--TEST--
Bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
--FILE--
<?php
// Regression test for bug #72434. The comments below describe the state of a
// vulnerable build: unserializing a ZipArchive whose "filename" property
// carries an array left that array's refcount wrong, so the unset() further
// down freed it while $unserialized_payload[1] still pointed at it. On a fixed
// build the array survives and the dump in --EXPECTF-- shows it intact.
// Requires ext/zip: without ZipArchive the object would unserialize as
// __PHP_Incomplete_Class and the dump would differ.
// The following array will be serialized and this representation will be freed later on.
$free_me = array(new StdClass());
// Create our payload and unserialize it. Key 1 is first N, then re-set as R:4,
// i.e. a reference to the array stored under the object's "filename" property.
$serialized_payload = 'a:3:{i:1;N;i:2;O:10:"ZipArchive":1:{s:8:"filename";'.serialize($free_me).'}i:1;R:4;}';
$unserialized_payload = unserialize($serialized_payload);
gc_collect_cycles();
// The reference counter for $free_me is at -1 for PHP 7 right now (vulnerable build).
// Increment the reference counter by 1 -> rc is 0
$a = $unserialized_payload[1];
// Increment the reference counter by 1 again -> rc is 1
$b = $a;
// Trigger free of the array (referenced by $unserialized_payload[1]) on a vulnerable build.
unset($b);
// Reoccupy the freed memory; on a vulnerable build the dump below would then
// typically show corrupted data or crash instead of the original array.
// The statement order above is what the test relies on - do not reorder.
$fill_freed_space_1 = "filler_zval_1";
$fill_freed_space_2 = "filler_zval_2";
$fill_freed_space_3 = "filler_zval_3";
$fill_freed_space_4 = "filler_zval_4";
// On a fixed build the array is still alive; the refcount(3) in --EXPECTF-- is
// matched literally, only the object handle (#%d) is a wildcard.
debug_zval_dump($unserialized_payload[1]);
?>
--EXPECTF--
array(1) refcount(3){
  [0]=>
  object(stdClass)#%d (0) refcount(1){
  }
}