Ignore CURSOR_EXISTS flag if no cursor requested

nikic · nikic · commit f740cd1fbf17 · 2020-12-17T16:18:58.000+01:00
diff --git a/ext/mysqli/tests/bug77935.phpt b/ext/mysqli/tests/bug77935.phpt
@@ -0,0 +1,38 @@
+--TEST--
+Bug #77935: Crash in mysqlnd_fetch_stmt_row_cursor when calling an SP with a cursor
+--SKIPIF--
+<?php
+require_once('skipif.inc');
+require_once('skipifconnectfailure.inc');
+?>
+--FILE--
+<?php
+require_once(__DIR__ . '/connect.inc');
+
+mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
+$db = my_mysqli_connect($host, $user, $passwd, $db, $port, $socket);
+$db->query('DROP PROCEDURE IF EXISTS testSp');
+$db->query(<<<'SQL'
+CREATE
+    PROCEDURE `testSp`()
+	BEGIN
+		DECLARE `cur` CURSOR FOR SELECT 1;
+		OPEN `cur`;
+		CLOSE `cur`;
+		SELECT 1;
+	END;
+SQL);
+
+$stmt = $db->prepare("CALL testSp()");
+$stmt->execute();
+$result = $stmt->get_result();
+while ($row = $result->fetch_assoc()) {
+    var_dump($row);
+}
+
+?>
+--EXPECT--
+array(1) {
+  [1]=>
+  int(1)
+}
diff --git a/ext/mysqlnd/mysqlnd_ps.c b/ext/mysqlnd/mysqlnd_ps.c
@@ -576,28 +576,30 @@ mysqlnd_stmt_execute_parse_response(MYSQLND_STMT * const s, enum_mysqlnd_parse_e
 			DBG_INF_FMT("server_status=%u cursor=%u", UPSERT_STATUS_GET_SERVER_STATUS(stmt->upsert_status),
 						UPSERT_STATUS_GET_SERVER_STATUS(stmt->upsert_status) & SERVER_STATUS_CURSOR_EXISTS);
 
-			if (UPSERT_STATUS_GET_SERVER_STATUS(stmt->upsert_status) & SERVER_STATUS_CURSOR_EXISTS) {
-				DBG_INF("cursor exists");
-				stmt->cursor_exists = TRUE;
-				SET_CONNECTION_STATE(&conn->state, CONN_READY);
-				/* Only cursor read */
-				stmt->default_rset_handler = s->m->use_result;
-				DBG_INF("use_result");
-			} else if (stmt->flags & CURSOR_TYPE_READ_ONLY) {
-				DBG_INF("asked for cursor but got none");
-				/*
-				  We have asked for CURSOR but got no cursor, because the condition
-				  above is not fulfilled. Then...
-
-				  This is a single-row result set, a result set with no rows, EXPLAIN,
-				  SHOW VARIABLES, or some other command which either a) bypasses the
-				  cursors framework in the server and writes rows directly to the
-				  network or b) is more efficient if all (few) result set rows are
-				  precached on client and server's resources are freed.
-				*/
-				/* preferred is buffered read */
-				stmt->default_rset_handler = s->m->store_result;
-				DBG_INF("store_result");
+			if (stmt->flags & CURSOR_TYPE_READ_ONLY) {
+				if (UPSERT_STATUS_GET_SERVER_STATUS(stmt->upsert_status) & SERVER_STATUS_CURSOR_EXISTS) {
+					DBG_INF("cursor exists");
+					stmt->cursor_exists = TRUE;
+					SET_CONNECTION_STATE(&conn->state, CONN_READY);
+					/* Only cursor read */
+					stmt->default_rset_handler = s->m->use_result;
+					DBG_INF("use_result");
+				} else {
+					DBG_INF("asked for cursor but got none");
+					/*
+					  We have asked for CURSOR but got no cursor, because the condition
+					  above is not fulfilled. Then...
+
+					  This is a single-row result set, a result set with no rows, EXPLAIN,
+					  SHOW VARIABLES, or some other command which either a) bypasses the
+					  cursors framework in the server and writes rows directly to the
+					  network or b) is more efficient if all (few) result set rows are
+					  precached on client and server's resources are freed.
+					*/
+					/* preferred is buffered read */
+					stmt->default_rset_handler = s->m->store_result;
+					DBG_INF("store_result");
+				}
 			} else {
 				DBG_INF("no cursor");
 				/* preferred is unbuffered read */
