xref: /PHP-8.0/ext/spl/tests/bug70366.phpt (revision f8d79582)
1--TEST--
2SPL: Bug #70366 use-after-free vulnerability in unserialize() with SplDoublyLinkedList
3--FILE--
4<?php
5class obj {
6    var $ryat;
7    function __wakeup() {
8        $this->ryat = 1;
9    }
10}
11
12$fakezval = ptr2str(1122334455);
13$fakezval .= ptr2str(0);
14$fakezval .= "\x00\x00\x00\x00";
15$fakezval .= "\x01";
16$fakezval .= "\x00";
17$fakezval .= "\x00\x00";
18
19$inner = 'i:1234;:i:1;';
20$exploit = 'a:5:{i:0;i:1;i:1;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;a:1:{i:0;R:5;}i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}';
21
22$data = unserialize($exploit);
23
24var_dump($data);
25
26function ptr2str($ptr)
27{
28    $out = '';
29    for ($i = 0; $i < 8; $i++) {
30        $out .= chr($ptr & 0xff);
31        $ptr >>= 8;
32    }
33    return $out;
34}
35?>
36--EXPECTF--
37array(5) {
38  [0]=>
39  int(1)
40  [1]=>
41  &int(1)
42  [2]=>
43  object(obj)#%d (1) {
44    ["ryat"]=>
45    &int(1)
46  }
47  [3]=>
48  array(1) {
49    [0]=>
50    int(1)
51  }
52  [4]=>
53  string(24) "%s"
54}
55