--TEST--
Bug #70172 - Use After Free Vulnerability in unserialize()
--FILE--
<?php
/**
 * Minimal Serializable fixture; the test input refers to it as C:3:"obj".
 *
 * Both methods delegate to PHP's native serializer. When the engine reaches
 * this class through a C: record, unserialize() below runs as a nested call
 * inside the outer unserialize().
 */
class obj implements Serializable
{
    /** Wrapped value: written by unserialize(), read by serialize(). */
    public $data;

    /** Return the native serialization of the wrapped value. */
    public function serialize()
    {
        return serialize($this->data);
    }

    /** Decode $data with the native unserializer and keep the result. */
    public function unserialize($data)
    {
        $this->data = unserialize($data);
    }
}
/**
 * Fixture whose __wakeup() hook replaces its only property.
 *
 * The test input stores a value in "ryat"; the hook overwrites it with the
 * integer 1, which is the value the expected output prints for this object.
 */
class obj2
{
    /** Property named in the serialized input (s:4:"ryat"). */
    public $ryat;

    /** Called by unserialize() for this object; resets "ryat" to 1. */
    public function __wakeup()
    {
        $this->ryat = 1;
    }
}
// Regression driver for bug #70172 (use after free in unserialize(), per the
// test title). NOTE(review): the statement order and the separate string
// appends presumably matter for how memory is allocated - keep them as they
// are when touching this test.
// Outside of tests, unserialize() should not be given untrusted input; where
// it cannot be avoided, restrict instantiation with the allowed_classes option
// or switch to a data-only format such as JSON.

// 24-byte string (8 + 8 + 4 + 1 + 1 + 2 bytes). NOTE(review): the name and
// the field widths suggest it imitates an in-memory zval of the affected
// builds - confirm against the engine headers for the branch under test.
$fakezval = ptr2str(1122334455);
$fakezval .= ptr2str(0);
$fakezval .= "\x00\x00\x00\x00";
$fakezval .= "\x01";
$fakezval .= "\x00";
$fakezval .= "\x00\x00";

// Serialized input: element 0 is an obj2 whose "ryat" property holds a
// Serializable obj (C: record) wrapping the back-reference "r:2;"; element 1
// is a nested array ending in the reference "R:4;". obj2::__wakeup() replaces
// "ryat" with int 1 while this input is being decoded.
$inner = 'r:2;';
$exploit = 'a:2:{i:0;O:4:"obj2":1:{s:4:"ryat";C:3:"obj":'.strlen($inner).':{'.$inner.'}}i:1;a:1:{i:0;a:1:{i:0;R:4;}}}';

$data = unserialize($exploit);

// Create five strings that each start with $fakezval. NOTE(review): presumably
// these are meant to land in any memory released during unserialize(), so a
// regression shows up as unexpected var_dump() output - confirm.
for ($i = 0; $i < 5; $i++) {
    $v[$i] = $fakezval.$i;
}

// The --EXPECTF-- section requires both slots to print object(obj2) with
// "ryat" => int(1); any other value or a crash fails the test.
var_dump($data);
/**
 * Encode an integer as eight raw bytes, least significant byte first.
 *
 * @param int $ptr Value to encode; only the low byte of each successive
 *                 8-bit right shift is emitted.
 * @return string  Exactly eight bytes.
 */
function ptr2str($ptr)
{
    $bytes = '';
    $remaining = 8;
    while ($remaining > 0) {
        // Emit the current low byte, then move the next byte into place.
        $bytes .= chr($ptr & 0xff);
        $ptr = $ptr >> 8;
        $remaining--;
    }
    return $bytes;
}
?>
--EXPECTF--
array(2) {
  [0]=>
  object(obj2)#%d (1) {
    ["ryat"]=>
    int(1)
  }
  [1]=>
  array(1) {
    [0]=>
    array(1) {
      [0]=>
      object(obj2)#%d (1) {
        ["ryat"]=>
        int(1)
      }
    }
  }
}
69