xref: /PHP-7.3/ext/curl/tests/bug69316.phpt (revision be34c82b)
1--TEST--
2Bug #69316: Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER
3--SKIPIF--
4<?php include 'skipif.inc'; ?>
5--FILE--
6<?php
/**
 * Header callback for the bug #69316 regression test.
 *
 * The first time it runs while $GLOBALS['f_file'] is still set, it closes the
 * stream that the script registered as CURLOPT_FILE, in the middle of the
 * transfer, and then sets a cookie string sized roughly like a FILE structure.
 * A fixed ext/curl is expected to notice the closed resource and emit the
 * "CURLOPT_FILE resource has gone away, resetting to default" warning listed
 * under --EXPECTF--, rather than keep using the closed stream.
 *
 * @param resource $ch   cURL handle the callback was invoked for
 * @param string   $data header data handed to the callback
 * @return int length of $data, so the whole chunk is reported as handled
 */
function hdr_callback($ch, $data) {
    // Already closed on an earlier invocation: just acknowledge the header.
    if (!$GLOBALS['f_file']) {
        return strlen($data);
    }

    // Close the stream the cURL handle still references as its output target;
    // this is what causes the underlying FILE structure to be free()'d.
    fclose($GLOBALS['f_file']);
    $GLOBALS['f_file'] = 0;

    // Request an allocation of about the size of a FILE structure right after
    // the close. The size varies a bit by platform/libc, hence the two values
    // selected by pointer width.
    $approxFileStructSize = (PHP_INT_SIZE == 4) ? 0x160 : 0x238;
    curl_setopt($ch, CURLOPT_COOKIE, str_repeat("a", $approxFileStructSize - 1));

    return strlen($data);
}
18
// Start the test suite's local HTTP server; the helper comes from server.inc
// and its return value is used as the URL prefix below.
include 'server.inc';
$serverBase = curl_cli_server_start();
$bodyPath = dirname(__FILE__) . '/body.tmp';
$requestUrl = $serverBase . '/get.php?test=getpost';
$handle = curl_init();

// $f_file must remain a global with exactly this name: hdr_callback() finds
// and closes it through $GLOBALS['f_file'].
$f_file = fopen($bodyPath, "w");
if (!$f_file) {
    die("failed to open file\n");
}

// The option order is kept as in the original test. The header callback is
// registered before the transfer starts, and the stream it will close is the
// one handed to the handle as CURLOPT_FILE.
// NOTE(review): the 10-byte buffer presumably makes the response arrive in
// several small writes; confirm against the original bug report.
curl_setopt($handle, CURLOPT_BUFFERSIZE, 10);
curl_setopt($handle, CURLOPT_HEADERFUNCTION, "hdr_callback");
curl_setopt($handle, CURLOPT_FILE, $f_file);
curl_setopt($handle, CURLOPT_URL, $requestUrl);

// Expected result on a fixed build (see --EXPECTF--): a warning that the
// CURLOPT_FILE resource has gone away, followed by the response body on
// standard output instead of in body.tmp.
curl_exec($handle);
curl_close($handle);
31?>
32===DONE===
33--CLEAN--
34<?php
// Delete the output file the FILE section opened next to this test, so that
// no artefact is left behind between runs.
$leftoverBody = dirname(__FILE__) . '/body.tmp';
unlink($leftoverBody);
36?>
37--EXPECTF--
38Warning: curl_exec(): CURLOPT_FILE resource has gone away, resetting to default in %s on line %d
39array(1) {
40  ["test"]=>
41  string(7) "getpost"
42}
43array(0) {
44}
45===DONE===
46