Fix GH-17837: ::getColumnMeta() on unexecuted statement segfaults

cmb69 · cmb69 · commit 260e0e9bd371 · 2025-02-18T17:01:46.000+01:00
We cannot properly get the column meta data of a statement which has been prepared, but has not yet been executed. As such we bail out early, reporting failure. Closes GH-17850.
diff --git a/NEWS b/NEWS
@@ -40,6 +40,10 @@ PHP                                                                        NEWS
     JIT crash). (nielsdos)
   . Fixed bug GH-17577 (JIT packed type guard crash). (nielsdos, Dmitry)
 
+- PDO_SQLite:
+  . Fixed GH-17837 ()::getColumnMeta() on unexecuted statement segfaults).
+    (cmb)
+
 - Phar:
   . Fixed bug GH-17808: PharFileInfo refcount bug. (nielsdos)
 
diff --git a/ext/pdo_sqlite/sqlite_statement.c b/ext/pdo_sqlite/sqlite_statement.c
@@ -305,7 +305,7 @@ static int pdo_sqlite_stmt_col_meta(pdo_stmt_t *stmt, zend_long colno, zval *ret
 	const char *str;
 	zval flags;
 
-	if (!S->stmt) {
+	if (!S->stmt || !stmt->executed) {
 		return FAILURE;
 	}
 	if(colno >= sqlite3_column_count(S->stmt)) {
diff --git a/ext/pdo_sqlite/tests/gh17837.phpt b/ext/pdo_sqlite/tests/gh17837.phpt
@@ -0,0 +1,14 @@
+--TEST--
+GH-17837 (::getColumnMeta() on unexecuted statement segfaults)
+--EXTENSIONS--
+pdo_sqlite
+--CREDITS--
+YuanchengJiang
+--FILE--
+<?php
+$db = new PDO('sqlite::memory:');
+$stmt = $db->prepare('select :a, :b, ?');
+var_dump($stmt->getColumnMeta(0));
+?>
+--EXPECT--
+bool(false)

Original file line number	Diff line number	Diff line change
`@@ -305,7 +305,7 @@ static int pdo_sqlite_stmt_col_meta(pdo_stmt_t stmt, zend_long colno, zval ret`
`305`	`305`	`const char *str;`
`306`	`306`	`zval flags;`
`307`	`307`
`308`		`- if (!S->stmt) {`
	`308`	`+ if (!S->stmt \|\| !stmt->executed) {`
`309`	`309`	`return FAILURE;`
`310`	`310`	`}`
`311`	`311`	`if(colno >= sqlite3_column_count(S->stmt)) {`