1--TEST-- 2Bug #68976 Use After Free Vulnerability in unserialize() 3--FILE-- 4<?php 5class evilClass { 6 public $name; 7 function __wakeup() { 8 unset($this->name); 9 } 10} 11 12$fakezval = pack( 13 'IIII', 14 0x00100000, 15 0x00000400, 16 0x00000000, 17 0x00000006 18); 19 20$data = unserialize('a:2:{i:0;O:9:"evilClass":1:{s:4:"name";a:2:{i:0;i:1;i:1;i:2;}}i:1;R:4;}'); 21 22for($i = 0; $i < 5; $i++) { 23 $v[$i] = $fakezval.$i; 24} 25 26var_dump($data); 27?> 28===DONE=== 29--EXPECT-- 30array(2) { 31 [0]=> 32 object(evilClass)#1 (0) { 33 } 34 [1]=> 35 int(1) 36} 37===DONE=== 38
