xref: /PHP-5.4/ext/spl/tests/bug70155.phpt (revision c8f07ad4)
1--TEST--
2SPL: Bug #70155 Use After Free Vulnerability in unserialize() with SPLArrayObject
3--FILE--
4<?php
5$inner = 'x:i:0;O:12:"DateInterval":1:{s:1:"y";i:3;};m:a:1:{i:0;R:2;}';
6$exploit = 'C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}';
7$data = unserialize($exploit);
8
9var_dump($data);
10?>
11===DONE===
12--EXPECTF--
13object(ArrayObject)#1 (2) {
14  [0]=>
15  int(0)
16  ["storage":"ArrayObject":private]=>
17  object(DateInterval)#2 (15) {
18    ["y"]=>
19    int(3)
20    ["m"]=>
21    int(-1)
22    ["d"]=>
23    int(-1)
24    ["h"]=>
25    int(-1)
26    ["i"]=>
27    int(-1)
28    ["s"]=>
29    int(-1)
30    ["weekday"]=>
31    int(-1)
32    ["weekday_behavior"]=>
33    int(-1)
34    ["first_last_day_of"]=>
35    int(-1)
36    ["invert"]=>
37    int(0)
38    ["days"]=>
39    int(-1)
40    ["special_type"]=>
41    int(0)
42    ["special_amount"]=>
43    int(-1)
44    ["have_weekday_relative"]=>
45    int(0)
46    ["have_special_relative"]=>
47    int(0)
48  }
49}
50===DONE===
51