--TEST--
Bug #69425: Use After Free in unserialize()
--FILE--
<?php

// Regression test for a memory-safety bug in the unserializer (see the title).
// Both payloads below have the same shape: a two-element array whose first
// element is an object with one property serialized as "R:1". In the serialize
// format, R:n is a PHP reference to the n-th value parsed so far, and value 1
// is the outer array itself, so the property aliases the array that
// unserialize() is still filling in.
//
// The payloads are fixed literals on purpose. Application code should not pass
// untrusted input to unserialize(); prefer json_decode(), or at least restrict
// instantiation with the ['allowed_classes' => ...] option.

// POC 1
// User-defined class whose __wakeup() hook writes through the aliased property.
class test
{
    // Legacy "var" declaration (equivalent to public); must keep the name
    // "ryat" because the payload addresses it as s:4:"ryat".
    var $ryat;

    // Invoked by unserialize() once the object's properties are restored.
    function __wakeup()
    {
        // $this->ryat is a reference to the outer array (R:1), so this
        // assignment replaces that array with int 1 while element i:1 has not
        // been stored yet. Per the bug title, the pre-fix unserializer then
        // used the released array.
        $this->ryat = 1;
    }
}

// Expected result: $data is int(1), i.e. the write in __wakeup() wins and the
// process does not crash.
$data = unserialize('a:2:{i:0;O:4:"test":1:{s:4:"ryat";R:1;}i:1;i:2;}');
var_dump($data);

// POC 2
// Same payload shape against the built-in DateInterval class, so no userland
// __wakeup() is involved; property "y" is the R:1 back-reference.
// Expected result: the array stays intact and "y" is dumped as int(-1).
// NOTE(review): the expected dump pins object handle #1, which presumably
// relies on the POC 1 object having been released by now; keeping an extra
// object alive before this line would change the handle. Confirm before
// reordering.
$data = unserialize('a:2:{i:0;O:12:"DateInterval":1:{s:1:"y";R:1;}i:1;i:2;}');
var_dump($data);

?>
--EXPECT--
int(1)
array(2) {
  [0]=>
  object(DateInterval)#1 (15) {
    ["y"]=>
    int(-1)
    ["m"]=>
    int(-1)
    ["d"]=>
    int(-1)
    ["h"]=>
    int(-1)
    ["i"]=>
    int(-1)
    ["s"]=>
    int(-1)
    ["weekday"]=>
    int(-1)
    ["weekday_behavior"]=>
    int(-1)
    ["first_last_day_of"]=>
    int(-1)
    ["invert"]=>
    int(0)
    ["days"]=>
    int(-1)
    ["special_type"]=>
    int(0)
    ["special_amount"]=>
    int(-1)
    ["have_weekday_relative"]=>
    int(0)
    ["have_special_relative"]=>
    int(0)
  }
  [1]=>
  int(2)
}