File: bug00896-dbpointer.phpt

package info (click to toggle)
php-mongo 1.5.7-1
  • links: PTS
  • area: main
  • in suites: jessie, jessie-kfreebsd
  • size: 11,040 kB
  • ctags: 2,802
  • sloc: ansic: 17,632; xml: 2,195; php: 1,630; pascal: 330; makefile: 52; sh: 39
file content (94 lines) | stat: -rw-r--r-- 2,838 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
 
--TEST--
Test for PHP-896: Segfault decoding BSON reads past buffer endpoint (DBPointer)
--SKIPIF--
<?php require dirname(__FILE__) ."/skipif.inc"; ?>
--FILE--
<?php

function createBson($type, $len) {
    $bson  = pack('C', $type);                     // byte: field type
    $bson .= pack('a*x', 'x');                     // cstring: field name
    $bson .= pack(str_repeat('x', $len));          // null bytes (field value)
    $bson .= pack('x');                            // null byte: document terminator
    $bson  = pack('V', 4 + strlen($bson)) . $bson; // int32: document length

    return $bson;
}

function createStringElement($len, $bytes) {
    $bson  = pack('V', $len);                      // int32: string length
    $bson .= pack('a*x', $bytes);                  // cstring: string value

    return $bson;
}

function createDBPointer($ns, $oidLen) {
    $bson  = pack('C', 0x0C);                      // byte: field type
    $bson .= pack('a*x', 'x');                     // cstring: field name
    $bson .= $ns;                                  // Namespace string
    $bson .= pack(str_repeat('x', $oidLen));       // ObjectId bytes
    $bson .= pack('x');                            // null byte: document terminator
    $bson  = pack('V', 4 + strlen($bson)) . $bson; // int32: document length

    return $bson;
}

echo "\nTesting DBPointer type with valid buffer length\n";

var_dump(bson_decode(createDBPointer(createStringElement(1, ''), 12)));

echo "\nTesting DBPointer type with invalid buffer length\n";

try {
    bson_decode(createBson(0x0C, 3));
    echo "FAILED\n";
} catch (MongoCursorException $e) {
    var_dump($e->getMessage(), $e->getCode());
}

echo "\nTesting DBPointer type with invalid namespace buffer length\n";

try {
    bson_decode(createDBPointer(createStringElement(6, ''), 0));
    echo "FAILED\n";
} catch (MongoCursorException $e) {
    var_dump($e->getMessage(), $e->getCode());
}

echo "\nTesting DBPointer type with invalid ObjectId buffer length\n";

try {
    bson_decode(createDBPointer(createStringElement(1, ''), 6));
    echo "FAILED\n";
} catch (MongoCursorException $e) {
    var_dump($e->getMessage(), $e->getCode());
}

?>
--EXPECTF--

Testing DBPointer type with valid buffer length
array(1) {
  ["x"]=>
  array(2) {
    ["$ref"]=>
    string(0) ""
    ["$id"]=>
    object(MongoId)#%d (1) {
      ["$id"]=>
      string(24) "000000000000000000000000"
    }
  }
}

Testing DBPointer type with invalid buffer length
string(56) "Reading data for type 0c would exceed buffer for key "x""
int(21)

Testing DBPointer type with invalid namespace buffer length
string(56) "Reading data for type 0c would exceed buffer for key "x""
int(21)

Testing DBPointer type with invalid ObjectId buffer length
string(56) "Reading data for type 0c would exceed buffer for key "x""
int(21)