies on oci_free_statement on 2nd pass through loop
+while ( $row = oci_fetch_assoc($sth) ) {
+  print "Got row!\n";
+  var_dump(oci_execute($row['CURSOR']));
+  var_dump(oci_free_statement($row['CURSOR']));
+}
+
+$s1 = oci_parse($c, $drop_1);
+$s2 = oci_parse($c, $drop_2);
+@oci_execute($s1);
+@oci_execute($s2);
+
+echo "Done\n";
+
+?>
+--EXPECT--
+Got row!
+bool(true)
+bool(true)
+Got row!
+bool(true)
+bool(true)
+Got row!
+bool(true)
+bool(true)
+Got row!
+bool(true)
+bool(true)
+Got row!
+bool(true)
+bool(true)
+Done