xref: /PHP-7.0/ext/snmp/tests/bug72479.phpt (revision cab1c3b3)
1--TEST--
2Bug #72479: Use After Free Vulnerability in SNMP with GC and unserialize()
3--SKIPIF--
4<?php
5require_once(dirname(__FILE__).'/skipif.inc');
6?>
7--FILE--
8<?php
9$arr = [1, [1, 2, 3, 4, 5], 3, 4, 5];
10$poc = 'a:3:{i:1;N;i:2;O:4:"snmp":1:{s:11:"quick_print";'.serialize($arr).'}i:1;R:7;}';
11$out = unserialize($poc);
12gc_collect_cycles();
13$fakezval = ptr2str(1122334455);
14$fakezval .= ptr2str(0);
15$fakezval .= "\x00\x00\x00\x00";
16$fakezval .= "\x01";
17$fakezval .= "\x00";
18$fakezval .= "\x00\x00";
19for ($i = 0; $i < 5; $i++) {
20    $v[$i] = $fakezval.$i;
21}
22var_dump($out[1]);
23
24function ptr2str($ptr)
25{
26    $out = '';
27    for ($i = 0; $i < 8; $i++) {
28        $out .= chr($ptr & 0xff);
29        $ptr >>= 8;
30    }
31    return $out;
32}
33?>
34--EXPECT--
35int(1)