--TEST--
Bug #69425: Use After Free in unserialize()
--FILE--
<?php

// Regression test: both payloads below model serialized input whose object
// property is a back-reference to the container that is still being
// unserialized. The test passes when the output matches --EXPECT-- exactly.

// POC 1
// User-defined class whose __wakeup() writes to a property that the payload
// has turned into a reference to the outer array.
class test
{
    // Restored from the payload as `R:1`, i.e. a reference to value slot 1
    // of the stream, which is the top-level array itself.
    var $ryat;

    /**
     * Called by unserialize() when a `test` object is restored.
     *
     * Because $ryat aliases the top-level value, this assignment replaces the
     * array under construction with int 1. --EXPECT-- confirms that with the
     * leading `int(1)` line.
     */
    function __wakeup()
    {
        $this->ryat = 1;
    }
}

// a:2 = outer array (slot 1); element 0 is the `test` object carrying the
// R:1 back-reference; element 1 (`i:1;i:2;`) follows the object in the stream.
// NOTE(review): presumably that trailing element is what the affected builds
// wrote into the already-released array; confirm against the bug report.
$data = unserialize('a:2:{i:0;O:4:"test":1:{s:4:"ryat";R:1;}i:1;i:2;}');
var_dump($data);

// POC 2
// Same payload shape, but the object is the built-in DateInterval and its "y"
// property carries the R:1 back-reference, so no userland __wakeup() is needed.
// Per --EXPECT--, the outer array survives with both elements and the
// DateInterval fields come back as -1 / 0.
// NOTE(review): presumably those are the values DateInterval falls back to
// when "y" is not a usable integer; verify against ext/date.
$data = unserialize('a:2:{i:0;O:12:"DateInterval":1:{s:1:"y";R:1;}i:1;i:2;}');
var_dump($data);

?>
--EXPECT--
int(1)
array(2) {
  [0]=>
  object(DateInterval)#1 (16) {
    ["y"]=>
    int(-1)
    ["m"]=>
    int(-1)
    ["d"]=>
    int(-1)
    ["h"]=>
    int(-1)
    ["i"]=>
    int(-1)
    ["s"]=>
    int(-1)
    ["f"]=>
    float(-1)
    ["weekday"]=>
    int(-1)
    ["weekday_behavior"]=>
    int(-1)
    ["first_last_day_of"]=>
    int(-1)
    ["invert"]=>
    int(0)
    ["days"]=>
    int(-1)
    ["special_type"]=>
    int(0)
    ["special_amount"]=>
    int(-1)
    ["have_weekday_relative"]=>
    int(0)
    ["have_special_relative"]=>
    int(0)
  }
  [1]=>
  int(2)
}