1--TEST--
2Bug #70219 Use after free vulnerability in session deserializer
3--EXTENSIONS--
4session
5--INI--
6error_reporting=E_ALL&~E_DEPRECATED
7--FILE--
8<?php
9class obj implements Serializable {
10    var $data;
11    function serialize() {
12        return serialize($this->data);
13    }
14    function unserialize($data) {
15        session_start();
16        session_decode($data);
17    }
18}
19
20$inner = 'ryat|a:1:{i:0;a:1:{i:1;';
21$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;R:4;}';
22
23$data = unserialize($exploit);
24
25for ($i = 0; $i < 5; $i++) {
26    $v[$i] = 'hi'.$i;
27}
28
29var_dump($data);
30?>
31--EXPECTF--
32Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d
33
34Warning: unserialize(): Error at offset 55 of 56 bytes in %s on line %d
35bool(false)
36