xref: /PHP-8.4/ext/gmp/tests/bug70284.phpt (revision e9f783fc)
1--TEST--
2Bug #70284 (Use after free vulnerability in unserialize() with GMP)
3--EXTENSIONS--
4gmp
5--FILE--
6<?php
7
8$inner = 'r:2;a:1:{i:0;a:1:{i:0;r:4;}}';
9$exploit = 'a:2:{i:0;s:1:"1";i:1;C:3:"GMP":'.strlen($inner).':{'.$inner.'}}';
10
11$data = unserialize($exploit);
12
13$fakezval = ptr2str(1122334455);
14$fakezval .= ptr2str(0);
15$fakezval .= "\x00\x00\x00\x00";
16$fakezval .= "\x01";
17$fakezval .= "\x00";
18$fakezval .= "\x00\x00";
19
20for ($i = 0; $i < 5; $i++) {
21    $v[$i] = $fakezval.$i;
22}
23
24var_dump($data);
25
26function ptr2str($ptr)
27{
28$out = '';
29    for ($i = 0; $i < 8; $i++) {
30        $out .= chr($ptr & 0xff);
31        $ptr >>= 8;
32    }
33    return $out;
34}
35?>
36--EXPECTF--
37Fatal error: Uncaught Exception: Could not unserialize number in %sbug70284.php:6
38Stack trace:
39#0 %sbug70284.php(6): unserialize('%s')
40#1 {main}
41  thrown in %sbug70284.php on line 6
42