1--TEST-- 2Bug #69316: Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER 3--SKIPIF-- 4<?php include 'skipif.inc'; ?> 5--FILE-- 6<?php 7 function hdr_callback($ch, $data) { 8 // close the stream, causing the FILE structure to be free()'d 9 if($GLOBALS['f_file']) { 10 fclose($GLOBALS['f_file']); $GLOBALS['f_file'] = 0; 11 12 // cause an allocation of approx the same size as a FILE structure, size varies a bit depending on platform/libc 13 $FILE_size = (PHP_INT_SIZE == 4 ? 0x160 : 0x238); 14 curl_setopt($ch, CURLOPT_COOKIE, str_repeat("a", $FILE_size - 1)); 15 } 16 return strlen($data); 17 } 18 19 include 'server.inc'; 20 $host = curl_cli_server_start(); 21 $temp_file = dirname(__FILE__) . '/body.tmp'; 22 $url = "{$host}/get.php?test=getpost"; 23 $ch = curl_init(); 24 $f_file = fopen($temp_file, "w") or die("failed to open file\n"); 25 curl_setopt($ch, CURLOPT_BUFFERSIZE, 10); 26 curl_setopt($ch, CURLOPT_HEADERFUNCTION, "hdr_callback"); 27 curl_setopt($ch, CURLOPT_FILE, $f_file); 28 curl_setopt($ch, CURLOPT_URL, $url); 29 curl_exec($ch); 30 curl_close($ch); 31?> 32===DONE=== 33--CLEAN-- 34<?php 35unlink(dirname(__FILE__) . '/body.tmp'); 36?> 37--EXPECTF-- 38Warning: curl_exec(): CURLOPT_FILE resource has gone away, resetting to default in %s on line %d 39array(1) { 40 ["test"]=> 41 string(7) "getpost" 42} 43array(0) { 44} 45===DONE=== 46
