1--TEST--
2Bug #70172 - Use After Free Vulnerability in unserialize()
3--FILE--
4<?php
5class obj implements Serializable {
6    var $data;
7    function serialize() {
8        return serialize($this->data);
9    }
10    function unserialize($data) {
11        $this->data = unserialize($data);
12    }
13}
14
15$fakezval = ptr2str(1122334455);
16$fakezval .= ptr2str(0);
17$fakezval .= "\x00\x00\x00\x00";
18$fakezval .= "\x01";
19$fakezval .= "\x00";
20$fakezval .= "\x00\x00";
21
22$inner = 'R:2;';
23$exploit = 'a:2:{i:0;i:1;i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}}';
24
25$data = unserialize($exploit);
26
27for ($i = 0; $i < 5; $i++) {
28    $v[$i] = $fakezval.$i;
29}
30
31var_dump($data);
32
33function ptr2str($ptr)
34{
35    $out = '';
36    for ($i = 0; $i < 8; $i++) {
37        $out .= chr($ptr & 0xff);
38        $ptr >>= 8;
39    }
40    return $out;
41}
42?>
43--EXPECTF--
44Deprecated: %s implements the Serializable interface, which is deprecated. Implement __serialize() and __unserialize() instead (or in addition, if support for old PHP versions is necessary) in %s on line %d
45array(2) {
46  [0]=>
47  int(1)
48  [1]=>
49  object(obj)#%d (1) {
50    ["data"]=>
51    int(1)
52  }
53}
54