--TEST--
Bug #69316: Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER
--SKIPIF--
<?php
// Both guards must pass or the regression is silently not exercised: a run
// without PHP_CURL_HTTP_REMOTE_SERVER set reports "skip", not "pass".
if (!extension_loaded("curl")) exit("skip curl extension not loaded");
if (false === getenv('PHP_CURL_HTTP_REMOTE_SERVER')) exit("skip PHP_CURL_HTTP_REMOTE_SERVER env variable is not defined");
?>
--FILE--
<?php
  /**
   * Header callback registered below through CURLOPT_HEADERFUNCTION.
   *
   * While the transfer is still running, it closes the stream that was handed
   * to the same handle as CURLOPT_FILE and then requests a string allocation
   * of about the size of the released FILE structure.
   *
   * @param mixed  $ch   cURL handle the callback is invoked for
   * @param string $data header data passed to the callback
   * @return int length of $data, i.e. the number of bytes reported as handled
   */
  function hdr_callback($ch, $data) {
      // close the stream, causing the FILE structure to be free()'d
      if($GLOBALS['f_file']) {
          // the global is set to 0 right after closing, so this branch runs only on the first invocation
          fclose($GLOBALS['f_file']); $GLOBALS['f_file'] = 0;

          // cause an allocation of approx the same size as a FILE structure, size varies a bit depending on platform/libc
          // NOTE(review): both sizes are estimates per the comment above; the check this test relies on is the
          // warning in --EXPECTF--, not whether the allocation actually lands on the freed chunk
          $FILE_size = (PHP_INT_SIZE == 4 ? 0x160 : 0x238);
          curl_setopt($ch, CURLOPT_COOKIE, str_repeat("a", $FILE_size - 1));
      }
      return strlen($data);
  }
  $host = getenv('PHP_CURL_HTTP_REMOTE_SERVER');

  // body.tmp is the CURLOPT_FILE target; the --CLEAN-- section removes it
  $temp_file = dirname(__FILE__) . '/body.tmp';
  $url = "{$host}/get.php?test=getpost";
  $ch = curl_init();
  $f_file = fopen($temp_file, "w") or die("failed to open file\n");
  // presumably a small buffer keeps the transfer in small pieces - TODO confirm why 10 was chosen
  curl_setopt($ch, CURLOPT_BUFFERSIZE, 10);
  curl_setopt($ch, CURLOPT_HEADERFUNCTION, "hdr_callback");
  // $f_file is the resource that hdr_callback() closes during the transfer
  curl_setopt($ch, CURLOPT_FILE, $f_file);
  curl_setopt($ch, CURLOPT_URL, $url);
  // expected result: curl_exec() notices that the CURLOPT_FILE resource is gone and emits the
  // warning listed in --EXPECTF-- instead of continuing to use the closed stream
  curl_exec($ch);
  curl_close($ch);
?>
===DONE===
--CLEAN--
<?php
// remove the temporary file created by the --FILE-- section
unlink(dirname(__FILE__) . '/body.tmp');
?>
--EXPECTF--
Warning: curl_exec(): CURLOPT_FILE resource has gone away, resetting to default in %s on line %d
===DONE===