1--TEST-- 2Bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization) 3--SKIPIF-- 4<?php 5if (!extension_loaded("wddx")) print "skip"; 6?> 7--FILE-- 8<?php 9$fakezval = ptr2str(1122334455); 10$fakezval .= ptr2str(0); 11$fakezval .= "\x00\x00\x00\x00"; 12$fakezval .= "\x01"; 13$fakezval .= "\x00"; 14$fakezval .= "\x00\x00"; 15 16$x = <<<EOT 17<?xml version='1.0'?> 18<wddxPacket version='1.0'> 19<header/> 20 <data> 21 <struct> 22 <recordset rowCount='1' fieldNames='ryat'> 23 <field name='ryat'> 24 <var name='php_class_name'> 25 <string>stdClass</string> 26 </var> 27 <null/> 28 </field> 29 </recordset> 30 </struct> 31 </data> 32</wddxPacket> 33EOT; 34 35$y = wddx_deserialize($x); 36 37for ($i = 0; $i < 5; $i++) { 38 $v[$i] = $fakezval.$i; 39} 40 41var_dump($y); 42 43function ptr2str($ptr) 44{ 45 $out = ''; 46 47 for ($i = 0; $i < 8; $i++) { 48 $out .= chr($ptr & 0xff); 49 $ptr >>= 8; 50 } 51 52 return $out; 53} 54?> 55DONE 56--EXPECTF-- 57array(1) { 58 [0]=> 59 array(1) { 60 ["ryat"]=> 61 array(2) { 62 ["php_class_name"]=> 63 string(8) "stdClass" 64 [0]=> 65 NULL 66 } 67 } 68} 69DONE
