1--TEST-- 2SPL: Bug #70169 Use After Free Vulnerability in unserialize() with SplDoublyLinkedList 3--FILE-- 4<?php 5$inner = 'i:1;'; 6$exploit = 'a:2:{i:0;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:1;R:3;}'; 7 8$data = unserialize($exploit); 9 10for($i = 0; $i < 5; $i++) { 11 $v[$i] = 'hi'.$i; 12} 13 14var_dump($data); 15?> 16--EXPECTF-- 17array(2) { 18 [0]=> 19 object(SplDoublyLinkedList)#%d (2) { 20 ["flags":"SplDoublyLinkedList":private]=> 21 int(1) 22 ["dllist":"SplDoublyLinkedList":private]=> 23 array(0) { 24 } 25 } 26 [1]=> 27 int(1) 28} 29
