xref: /php-src/Zend/tests/bug76047.phpt (revision ef1e4891)
1--TEST--
2Bug #76047: Use-after-free when accessing already destructed backtrace arguments
3--FILE--
4<?php
5
6class Vuln {
7    public $a;
8    public function __destruct() {
9        unset($this->a);
10        $backtrace = (new Exception)->getTrace();
11        var_dump($backtrace);
12    }
13}
14
15function test($arg) {
16    $arg = str_shuffle(str_repeat('A', 79));
17    $vuln = new Vuln();
18    $vuln->a = $arg;
19}
20
21function test2($arg) {
22    $$arg = 1; // Trigger symbol table
23    $arg = str_shuffle(str_repeat('A', 79));
24    $vuln = new Vuln();
25    $vuln->a = $arg;
26}
27
28test('x');
29test2('x');
30
31?>
32--EXPECTF--
33array(1) {
34  [0]=>
35  array(6) {
36    ["file"]=>
37    string(%d) "%s"
38    ["line"]=>
39    int(%d)
40    ["function"]=>
41    string(10) "__destruct"
42    ["class"]=>
43    string(4) "Vuln"
44    ["type"]=>
45    string(2) "->"
46    ["args"]=>
47    array(0) {
48    }
49  }
50}
51array(1) {
52  [0]=>
53  array(6) {
54    ["file"]=>
55    string(%d) "%s"
56    ["line"]=>
57    int(%d)
58    ["function"]=>
59    string(10) "__destruct"
60    ["class"]=>
61    string(4) "Vuln"
62    ["type"]=>
63    string(2) "->"
64    ["args"]=>
65    array(0) {
66    }
67  }
68}
69