Fix memory leak when destroying PDORow

nielsdos · nielsdos · commit 2dde07af55bb · 2025-03-20T23:13:42.000+01:00
This should call zend_object_std_dtor() to clean the property table etc. This also has a semantic influence because previously weak refs were not notified for example. This fixes the final issue in GH-18114 (the crash was master-only and fixed already). Closes GH-18114. Closes GH-18123.
diff --git a/NEWS b/NEWS
@@ -37,6 +37,9 @@ PHP                                                                        NEWS
 - Opcache:
   . Fixed bug GH-18112 (NULL access with preloading and INI option). (nielsdos)
 
+- PDO:
+  . Fix memory leak when destroying PDORow. (nielsdos)
+
 - SPL:
   . Fixed bug GH-18018 (RC1 data returned from offsetGet causes UAF in
     ArrayObject). (nielsdos)
diff --git a/ext/pdo/pdo_stmt.c b/ext/pdo/pdo_stmt.c
@@ -2506,6 +2506,7 @@ void pdo_row_free_storage(zend_object *std)
 		ZVAL_UNDEF(&row->stmt->lazy_object_ref);
 		OBJ_RELEASE(&row->stmt->std);
 	}
+	zend_object_std_dtor(std);
 }
 
 zend_object *pdo_row_new(zend_class_entry *ce)
diff --git a/ext/pdo_sqlite/tests/gh18114.phpt b/ext/pdo_sqlite/tests/gh18114.phpt
@@ -0,0 +1,19 @@
+--TEST--
+GH-18114 (pdo lazy object crash)
+--EXTENSIONS--
+pdo_sqlite
+--FILE--
+<?php
+$db = new PDO('sqlite::memory:');
+$x = $db->query('select 1 as queryString');
+$data = $x->fetch(PDO::FETCH_LAZY);
+foreach ($data as $entry) {
+    var_dump($entry);
+}
+var_dump((array) $data);
+echo "Done\n";
+?>
+--EXPECT--
+array(0) {
+}
+Done

Original file line number	Diff line number	Diff line change
`@@ -2506,6 +2506,7 @@ void pdo_row_free_storage(zend_object *std)`
`2506`	`2506`	`ZVAL_UNDEF(&row->stmt->lazy_object_ref);`
`2507`	`2507`	`OBJ_RELEASE(&row->stmt->std);`
`2508`	`2508`	`}`
	`2509`	`+ zend_object_std_dtor(std);`
`2509`	`2510`	`}`
`2510`	`2511`
`2511`	`2512`	`zend_object pdo_row_new(zend_class_entry ce)`