1--TEST-- 2SPL: Bug #70155 Use After Free Vulnerability in unserialize() with SPLArrayObject 3--FILE-- 4<?php 5$inner = 'x:i:0;O:12:"DateInterval":1:{s:1:"y";i:3;};m:a:1:{i:0;R:2;}'; 6$exploit = 'C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}'; 7$data = unserialize($exploit); 8 9var_dump($data); 10?> 11--EXPECTF-- 12Fatal error: Uncaught InvalidArgumentException: Overloaded object of type DateInterval is not compatible with ArrayObject in %s 13Stack trace: 14%s 15%s 16%s 17%s 18
