--TEST--
Bug #69316: Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER
--SKIPIF--
<?php include 'skipif.inc'; ?>
--FILE--
<?php
// Regression test for bug #69316: the stream handed to CURLOPT_FILE is closed
// from inside a header callback while the transfer is still running. The
// --EXPECTF-- section requires curl_exec() to emit a warning and reset the
// option to its default instead of using the closed resource.

/**
 * Header callback registered via CURLOPT_HEADERFUNCTION.
 *
 * On its first invocation it closes the global $f_file stream and then sets a
 * CURLOPT_COOKIE string sized close to a FILE structure. Later invocations
 * skip that branch because $GLOBALS['f_file'] has been set to 0.
 *
 * @param resource $ch   cURL handle the callback is invoked for
 * @param string   $data header data passed to the callback
 * @return int     strlen($data), i.e. the whole chunk is reported as handled
 */
function hdr_callback($ch, $data)
{
    // close the stream, causing the FILE structure to be free()'d
    if($GLOBALS['f_file']) {
        fclose($GLOBALS['f_file']);
        // 0 is falsy, so this branch runs only once per test run
        $GLOBALS['f_file'] = 0;

        // cause an allocation of approx the same size as a FILE structure, size varies a bit depending on platform/libc
        // (0x160 is used when PHP_INT_SIZE is 4, 0x238 otherwise)
        $FILE_size = (PHP_INT_SIZE == 4 ? 0x160 : 0x238);
        curl_setopt($ch, CURLOPT_COOKIE, str_repeat("a", $FILE_size - 1));
    }
    return strlen($data);
}

// curl_cli_server_start() is not defined in this file (presumably it comes from
// server.inc); its return value is used as the base of the request URL.
include 'server.inc';
$host = curl_cli_server_start();
$temp_file = dirname(__FILE__) . '/body.tmp';
$url = "{$host}/get.php?test=getpost";
$ch = curl_init();

// Abort the test early if the body file cannot be opened for writing.
$f_file = fopen($temp_file, "w") or die("failed to open file\n");

// NOTE(review): the 10-byte buffer presumably forces the response to arrive in
// several small chunks, so data is still pending after the callback has closed
// the stream; confirm against the original bug report.
curl_setopt($ch, CURLOPT_BUFFERSIZE, 10);
curl_setopt($ch, CURLOPT_HEADERFUNCTION, "hdr_callback");
curl_setopt($ch, CURLOPT_FILE, $f_file);
curl_setopt($ch, CURLOPT_URL, $url);

// Per --EXPECTF--, this call must warn that the CURLOPT_FILE resource has gone
// away. The array dumps that follow the warning in the expected output are
// presumably the get.php response written to the default output; verify
// against get.php.
curl_exec($ch);
curl_close($ch);
?>
===DONE===
--CLEAN--
<?php
// Remove the temporary body file that the --FILE-- section opened.
unlink(dirname(__FILE__) . '/body.tmp');
?>
--EXPECTF--
Warning: curl_exec(): CURLOPT_FILE resource has gone away, resetting to default in %s on line %d
array(1) {
  ["test"]=>
  string(7) "getpost"
}
array(0) {
}
===DONE===