xref: /PHP-7.4/ext/spl/tests/bug70168.phpt (revision c7d3c027)
1--TEST--
2SPL: Bug #70168 Use After Free Vulnerability in unserialize() with SplObjectStorage
3--FILE--
4<?php
5$inner = 'x:i:1;O:8:"stdClass":0:{};m:a:0:{}';
6$exploit = 'a:2:{i:0;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:1;R:3;}';
7
8$data = unserialize($exploit);
9
10for($i = 0; $i < 5; $i++) {
11    $v[$i] = 'hi'.$i;
12}
13
14var_dump($data);
15?>
16===DONE===
17--EXPECTF--
18array(2) {
19  [0]=>
20  object(SplObjectStorage)#%d (1) {
21    ["storage":"SplObjectStorage":private]=>
22    array(1) {
23      ["%s"]=>
24      array(2) {
25        ["obj"]=>
26        object(stdClass)#2 (0) {
27        }
28        ["inf"]=>
29        NULL
30      }
31    }
32  }
33  [1]=>
34  int(1)
35}
36===DONE===
37