xref: /PHP-7.1/ext/gmp/tests/bug70284.phpt (revision d735957c)
1--TEST--
2Bug #70284 (Use after free vulnerability in unserialize() with GMP)
3--SKIPIF--
4<?php if (!extension_loaded("gmp")) print "skip"; ?>
5--FILE--
6<?php
7
8$inner = 'r:2;a:1:{i:0;a:1:{i:0;r:4;}}';
9$exploit = 'a:2:{i:0;s:1:"1";i:1;C:3:"GMP":'.strlen($inner).':{'.$inner.'}}';
10
11$data = unserialize($exploit);
12
13$fakezval = ptr2str(1122334455);
14$fakezval .= ptr2str(0);
15$fakezval .= "\x00\x00\x00\x00";
16$fakezval .= "\x01";
17$fakezval .= "\x00";
18$fakezval .= "\x00\x00";
19
20for ($i = 0; $i < 5; $i++) {
21	$v[$i] = $fakezval.$i;
22}
23
24var_dump($data);
25
26function ptr2str($ptr)
27{
28$out = '';
29	for ($i = 0; $i < 8; $i++) {
30		$out .= chr($ptr & 0xff);
31		$ptr >>= 8;
32	}
33	return $out;
34}
35?>
36--EXPECTF--
37array(2) {
38  [0]=>
39  string(1) "1"
40  [1]=>
41  object(GMP)#%d (2) {
42    [0]=>
43    array(1) {
44      [0]=>
45      string(1) "1"
46    }
47    ["num"]=>
48    string(1) "1"
49  }
50}
51