xref: /PHP-7.3/ext/spl/tests/bug70365.phpt (revision 259057b2)
1--TEST--
2SPL: Bug #70365 use-after-free vulnerability in unserialize() with SplObjectStorage
3--FILE--
4<?php
5class obj {
6	var $ryat;
7	function __wakeup() {
8		$this->ryat = 1;
9	}
10}
11
12$fakezval = ptr2str(1122334455);
13$fakezval .= ptr2str(0);
14$fakezval .= "\x00\x00\x00\x00";
15$fakezval .= "\x01";
16$fakezval .= "\x00";
17$fakezval .= "\x00\x00";
18
19$inner = 'x:i:1;O:8:"stdClass":0:{},i:1;;m:a:0:{}';
20$exploit = 'a:5:{i:0;i:1;i:1;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;R:6;i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}';
21
22$data = unserialize($exploit);
23
24var_dump($data);
25
26function ptr2str($ptr)
27{
28	$out = '';
29	for ($i = 0; $i < 8; $i++) {
30		$out .= chr($ptr & 0xff);
31		$ptr >>= 8;
32	}
33	return $out;
34}
35--EXPECTF--
36array(5) {
37  [0]=>
38  int(1)
39  [1]=>
40  &int(1)
41  [2]=>
42  object(obj)#%d (1) {
43    ["ryat"]=>
44    &int(1)
45  }
46  [3]=>
47  int(1)
48  [4]=>
49  string(24) "%s"
50}
51