1--TEST--
2Bug #70172 - Use After Free Vulnerability in unserialize()
3--XFAIL--
4Memory leak on debug build, needs fix.
5--FILE--
6<?php
7class obj implements Serializable {
8	var $data;
9	function serialize() {
10		return serialize($this->data);
11	}
12	function unserialize($data) {
13		$this->data = unserialize($data);
14	}
15}
16
17$fakezval = ptr2str(1122334455);
18$fakezval .= ptr2str(0);
19$fakezval .= "\x00\x00\x00\x00";
20$fakezval .= "\x01";
21$fakezval .= "\x00";
22$fakezval .= "\x00\x00";
23
24$inner = 'r:2;';
25$exploit = 'a:2:{i:0;i:1;i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}}';
26
27$data = unserialize($exploit);
28
29for ($i = 0; $i < 5; $i++) {
30	$v[$i] = $fakezval.$i;
31}
32
33var_dump($data);
34
35function ptr2str($ptr)
36{
37	$out = '';
38	for ($i = 0; $i < 8; $i++) {
39		$out .= chr($ptr & 0xff);
40		$ptr >>= 8;
41	}
42	return $out;
43}
44?>
45--EXPECTF--
46array(2) {
47  [0]=>
48  int(1)
49  [1]=>
50  object(obj)#%d (1) {
51    ["data"]=>
52    int(1)
53  }
54}