1--TEST--
2Bug #70172 - Use After Free Vulnerability in unserialize()
3--FILE--
4<?php
5class obj implements Serializable {
6	var $data;
7	function serialize() {
8		return serialize($this->data);
9	}
10	function unserialize($data) {
11		$this->data = unserialize($data);
12	}
13}
14
15class obj2 {
16	var $ryat;
17	function __wakeup() {
18		$this->ryat = 1;
19	}
20}
21
22$fakezval = ptr2str(1122334455);
23$fakezval .= ptr2str(0);
24$fakezval .= "\x00\x00\x00\x00";
25$fakezval .= "\x01";
26$fakezval .= "\x00";
27$fakezval .= "\x00\x00";
28
29$inner = 'r:2;';
30$exploit = 'a:2:{i:0;O:4:"obj2":1:{s:4:"ryat";C:3:"obj":'.strlen($inner).':{'.$inner.'}}i:1;a:1:{i:0;a:1:{i:0;R:4;}}}';
31
32$data = unserialize($exploit);
33
34for ($i = 0; $i < 5; $i++) {
35	$v[$i] = $fakezval.$i;
36}
37
38var_dump($data);
39
40function ptr2str($ptr)
41{
42	$out = '';
43	for ($i = 0; $i < 8; $i++) {
44		$out .= chr($ptr & 0xff);
45		$ptr >>= 8;
46	}
47	return $out;
48}
49?>
50--EXPECTF--
51array(2) {
52  [0]=>
53  object(obj2)#%d (1) {
54    ["ryat"]=>
55    int(1)
56  }
57  [1]=>
58  array(1) {
59    [0]=>
60    array(1) {
61      [0]=>
62      object(obj2)#%d (1) {
63        ["ryat"]=>
64        int(1)
65      }
66    }
67  }
68}