--TEST--
Bug #72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize
--FILE--
<?php
// Regression test for bug #72433: a self-referential structure produced by
// unserialize() could be released by the cycle collector while a live variable
// still pointed at it (use-after-free). A fixed engine prints the intact
// structure given in --EXPECTF-- below.
//
// Pre-allocate a batch of empty strings first. NOTE(review): presumably this
// makes the allocator state predictable so that any slot freed later is the
// one re-used by the filler strings further down -- confirm against the
// original report; the test does not depend on the exact count beyond that.
$filler = array();
for($i = 0; $i < 100; $i++)
    $filler[] = "";
// Build a self-referential array: elements 0 and 1 are back-references (r:1)
// to the outer array itself, and element 2 is an ArrayObject whose
// custom-serialized storage (the C:...{x:...} part) also refers back to it.
$serialized_payload = 'a:3:{i:0;r:1;i:1;r:1;i:2;C:11:"ArrayObject":19:{x:i:0;r:1;;m:a:0:{}}}';
$free_me = unserialize($serialized_payload);
// Take one extra reference to the ArrayObject so that, from the collector's
// point of view, every refcount inside the unserialized array reaches 0.
// The buggy collector then freed the structure even though $free_me still
// referred to it.
$inc_ref_by_one = $free_me[2];
// Before the fix, this call freed '$free_me'.
gc_collect_cycles();
// Reoccupy whatever was (wrongly) freed so that a use-after-free shows up as
// corrupted output instead of the stale memory happening to still look valid.
$fill_freed_space_1 = "filler_zval_1";
$fill_freed_space_2 = "filler_zval_2";
// With the fix, the structure is still alive and dumps as the recursive
// array/ArrayObject shape expected below.
var_dump($free_me);
?>
--EXPECTF--
array(3) {
  [0]=>
  array(3) {
    [0]=>
    *RECURSION*
    [1]=>
    *RECURSION*
    [2]=>
    object(ArrayObject)#%d (1) {
      ["storage":"ArrayObject":private]=>
      *RECURSION*
    }
  }
  [1]=>
  array(3) {
    [0]=>
    *RECURSION*
    [1]=>
    *RECURSION*
    [2]=>
    object(ArrayObject)#%d (1) {
      ["storage":"ArrayObject":private]=>
      *RECURSION*
    }
  }
  [2]=>
  object(ArrayObject)#%d (1) {
    ["storage":"ArrayObject":private]=>
    array(3) {
      [0]=>
      *RECURSION*
      [1]=>
      *RECURSION*
      [2]=>
      *RECURSION*
    }
  }
}