1--TEST-- 2Bug #72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize 3--FILE-- 4<?php 5// Fill any potential freed spaces until now. 6$filler = array(); 7for($i = 0; $i < 100; $i++) 8 $filler[] = ""; 9// Create our payload and unserialize it. 10$serialized_payload = 'a:3:{i:0;r:1;i:1;r:1;i:2;C:11:"ArrayObject":19:{x:i:0;r:1;;m:a:0:{}}}'; 11$free_me = unserialize($serialized_payload); 12// We need to increment the reference counter of our ArrayObject s.t. all reference counters of our unserialized array become 0. 13$inc_ref_by_one = $free_me[2]; 14// The call to gc_collect_cycles will free '$free_me'. 15gc_collect_cycles(); 16// We now have multiple freed spaces. Fill all of them. 17$fill_freed_space_1 = "filler_zval_1"; 18$fill_freed_space_2 = "filler_zval_2"; 19var_dump($free_me); 20?> 21--EXPECTF-- 22array(3) { 23 [0]=> 24 *RECURSION* 25 [1]=> 26 *RECURSION* 27 [2]=> 28 object(ArrayObject)#%d (1) { 29 ["storage":"ArrayObject":private]=> 30 *RECURSION* 31 } 32} 33
