--TEST--
SPL: Bug #70155 Use After Free Vulnerability in unserialize() with SPLArrayObject
--FILE--
<?php
// Regression test for Bug #70155: a hand-built serialized ArrayObject is passed
// to unserialize() and the result is dumped. The test passes when the dump
// matches the EXPECTF section below, i.e. the stream is decoded into an
// ordinary object graph and the script reaches the ===DONE=== marker.
//
// The bug title classifies the issue as a use-after-free, so a plain run on an
// affected build may not fail visibly. Running the test under a memory checker
// (Valgrind, AddressSanitizer) is the more reliable check.
// NOTE(review): the affected and fixed PHP versions are not stated in this file.
// The statements below are left exactly as written, since a memory-safety
// reproducer can depend on the precise shape of the script.

// Body of the ArrayObject's custom serialization: an "x:" part (integer 0,
// then a DateInterval object with the single property y = 3), followed by an
// "m:" part holding a one-element array whose element is the back-reference
// R:2. The expected output shows that element resolving to int(0).
$inner = 'x:i:0;O:12:"DateInterval":1:{s:1:"y";i:3;};m:a:1:{i:0;R:2;}';
// The C: (custom-serialized object) wrapper declares the byte length of its
// body, so the length is computed from $inner rather than hard-coded.
$exploit = 'C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}';
// The stream here is a fixed literal. The same call on attacker-supplied data
// is what makes this bug class reachable, so untrusted input should not be
// passed to unserialize().
$data = unserialize($exploit);

var_dump($data);
// Text after the closing tag is emitted verbatim, so the marker below appears
// in the output only when the script runs to completion.
?>
===DONE===
--EXPECTF--
object(ArrayObject)#1 (2) {
  [0]=>
  int(0)
  ["storage":"ArrayObject":private]=>
  object(DateInterval)#2 (15) {
    ["y"]=>
    int(3)
    ["m"]=>
    int(-1)
    ["d"]=>
    int(-1)
    ["h"]=>
    int(-1)
    ["i"]=>
    int(-1)
    ["s"]=>
    int(-1)
    ["weekday"]=>
    int(-1)
    ["weekday_behavior"]=>
    int(-1)
    ["first_last_day_of"]=>
    int(-1)
    ["invert"]=>
    int(0)
    ["days"]=>
    int(-1)
    ["special_type"]=>
    int(0)
    ["special_amount"]=>
    int(-1)
    ["have_weekday_relative"]=>
    int(0)
    ["have_special_relative"]=>
    int(0)
  }
}
===DONE===