1--TEST--
2GHSA-h35g-vwh6-m678 (mysqlnd leaks partial content of the heap - stmt row bit buffer over-read)
3--EXTENSIONS--
4mysqli
5--FILE--
6<?php
7require_once 'fake_server.inc';
8
9$servername = "127.0.0.1";
10$username = "root";
11$password = "";
12
13$process = run_fake_server_in_background('stmt_response_row_over_read_bit');
14$process->wait();
15
16$conn = new mysqli($servername, $username, $password, "", $process->getPort());
17
18echo "[*] Preparing statement on the fake server...\n";
19$stmt = $conn->prepare("SELECT bitval, timval FROM data");
20
21$stmt->execute();
22$result = $stmt->get_result();
23
24// Fetch and display the results
25if ($result->num_rows > 0) {
26    while ($row = $result->fetch_assoc()) {
27        var_dump($row["bitval"]);
28    }
29}
30$stmt->close();
31$conn->close();
32
33$process->terminate(true);
34
35print "done!";
36?>
37--EXPECTF--
38[*] Server started on 127.0.0.1:%d
39[*] Connection established
40[*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
41[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
42[*] Sending - Server OK: 0700000200000002000000
43[*] Preparing statement on the fake server...
44[*] Received: 200000001653454c4543542062697476616c2c2074696d76616c2046524f4d2064617461
45[*] Sending - Stmt prepare data bitval: 0c0000010001000000020000000000003200000203646566087068705f74657374046461746104646174610673747276616c0673747276616c0ce000c8000000fd01100000003200000303646566087068705f74657374046461746104646174610662697476616c0662697476616c0c3f004000000010211000000005000004fe00000200
46[*] Received: 0a00000017010000000001000000
47[*] Sending - Malicious Stmt Response for data bitval [Extract heap through buffer over-read]: 01000001023200000203646566087068705f74657374046461746104646174610673747276616c0673747276616c0ce000c8000000fd01100000003200000303646566087068705f74657374046461746104646174610662697476616c0662697476616c0c3f004000000010211000000005000004fe00002200100000050000067465737408080808080808080805000006fe00002200
48
49Warning: mysqli_result::fetch_assoc(): Malformed server packet. Field length pointing after the end of packet in %s on line %d
50[*] Received: 0500000019010000000100000001
51[*] Server finished
52done!
53