From 1752393bb4013ca94d45da5a4d43997a73ae9750 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Mon, 13 Jan 2020 11:47:40 +0100
Subject: [PATCH] Fix #79084: mysqlnd may fetch wrong column indexes with MYSQLI_BOTH
Column names can be numeric strings, so we have to make sure to insert the column values with the appropriate numeric keys, instead of adding them.
---
 NEWS | 4 ++
 ext/mysqli/tests/bug79084.phpt | 79 ++++++++++++++++++++++++
 ext/mysqli/tests/bug79084_collision.phpt | 61 ++++++++++++++++++
 ext/mysqlnd/mysqlnd_result.c | 15 +++--
 4 files changed, 153 insertions(+), 6 deletions(-)
 create mode 100644 ext/mysqli/tests/bug79084.phpt
 create mode 100644 ext/mysqli/tests/bug79084_collision.phpt
diff --git a/NEWS b/NEWS
index b91211ce274..8f20e992111 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,10 @@ PHP NEWS
 . Fixed bug #79078 (Hypothetical use-after-free in curl_multi_add_handle()). (cmb)
+- MySQLnd:
+ . Fixed bug #79084 (mysqlnd may fetch wrong column indexes with MYSQLI_BOTH).
+ (cmb)
+
 23 Jan 2020, PHP 7.3.14
 - Core
diff --git a/ext/mysqli/tests/bug79084.phpt b/ext/mysqli/tests/bug79084.phpt
new file mode 100644
index 00000000000..b760c4abb76
--- /dev/null
+++ b/ext/mysqli/tests/bug79084.phpt
@@ -0,0 +1,79 @@
+--TEST--
+Bug #79084 (mysqlnd may fetch wrong column indexes with MYSQLI_BOTH)
+--SKIPIF--
+
+--FILE--
+real_query($sql);
+$res = $link->use_result();
+$row = $res->fetch_array();
+var_dump($row);
+$link->close();
+
+// buffered
+ini_set('mysqlnd.fetch_data_copy', false);
+$link = my_mysqli_connect($host, $user, $passwd, $db, $port, $socket);
+$res = $link->query($sql);
+$row = $res->fetch_array();
+var_dump($row);
+$link->close();
+
+// buffered copies
+ini_set('mysqlnd.fetch_data_copy', true);
+$link = my_mysqli_connect($host, $user, $passwd, $db, $port, $socket);
+$res = $link->query($sql);
+$row = $res->fetch_array();
+var_dump($row);
+$link->close();
+?>
+--EXPECT--
+array(6) {
+ [0]=>
+ string(1) "0"
+ [2007]=>
+ string(1) "0"
+ [1]=>
+ string(1) "0"
+ [2008]=>
+ string(1) "0"
+ [2]=>
+ string(1) "0"
+ [2020]=>
+ string(1) "0"
+}
+array(6) {
+ [0]=>
+ string(1) "0"
+ [2007]=>
+ string(1) "0"
+ [1]=>
+ string(1) "0"
+ [2008]=>
+ string(1) "0"
+ [2]=>
+ string(1) "0"
+ [2020]=>
+ string(1) "0"
+}
+array(6) {
+ [0]=>
+ string(1) "0"
+ [2007]=>
+ string(1) "0"
+ [1]=>
+ string(1) "0"
+ [2008]=>
+ string(1) "0"
+ [2]=>
+ string(1) "0"
+ [2020]=>
+ string(1) "0"
+}
diff --git a/ext/mysqli/tests/bug79084_collision.phpt b/ext/mysqli/tests/bug79084_collision.phpt
new file mode 100644
index 00000000000..9f0c72962d5
--- /dev/null
+++ b/ext/mysqli/tests/bug79084_collision.phpt
@@ -0,0 +1,61 @@
+--TEST--
+Bug #79084 (mysqlnd may fetch wrong column indexes with MYSQLI_BOTH) - collision
+--SKIPIF--
+
+--FILE--
+real_query($sql);
+$res = $link->use_result();
+$row = $res->fetch_array();
+var_dump($row);
+$link->close();
+
+// buffered
+ini_set('mysqlnd.fetch_data_copy', false);
+$link = my_mysqli_connect($host, $user, $passwd, $db, $port, $socket);
+$res = $link->query($sql);
+$row = $res->fetch_array();
+var_dump($row);
+$link->close();
+
+// buffered copies
+ini_set('mysqlnd.fetch_data_copy', true);
+$link = my_mysqli_connect($host, $user, $passwd, $db, $port, $socket);
+$res = $link->query($sql);
+$row = $res->fetch_array();
+var_dump($row);
+$link->close();
+?>
+--EXPECT--
+array(3) {
+ [0]=>
+ string(5) "11111"
+ [1]=>
+ string(5) "11111"
+ [2]=>
+ string(5) "22222"
+}
+array(3) {
+ [0]=>
+ string(5) "11111"
+ [1]=>
+ string(5) "11111"
+ [2]=>
+ string(5) "22222"
+}
+array(3) {
+ [0]=>
+ string(5) "11111"
+ [1]=>
+ string(5) "11111"
+ [2]=>
+ string(5) "22222"
+}
diff --git a/ext/mysqlnd/mysqlnd_result.c b/ext/mysqlnd/mysqlnd_result.c
index 783fd2cec10..10b4d099054 100644
--- a/ext/mysqlnd/mysqlnd_result.c
+++ b/ext/mysqlnd/mysqlnd_result.c
@@ -842,8 +842,9 @@ MYSQLND_METHOD(mysqlnd_result_unbuffered, fetch_row)(MYSQLND_RES * result, void
 const size_t len = (Z_TYPE_P(data) == IS_STRING)? Z_STRLEN_P(data) : 0;
 if (flags & MYSQLND_FETCH_NUM) {
- Z_TRY_ADDREF_P(data);
- zend_hash_next_index_insert(row_ht, data);
+ if (zend_hash_index_add(row_ht, i, data) != NULL) {
+ Z_TRY_ADDREF_P(data);
+ }
 }
 if (flags & MYSQLND_FETCH_ASSOC) {
 /* zend_hash_quick_update needs length + trailing zero */
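Review bot: The `zend_hash_index_add(row_ht, i, data)` call in the MYSQLND_FETCH_NUM branch can fail silently, and the hunk carries no comment saying when that happens or why the addref is skipped. Judging by the expected output of the collision test, the failing case appears to be an earlier column whose numeric-string name already occupies slot `i`, so the positional value is dropped and `$row[i]` yields another column's data. That resolution is defensible, but code that indexes by position under MYSQLI_BOTH receives the substituted value with no warning, which is worth stating for callers whose column aliases are not fixed by the application. I would add a comment above the call, e.g. `/* add, not update: a numeric-string column name inserted earlier may already own index i; keep that entry and take no extra reference */`, and repeat it in the @@ -1099 and @@ -1195 hunks. The enclosing fetch_row body starts and ends outside the hunk.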
@@ -1099,8 +1100,9 @@ MYSQLND_METHOD(mysqlnd_result_buffered_zval, fetch_row)(MYSQLND_RES * result, vo
 set->lengths[i] = (Z_TYPE_P(data) == IS_STRING)? Z_STRLEN_P(data) : 0;
 if (flags & MYSQLND_FETCH_NUM) {
- Z_TRY_ADDREF_P(data);
- zend_hash_next_index_insert(Z_ARRVAL_P(row), data);
+ if (zend_hash_index_add(Z_ARRVAL_P(row), i, data) != NULL) {
+ Z_TRY_ADDREF_P(data);
+ }
 }
 if (flags & MYSQLND_FETCH_ASSOC) {
 /* zend_hash_quick_update needs length + trailing zero */
@@ -1195,8 +1197,9 @@ MYSQLND_METHOD(mysqlnd_result_buffered_c, fetch_row)(MYSQLND_RES * result, void
 set->lengths[i] = (Z_TYPE_P(data) == IS_STRING)? Z_STRLEN_P(data) : 0;
 if (flags & MYSQLND_FETCH_NUM) {
- Z_TRY_ADDREF_P(data);
- zend_hash_next_index_insert(Z_ARRVAL_P(row), data);
+ if (zend_hash_index_add(Z_ARRVAL_P(row), i, data)) {
+ Z_TRY_ADDREF_P(data);
+ }
 }
 if (flags & MYSQLND_FETCH_ASSOC) {
 /* zend_hash_quick_update needs length + trailing zero */
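Review bot: The condition in the buffered_c hunk (@@ -1195) tests the pointer implicitly, `if (zend_hash_index_add(Z_ARRVAL_P(row), i, data)) {`, while the unbuffered and buffered_zval variants of the same change compare with `!= NULL`. The three branches are meant to behave identically, so the odd one out makes a reader stop and check whether the difference is intentional; write it as `if (zend_hash_index_add(Z_ARRVAL_P(row), i, data) != NULL) {` to match. Since the same four lines now appear in three fetch_row implementations, a small static helper taking the hash table, index and zval would keep the reference-count rule in one place, though that goes beyond what this hunk shows of the surrounding functions.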