--TEST--
Test for PHP-896: Segfault decoding BSON reads past buffer endpoint (code_ws)
--SKIPIF--
<?php require dirname(__FILE__) ."/skipif.inc"; ?>
--FILE--
<?php
/**
 * Build a one-field BSON document whose field value is just null padding.
 *
 * The field is always named "x". The caller picks the type byte and the
 * number of value bytes independently, so the value need not be a valid
 * encoding for that type; the test uses this to hand the decoder a
 * truncated element.
 *
 * @param int $type BSON element type byte (for example 0x08 or 0x0F).
 * @param int $len  Number of null bytes to emit as the field value.
 * @return string   Document bytes, prefixed with a little-endian int32 length.
 */
function createBson($type, $len) {
    // Element header: type byte followed by the field name "x" as a cstring.
    $header = pack('Ca*x', $type, 'x');

    // Field value: $len null bytes, then the null byte that ends the document.
    $payload = $header . str_repeat("\0", $len) . "\0";

    // The int32 document length counts its own four bytes.
    return pack('V', 4 + strlen($payload)) . $payload;
}
/**
 * Build a BSON string value: an int32 length, the bytes, and a trailing null.
 *
 * The length is written exactly as given and is never compared with
 * strlen($bytes), so a caller can declare a length that disagrees with the
 * payload that follows.
 *
 * @param int    $len   Value to write into the int32 length field.
 * @param string $bytes String payload; a null terminator is appended.
 * @return string       The encoded string value.
 */
function createStringElement($len, $bytes) {
    // 'V' = little-endian int32, 'a*' = raw bytes, 'x' = one null byte.
    return pack('Va*x', $len, $bytes);
}
/**
 * Build a BSON document holding one code-with-scope (0x0F) field named "x".
 *
 * $code and $document are appended verbatim and $len is written as given;
 * nothing here checks that the three agree, which lets the test produce
 * elements whose inner length fields point past the end of the buffer.
 *
 * @param int    $len      Value for the element's int32 length field.
 * @param string $code     Pre-encoded code string (see createStringElement()).
 * @param string $document Pre-encoded scope document.
 * @return string          Document bytes, prefixed with a little-endian int32 length.
 */
function createCodeWithScope($len, $code, $document) {
    // Type byte 0x0F, field name "x" as a cstring, then the element length.
    $element = pack('Ca*xV', 0x0F, 'x', $len);

    // Code string and scope document, followed by the outer document terminator.
    $element .= $code . $document . "\0";

    // The outer int32 document length counts its own four bytes.
    return pack('V', 4 + strlen($element)) . $element;
}
// Regression cases for PHP-896. Every malformed input below must make
// bson_decode() throw MongoCursorException; reaching the "FAILED" echo means
// the decoder accepted a buffer it should have rejected. The expected output
// pins both the exception message and the code (21) for each case.
// NOTE(review): only MongoCursorException is caught, so any other outcome
// (another exception type, or a crash) shows up as an output mismatch.

// Case 1 - baseline: the inner length fields match the bytes that follow.
// Per the expected output this decodes to a MongoCode with an empty code
// string and the scope array("x" => false).
echo "\nTesting code_ws type with valid buffer length\n";
$code = createStringElement(1, '');
$scope = createBson(0x08, 1);
var_dump(bson_decode(createCodeWithScope(5 + strlen($code) + strlen($scope), $code, $scope)));
// Case 2 - truncated element: a 0x0F field whose entire value is three null
// bytes, with no code string or scope document built for it.
echo "\nTesting code_ws type with invalid buffer length\n";
try {
bson_decode(createBson(0x0F, 3));
echo "FAILED\n";
} catch (MongoCursorException $e) {
var_dump($e->getMessage(), $e->getCode());
}
// Case 3 - oversized code string: the string declares 20 bytes but only its
// null terminator follows. The element length passed to createCodeWithScope()
// is still computed from the actual sizes of $code and $scope, so the string
// length field is the only value changed from case 1.
echo "\nTesting code_ws type with invalid code buffer length\n";
$code = createStringElement(20, '');
$scope = createBson(0x08, 1);
try {
bson_decode(createCodeWithScope(5 + strlen($code) + strlen($scope), $code, $scope));
echo "FAILED\n";
} catch (MongoCursorException $e) {
var_dump($e->getMessage(), $e->getCode());
}
// Case 4 - oversized scope document: the scope is an int32 header declaring
// 50 bytes followed by a single null byte, five bytes in total.
echo "\nTesting code_ws type with invalid scope buffer length\n";
$code = createStringElement(1, '');
$scope = pack('Vx', 50);
try {
bson_decode(createCodeWithScope(5 + strlen($code) + strlen($scope), $code, $scope));
echo "FAILED\n";
} catch (MongoCursorException $e) {
var_dump($e->getMessage(), $e->getCode());
}
?>
--EXPECTF--
Testing code_ws type with valid buffer length
array(1) {
["x"]=>
object(MongoCode)#%d (2) {
["code"]=>
string(0) ""
["scope"]=>
array(1) {
["x"]=>
bool(false)
}
}
}
Testing code_ws type with invalid buffer length
string(56) "Reading data for type 0f would exceed buffer for key "x""
int(21)
Testing code_ws type with invalid code buffer length
string(56) "Reading data for type 0f would exceed buffer for key "x""
int(21)
Testing code_ws type with invalid scope buffer length
string(56) "Reading data for type 0f would exceed buffer for key "x""
int(21)