xref: /PHP-7.4/Zend/tests/bug76047.phpt (revision ef1e4891)
1--TEST--
2Bug #76047: Use-after-free when accessing already destructed backtrace arguments
3--FILE--
4<?php
5
/**
 * Fixture for bug #76047 (use-after-free when accessing already destructed
 * backtrace arguments, per the test title). The destructor releases the
 * property value, then captures and dumps a backtrace from inside the
 * destructor call. The EXPECTF section expects a one-frame trace holding
 * only the __destruct call, with an empty "args" array.
 */
6class Vuln {
7    public $a; // assigned by test()/test2() to the same string their $arg holds
8    public function __destruct() {
9        unset($this->a); // drop the property's reference to that string
10        $backtrace = (new Exception)->getTrace(); // capture the call stack from inside the destructor
11        var_dump($backtrace); // this printed dump is what EXPECTF is matched against
12    }
13}
14
/**
 * First scenario: a plain function whose parameter is overwritten with a
 * string built at run time and then shared with a Vuln instance. Nothing
 * here destroys $vuln explicitly; presumably it is released when the
 * function returns, which runs Vuln::__destruct() - confirm against engine
 * behaviour. Statement order is part of the reproduction; do not reorder.
 *
 * @param mixed $arg Overwritten on the first line; the passed value is never read.
 */
15function test($arg) {
16    $arg = str_shuffle(str_repeat('A', 79)); // 79-byte string built by calls, not a literal; NOTE(review): presumably to get a freshly allocated value - confirm
17    $vuln = new Vuln();
18    $vuln->a = $arg; // property and parameter now refer to the same string
19}
20
/**
 * Second scenario: same steps as test(), preceded by a variable-variable
 * write. Statement order is part of the reproduction; do not reorder.
 *
 * @param string $arg Used as a variable name by $$arg before being overwritten.
 */
21function test2($arg) {
22    $$arg = 1; // variable-variable write: creates a local named by $arg's value; per the original note this triggers the symbol table
23    $arg = str_shuffle(str_repeat('A', 79)); // same 79-byte run-time string as in test()
24    $vuln = new Vuln();
25    $vuln->a = $arg; // property and parameter now refer to the same string
26}
27
// Run both scenarios; EXPECTF lists two identical one-frame trace dumps, one per call.
28test('x');
29test2('x'); // 'x' also serves as the variable name written through $$arg
30
31?>
32--EXPECTF--
33array(1) {
34  [0]=>
35  array(6) {
36    ["file"]=>
37    string(%d) "%s"
38    ["line"]=>
39    int(%d)
40    ["function"]=>
41    string(10) "__destruct"
42    ["class"]=>
43    string(4) "Vuln"
44    ["type"]=>
45    string(2) "->"
46    ["args"]=>
47    array(0) {
48    }
49  }
50}
51array(1) {
52  [0]=>
53  array(6) {
54    ["file"]=>
55    string(%d) "%s"
56    ["line"]=>
57    int(%d)
58    ["function"]=>
59    string(10) "__destruct"
60    ["class"]=>
61    string(4) "Vuln"
62    ["type"]=>
63    string(2) "->"
64    ["args"]=>
65    array(0) {
66    }
67  }
68}
69