summaryrefslogtreecommitdiff
path: root/ext/curl/tests/bug69316.phpt
blob: 16a655eef851e16db1b681b8447aa222038b8643 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

--TEST--
Bug #69316: Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER
--SKIPIF--
<?php include 'skipif.inc'; ?>
--FILE--
<?php
  function hdr_callback($ch, $data) {
      // close the stream, causing the FILE structure to be free()'d
      if($GLOBALS['f_file']) {
          fclose($GLOBALS['f_file']); $GLOBALS['f_file'] = 0;

          // cause an allocation of approx the same size as a FILE structure, size varies a bit depending on platform/libc
          $FILE_size = (PHP_INT_SIZE == 4 ? 0x160 : 0x238);
          curl_setopt($ch, CURLOPT_COOKIE, str_repeat("a", $FILE_size - 1));
      }
      return strlen($data);
  }

  include 'server.inc';
  $host = curl_cli_server_start();
  $temp_file = dirname(__FILE__) . '/body.tmp';
  $url = "{$host}/get.php?test=getpost";
  $ch = curl_init();
  $f_file = fopen($temp_file, "w") or die("failed to open file\n");
  curl_setopt($ch, CURLOPT_BUFFERSIZE, 10);
  curl_setopt($ch, CURLOPT_HEADERFUNCTION, "hdr_callback");
  curl_setopt($ch, CURLOPT_FILE, $f_file);
  curl_setopt($ch, CURLOPT_URL, $url);
  curl_exec($ch);
  curl_close($ch);
?>
===DONE===
--CLEAN--
<?php
unlink(dirname(__FILE__) . '/body.tmp');
?>
--EXPECTF--
Warning: curl_exec(): CURLOPT_FILE resource has gone away, resetting to default in %s on line %d
array(1) {
  ["test"]=>
  string(7) "getpost"
}
array(0) {
}
===DONE===
View Lorry Controller Status