1--TEST--
2Bug #72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize
3--FILE--
4<?php
5// Fill any potential freed spaces until now.
6$filler = array();
7for($i = 0; $i < 100; $i++)
8	$filler[] = "";
9// Create our payload and unserialize it.
10$serialized_payload = 'a:3:{i:0;r:1;i:1;r:1;i:2;C:11:"ArrayObject":19:{x:i:0;r:1;;m:a:0:{}}}';
11$free_me = unserialize($serialized_payload);
12// We need to increment the reference counter of our ArrayObject s.t. all reference counters of our unserialized array become 0.
13$inc_ref_by_one = $free_me[2];
14// The call to gc_collect_cycles will free '$free_me'.
15gc_collect_cycles();
16// We now have multiple freed spaces. Fill all of them.
17$fill_freed_space_1 = "filler_zval_1";
18$fill_freed_space_2 = "filler_zval_2";
19var_dump($free_me);
20?>
21--EXPECTF--
22array(3) {
23  [0]=>
24  array(3) {
25    [0]=>
26    *RECURSION*
27    [1]=>
28    *RECURSION*
29    [2]=>
30    object(ArrayObject)#%d (1) {
31      ["storage":"ArrayObject":private]=>
32      *RECURSION*
33    }
34  }
35  [1]=>
36  array(3) {
37    [0]=>
38    *RECURSION*
39    [1]=>
40    *RECURSION*
41    [2]=>
42    object(ArrayObject)#%d (1) {
43      ["storage":"ArrayObject":private]=>
44      *RECURSION*
45    }
46  }
47  [2]=>
48  object(ArrayObject)#%d (1) {
49    ["storage":"ArrayObject":private]=>
50    array(3) {
51      [0]=>
52      *RECURSION*
53      [1]=>
54      *RECURSION*
55      [2]=>
56      *RECURSION*
57    }
58  }
59}
60