1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
|
--TEST--
Bug #76047: Use-after-free when accessing already destructed backtrace arguments
--FILE--
<?php
class Vuln {
public $a;
public function __destruct() {
unset($this->a);
$backtrace = (new Exception)->getTrace();
var_dump($backtrace);
}
}
function test($arg) {
$arg = str_shuffle(str_repeat('A', 79));
$vuln = new Vuln();
$vuln->a = $arg;
}
function test2($arg) {
$$arg = 1; // Trigger symbol table
$arg = str_shuffle(str_repeat('A', 79));
$vuln = new Vuln();
$vuln->a = $arg;
}
test('x');
test2('x');
?>
--EXPECTF--
array(1) {
[0]=>
array(6) {
["file"]=>
string(%d) "%s"
["line"]=>
int(%d)
["function"]=>
string(10) "__destruct"
["class"]=>
string(4) "Vuln"
["type"]=>
string(2) "->"
["args"]=>
array(0) {
}
}
}
array(1) {
[0]=>
array(6) {
["file"]=>
string(%d) "%s"
["line"]=>
int(%d)
["function"]=>
string(10) "__destruct"
["class"]=>
string(4) "Vuln"
["type"]=>
string(2) "->"
["args"]=>
array(0) {
}
}
}
|
