1--TEST--
2Bug #70219 Use after free vulnerability in session deserializer
3--EXTENSIONS--
4session
5--FILE--
6<?php
7ini_set('session.serialize_handler', 'php_serialize');
8session_start();
9
10class obj implements Serializable {
11    var $data;
12    function serialize() {
13        return serialize($this->data);
14    }
15    function unserialize($data) {
16        session_decode($data);
17    }
18}
19
20$inner = 'r:2;';
21$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}}';
22
23$data = unserialize($exploit);
24
25for ($i = 0; $i < 5; $i++) {
26    $v[$i] = 'hi'.$i;
27}
28
29var_dump($data);
30var_dump($_SESSION);
31?>
32--EXPECTF--
33Deprecated: %s implements the Serializable interface, which is deprecated. Implement __serialize() and __unserialize() instead (or in addition, if support for old PHP versions is necessary) in %s on line %d
34array(2) {
35  [0]=>
36  object(obj)#%d (1) {
37    ["data"]=>
38    NULL
39  }
40  [1]=>
41  object(obj)#%d (1) {
42    ["data"]=>
43    NULL
44  }
45}
46object(obj)#1 (1) {
47  ["data"]=>
48  NULL
49}
50