1--TEST-- 2Bug #73144 (Use-afte-free in ArrayObject Deserialization) 3--FILE-- 4<?php 5try { 6$token = 'a:2:{i:0;O:1:"0":2:{s:1:"0";i:0;s:1:"0";a:1:{i:0;C:11:"ArrayObject":7:{x:i:0;r}'; 7$obj = unserialize($token); 8} catch(Exception $e) { 9 echo $e->getMessage()."\n"; 10} 11 12try { 13$token = 'a:2:{i:0;O:1:"0":2:0s:1:"0";i:0;s:1:"0";a:1:{i:0;C:11:"ArrayObject":7:{x:i:0;r}'; 14$obj = unserialize($token); 15} catch(Exception $e) { 16 echo $e->getMessage()."\n"; 17} 18 19try { 20$inner = 'x:i:1;O:8:"stdClass":1:{};m:a:0:{}'; 21$exploit = 'C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}'; 22unserialize($exploit); 23} catch(Exception $e) { 24 echo $e->getMessage()."\n"; 25} 26?> 27--EXPECTF-- 28Error at offset 6 of 7 bytes 29 30Warning: unserialize(): Error at offset 19 of 79 bytes in %s on line %d 31 32Warning: ArrayObject::unserialize(): Unexpected end of serialized data in %sbug73341.php on line %d 33Error at offset 24 of 34 bytes 34
