1--TEST--
2Bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
3--SKIPIF--
4<?php
5if(!class_exists('zip')) die('skip ZipArchive');
6?>
7--FILE--
8<?php
9// The following array will be serialized and this representation will be freed later on.
10$free_me = array(new StdClass());
11// Create our payload and unserialize it.
12$serialized_payload = 'a:3:{i:1;N;i:2;O:10:"ZipArchive":1:{s:8:"filename";'.serialize($free_me).'}i:1;R:4;}';
13$unserialized_payload = unserialize($serialized_payload);
14gc_collect_cycles();
15// The reference counter for $free_me is at -1 for PHP 7 right now.
16// Increment the reference counter by 1 -> rc is 0
17$a = $unserialized_payload[1];
18// Increment the reference counter by 1 again -> rc is 1
19$b = $a;
20// Trigger free of $free_me (referenced by $m[1]).
21unset($b);
22$fill_freed_space_1 = "filler_zval_1";
23$fill_freed_space_2 = "filler_zval_2";
24$fill_freed_space_3 = "filler_zval_3";
25$fill_freed_space_4 = "filler_zval_4";
26debug_zval_dump($unserialized_payload[1]);
27?>
28--EXPECTF--
29array(1) refcount(3){
30  [0]=>
31  object(stdClass)#%d (0) refcount(1){
32  }
33}
34