File: bug68976.phpt

package info (click to toggle)
php5 5.6.7%2Bdfsg-1
  • links: PTS, VCS
  • area: main
  • in suites: jessie-kfreebsd
  • size: 150,376 kB
  • sloc: ansic: 727,510; php: 21,966; sh: 12,356; cpp: 8,763; xml: 6,105; yacc: 1,551; exp: 1,514; makefile: 1,461; pascal: 1,048; awk: 538; perl: 315; sql: 22
file content (37 lines) | stat: -rw-r--r-- 542 bytes parent folder | download | duplicates (4) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
 
--TEST--
Bug #68976 Use After Free Vulnerability in unserialize()
--FILE--
<?php
class evilClass {
	public $name;
	function __wakeup() {
		unset($this->name);
	}
}

$fakezval = pack(
    'IIII',
    0x00100000,
    0x00000400,
    0x00000000,
    0x00000006 
);

$data = unserialize('a:2:{i:0;O:9:"evilClass":1:{s:4:"name";a:2:{i:0;i:1;i:1;i:2;}}i:1;R:4;}');

for($i = 0; $i < 5; $i++) {
    $v[$i] = $fakezval.$i;
}

var_dump($data);
?>
===DONE===
--EXPECTF--
array(2) {
  [0]=>
  object(evilClass)#1 (0) {
  }
  [1]=>
  int(1)
}
===DONE===