xref: /PHP-8.0/ext/spl/tests/bug70365.phpt (revision 7aacc705)
1--TEST--
2SPL: Bug #70365 use-after-free vulnerability in unserialize() with SplObjectStorage
3--FILE--
4<?php
5class obj {
6    var $ryat;
7    function __wakeup() {
8        $this->ryat = 1;
9    }
10}
11
12$fakezval = ptr2str(1122334455);
13$fakezval .= ptr2str(0);
14$fakezval .= "\x00\x00\x00\x00";
15$fakezval .= "\x01";
16$fakezval .= "\x00";
17$fakezval .= "\x00\x00";
18
19$inner = 'x:i:1;O:8:"stdClass":0:{},i:1;;m:a:0:{}';
20$exploit = 'a:5:{i:0;i:1;i:1;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;R:6;i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}';
21
22$data = unserialize($exploit);
23
24var_dump($data);
25
26function ptr2str($ptr)
27{
28    $out = '';
29    for ($i = 0; $i < 8; $i++) {
30        $out .= chr($ptr & 0xff);
31        $ptr >>= 8;
32    }
33    return $out;
34}
35?>
36--EXPECTF--
37array(5) {
38  [0]=>
39  int(1)
40  [1]=>
41  &int(1)
42  [2]=>
43  object(obj)#%d (1) {
44    ["ryat"]=>
45    &int(1)
46  }
47  [3]=>
48  int(1)
49  [4]=>
50  string(24) "%s"
51}
52