xref: /PHP-7.3/ext/gmp/tests/bug70284.phpt (revision f26fc527)
1--TEST--
2Bug #70284 (Use after free vulnerability in unserialize() with GMP)
3--SKIPIF--
4<?php if (!extension_loaded("gmp")) print "skip"; ?>
5--FILE--
6<?php
7
8$inner = 'r:2;a:1:{i:0;a:1:{i:0;r:4;}}';
9$exploit = 'a:2:{i:0;s:1:"1";i:1;C:3:"GMP":'.strlen($inner).':{'.$inner.'}}';
10
11$data = unserialize($exploit);
12
13$fakezval = ptr2str(1122334455);
14$fakezval .= ptr2str(0);
15$fakezval .= "\x00\x00\x00\x00";
16$fakezval .= "\x01";
17$fakezval .= "\x00";
18$fakezval .= "\x00\x00";
19
20for ($i = 0; $i < 5; $i++) {
21	$v[$i] = $fakezval.$i;
22}
23
24var_dump($data);
25
26function ptr2str($ptr)
27{
28$out = '';
29	for ($i = 0; $i < 8; $i++) {
30		$out .= chr($ptr & 0xff);
31		$ptr >>= 8;
32	}
33	return $out;
34}
35?>
36--EXPECTF--
37Fatal error: Uncaught Exception: Could not unserialize number in %sbug70284.php:6
38Stack trace:
39#0 %sbug70284.php(6): unserialize('%s')
40#1 {main}
41  thrown in %sbug70284.php on line 6
42