--TEST--
GHSA-h35g-vwh6-m678 (mysqlnd leaks partial content of the heap - stmt row string buffer over-read)
--EXTENSIONS--
mysqli
--FILE--
<?php
// Regression test for GHSA-h35g-vwh6-m678: a server answers a prepared
// statement with a row whose string field length points past the end of the
// packet. The client is expected to reject the packet with a warning rather
// than hand the caller bytes read from beyond the packet buffer.
require_once 'fake_server.inc';

// Loopback endpoint and credentials used against the scripted fake server.
$host = '127.0.0.1';
$port = 33305;
$user = 'root';
$pass = '';

// Start the scripted server scenario; wait() presumably blocks until the
// server is ready to accept connections (helper lives in fake_server.inc —
// confirm there).
$server = run_fake_server_in_background('stmt_response_row_over_read_string', $port);
$server->wait();

$link = new mysqli($host, $user, $pass, '', $port);

echo "[*] Preparing statement on the fake server...\n";
$stmt = $link->prepare('SELECT item FROM items');
$stmt->execute();

// The expected warning is attributed to mysqli_result::fetch_assoc(), so the
// get_result() + fetch_assoc() sequence must stay as-is: switching to another
// fetch API would change the warning text and may miss the checked code path.
$rows = $stmt->get_result();
$hasRows = $rows->num_rows > 0;
while ($hasRows && ($record = $rows->fetch_assoc())) {
    // With the fix in place nothing should be dumped here; any dumped value
    // would show up as an unexpected line against the expected output.
    var_dump($record['item']);
}

$stmt->close();
$link->close();

// Stop the background server before finishing the test.
$server->terminate(true);

echo 'done!';
?>
--EXPECTF--
[*] Server started
[*] Connection established
[*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
[*] Sending - Server OK: 0700000200000002000000
[*] Preparing statement on the fake server...
[*] Received: 170000001653454c454354206974656d2046524f4d206974656d73
[*] Sending - Stmt prepare items: 0c0000010001000000010000000000003000000203646566087068705f74657374056974656d73056974656d73046974656d046974656d0ce000c8000000fd011000000005000003fe00000200
[*] Received: 0a00000017010000000001000000
[*] Sending - Malicious Stmt Response for items [Extract heap through buffer over-read]: 01000001013000000203646566087068705f74657374056974656d73056974656d73046974656d046974656d0ce000c8000000fd011000000005000003fe00002200070000040000fa7465737405000005fe00002200

Warning: mysqli_result::fetch_assoc(): Malformed server packet. Field length pointing after the end of packet in %s on line %d
[*] Received: 0500000019010000000100000001
[*] Server finished
done!
