1--TEST--
2Bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
3--FILE--
4<?php
5// The following array will be serialized and this representation will be freed later on.
6$free_me = array(new StdClass());
7// Create our payload and unserialize it.
8$serialized_payload = 'a:3:{i:1;N;i:2;O:10:"ZipArchive":1:{s:8:"filename";'.serialize($free_me).'}i:1;R:4;}';
9$unserialized_payload = unserialize($serialized_payload);
10gc_collect_cycles();
11// The reference counter for $free_me is at -1 for PHP 7 right now.
12// Increment the reference counter by 1 -> rc is 0
13$a = $unserialized_payload[1];
14// Increment the reference counter by 1 again -> rc is 1
15$b = $a;
16// Trigger free of $free_me (referenced by $m[1]).
17unset($b);
18$fill_freed_space_1 = "filler_zval_1";
19$fill_freed_space_2 = "filler_zval_2";
20$fill_freed_space_3 = "filler_zval_3";
21$fill_freed_space_4 = "filler_zval_4";
22debug_zval_dump($unserialized_payload[1]);
23?>
24--EXPECTF--
25array(1) refcount(3){
26  [0]=>
27  object(stdClass)#%d (0) refcount(1){
28  }
29}
30