xref: /PHP-7.0/ext/wddx/tests/bug70661.phpt (revision bc4baf60)
1--TEST--
2Bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization)
3--SKIPIF--
4<?php
5if (!extension_loaded("wddx")) print "skip";
6?>
7--FILE--
8<?php
9$fakezval = ptr2str(1122334455);
10$fakezval .= ptr2str(0);
11$fakezval .= "\x00\x00\x00\x00";
12$fakezval .= "\x01";
13$fakezval .= "\x00";
14$fakezval .= "\x00\x00";
15
16$x = <<<EOT
17<?xml version='1.0'?>
18<wddxPacket version='1.0'>
19<header/>
20	<data>
21		<struct>
22			<recordset rowCount='1' fieldNames='ryat'>
23				<field name='ryat'>
24					<var name='php_class_name'>
25						<string>stdClass</string>
26					</var>
27					<null/>
28				</field>
29			</recordset>
30		</struct>
31	</data>
32</wddxPacket>
33EOT;
34
35$y = wddx_deserialize($x);
36
37for ($i = 0; $i < 5; $i++) {
38	$v[$i] = $fakezval.$i;
39}
40
41var_dump($y);
42
43function ptr2str($ptr)
44{
45	$out = '';
46
47	for ($i = 0; $i < 8; $i++) {
48		$out .= chr($ptr & 0xff);
49		$ptr >>= 8;
50	}
51
52	return $out;
53}
54?>
55DONE
56--EXPECTF--
57array(1) {
58  [0]=>
59  array(1) {
60    ["ryat"]=>
61    array(2) {
62      ["php_class_name"]=>
63      string(8) "stdClass"
64      [0]=>
65      NULL
66    }
67  }
68}
69DONE