--TEST--
Bug #69425 (Use After Free in unserialize())
--FILE--
<?php

// Regression test: both payloads below are fixed literals. Each one is a
// two-element array whose first element is an object with a property encoded
// as `R:1`, i.e. a reference back to value slot 1 of the stream, which is the
// outer array itself. The test pins the safe outcome for that self-reference;
// the bug title describes the pre-fix behaviour as a use-after-free.
//
// NOTE(review): this is parser hardening, not a reason to unserialize
// untrusted data. Application code should still restrict classes via the
// `allowed_classes` option or use a data-only format such as JSON.

// POC 1
// User-defined class: the magic method writes through the property that the
// payload has bound to the outer array.
class test
{
    // Bound by the payload (`s:4:"ryat";R:1;`) to a reference to the outer array.
    var $ryat;

    // Invoked by unserialize() when the object is restored.
    function __wakeup()
    {
        // Assigning through the reference replaces the outer array with int 1,
        // which is why the first expected dump is `int(1)` and not an array.
        $this->ryat = 1;
    }
}

$data = unserialize('a:2:{i:0;O:4:"test":1:{s:4:"ryat";R:1;}i:1;i:2;}');
var_dump($data);

// POC 2
// Same back-reference, aimed at a built-in class instead of a userland
// __wakeup(). The expected output shows the outer array surviving intact and
// "y" coming back as int(-1) rather than as the referenced array.
$data = unserialize('a:2:{i:0;O:12:"DateInterval":1:{s:1:"y";R:1;}i:1;i:2;}');
var_dump($data);

?>
--EXPECTF--
int(1)
array(2) {
  [0]=>
  object(DateInterval)#1 (%d) {
    ["y"]=>
    int(-1)
    ["m"]=>
    int(-1)
    ["d"]=>
    int(-1)
    ["h"]=>
    int(-1)
    ["i"]=>
    int(-1)
    ["s"]=>
    int(-1)
    ["f"]=>
    float(0)
    ["invert"]=>
    int(0)
    ["days"]=>
    int(-1)
    ["from_string"]=>
    bool(false)
  }
  [1]=>
  int(2)
}