1--TEST-- 2GHSA-h35g-vwh6-m678 (mysqlnd leaks partial content of the heap - stmt row no space for the field) 3--EXTENSIONS-- 4mysqli 5--FILE-- 6<?php 7require_once 'fake_server.inc'; 8 9$port = 33305; 10$servername = "127.0.0.1"; 11$username = "root"; 12$password = ""; 13 14$process = run_fake_server_in_background('query_response_row_length_overflow', $port); 15$process->wait(); 16 17$conn = new mysqli($servername, $username, $password, "", $port); 18 19echo "[*] Query the fake server...\n"; 20$sql = "SELECT strval, strval FROM data"; 21 22$result = $conn->query($sql); 23 24if ($result->num_rows > 0) { 25 while ($row = $result->fetch_assoc()) { 26 var_dump($row['strval']); 27 } 28} 29$conn->close(); 30 31$process->terminate(true); 32 33print "done!"; 34?> 35--EXPECTF-- 36[*] Server started 37[*] Connection established 38[*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264 39[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31 40[*] Sending - Server OK: 0700000200000002000000 41[*] Query the fake server... 42[*] Received: 200000000353454c4543542073747276616c2c2073747276616c2046524f4d2064617461 43[*] Sending - Malicious Query Response for data strval field [length overflow]: 01000001023200000203646566087068705f74657374046461746104646174610673747276616c0673747276616c0ce000c8000000fd01100000003200000303646566087068705f74657374046461746104646174610673747276616c0673747276616c0ce000c8000000fd011000000005000004fe000022000a0000050474657374fefefefefe05000006fe00002200 44 45Warning: mysqli_result::fetch_assoc(): Malformed server packet. Field length pointing after end of packet in %s on line %d 46[*] Received: 0100000001 47[*] Server finished 48done! 49
