1--TEST-- 2Bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize 3--SKIPIF-- 4<?php 5if(!class_exists('zip')) die('skip ZipArchive'); 6?> 7--FILE-- 8<?php 9// The following array will be serialized and this representation will be freed later on. 10$free_me = array(new StdClass()); 11// Create our payload and unserialize it. 12$serialized_payload = 'a:3:{i:1;N;i:2;O:10:"ZipArchive":1:{s:8:"filename";'.serialize($free_me).'}i:1;R:4;}'; 13$unserialized_payload = unserialize($serialized_payload); 14gc_collect_cycles(); 15// The reference counter for $free_me is at -1 for PHP 7 right now. 16// Increment the reference counter by 1 -> rc is 0 17$a = $unserialized_payload[1]; 18// Increment the reference counter by 1 again -> rc is 1 19$b = $a; 20// Trigger free of $free_me (referenced by $m[1]). 21unset($b); 22$fill_freed_space_1 = "filler_zval_1"; 23$fill_freed_space_2 = "filler_zval_2"; 24$fill_freed_space_3 = "filler_zval_3"; 25$fill_freed_space_4 = "filler_zval_4"; 26debug_zval_dump($unserialized_payload[1]); 27?> 28--EXPECTF-- 29array(1) refcount(3){ 30 [0]=> 31 object(stdClass)#%d (0) refcount(1){ 32 } 33} 34