xref: /PHP-8.1/ext/snmp/tests/bug72479.phpt (revision b5a14e6c)
1--TEST--
2Bug #72479: Use After Free Vulnerability in SNMP with GC and unserialize()
3--EXTENSIONS--
4snmp
5--SKIPIF--
6<?php
7require_once(__DIR__.'/skipif.inc');
8?>
9--FILE--
10<?php
11$arr = [1, [1, 2, 3, 4, 5], 3, 4, 5];
12$poc = 'a:3:{i:1;N;i:2;O:4:"snmp":1:{s:11:"quick_print";'.serialize($arr).'}i:1;R:7;}';
13$out = unserialize($poc);
14gc_collect_cycles();
15$fakezval = ptr2str(1122334455);
16$fakezval .= ptr2str(0);
17$fakezval .= "\x00\x00\x00\x00";
18$fakezval .= "\x01";
19$fakezval .= "\x00";
20$fakezval .= "\x00\x00";
21for ($i = 0; $i < 5; $i++) {
22    $v[$i] = $fakezval.$i;
23}
24var_dump($out[1]);
25
26function ptr2str($ptr)
27{
28    $out = '';
29    for ($i = 0; $i < 8; $i++) {
30        $out .= chr($ptr & 0xff);
31        $ptr >>= 8;
32    }
33    return $out;
34}
35?>
36--EXPECT--
37int(1)
38