1--TEST--
2Bug #70172 - Use After Free Vulnerability in unserialize()
3--FILE--
4<?php
/**
 * Fixture class for the Bug #70172 regression test.
 *
 * Implements the legacy Serializable interface so that the payload can address
 * it with the custom `C:` serialization format, which routes decoding through
 * obj::unserialize().
 */
class obj implements Serializable
{
    /** @var mixed Value restored from (or written to) the custom serialized body. */
    public $data;

    /**
     * Produce the custom serialized body for this object.
     *
     * @return string serialize() output for $this->data.
     */
    public function serialize()
    {
        $encoded = serialize($this->data);

        return $encoded;
    }

    /**
     * Restore $this->data from the custom serialized body.
     *
     * The nested unserialize() call is deliberate: the test needs a second
     * decoder invocation while the outer one is still running. Outside a test
     * fixture, unserialize() should not be fed data from an untrusted source.
     *
     * @param string $data Body taken from the `C:` record.
     */
    public function unserialize($data)
    {
        $decoded = unserialize($data);
        $this->data = $decoded;
    }
}
14
/**
 * Fixture class for the Bug #70172 regression test.
 *
 * Its __wakeup() hook replaces the freshly unserialized property value, which
 * drops whatever value the decoder had just stored there.
 */
class obj2
{
    /** @var mixed Holds the nested object from the payload until __wakeup() overwrites it. */
    public $ryat;

    /**
     * Called by unserialize() after the object is rebuilt; resets $ryat to 1.
     */
    public function __wakeup()
    {
        $replacement = 1;
        $this->ryat = $replacement;
    }
}
21
// Regression driver for Bug #70172 (use-after-free in unserialize()).
// On a fixed engine this script must print exactly the structure listed in the
// EXPECTF section; a crash or corrupted dump indicates the bug has come back.

// Build a 24-byte marker string: an 8-byte little-endian integer, 8 zero bytes,
// 4 zero bytes, then the bytes 0x01, 0x00 and two more zero bytes.
// NOTE(review): the name suggests this imitates an in-memory value layout so
// that reuse of freed memory would be visible - confirm against the bug report.
// ptr2str() is declared further down in this file.
$fakezval = ptr2str(1122334455);
$fakezval .= ptr2str(0);
$fakezval .= "\x00\x00\x00\x00";
$fakezval .= "\x01";
$fakezval .= "\x00";
$fakezval .= "\x00\x00";

// Serialized input: a two-element array. Element 0 is an obj2 whose "ryat"
// property holds a custom-serialized (C:) obj with body "r:2;". Element 1 is
// a nested array whose innermost entry is the back-reference "R:4;".
$inner = 'r:2;';
$exploit = 'a:2:{i:0;O:4:"obj2":1:{s:4:"ryat";C:3:"obj":'.strlen($inner).':{'.$inner.'}}i:1;a:1:{i:0;a:1:{i:0;R:4;}}}';

// Decoding runs obj::unserialize() for the nested object and obj2::__wakeup(),
// which overwrites "ryat" with 1. Per EXPECTF, the back-reference must end up
// pointing at the live obj2 instance rather than at a released value.
$data = unserialize($exploit);

// Allocate five strings derived from the marker. $v is created implicitly.
// NOTE(review): presumably meant to reoccupy any memory released during
// unserialize() so a stale pointer would show up in the dump - confirm.
for ($i = 0; $i < 5; $i++) {
    $v[$i] = $fakezval.$i;
}

// Walk the whole result; the output is compared against EXPECTF.
var_dump($data);
39
/**
 * Encode an integer as an 8-byte string, least-significant byte first.
 *
 * @param int $ptr Value to encode.
 * @return string Eight bytes, one per 8-bit group of $ptr, low byte first.
 */
function ptr2str($ptr)
{
    $packed = '';
    // Take each 8-bit group in turn, starting from the lowest one.
    for ($shift = 0; $shift < 64; $shift += 8) {
        $packed .= chr(($ptr >> $shift) & 0xff);
    }

    return $packed;
}
49?>
50--EXPECTF--
51Deprecated: %s implements the Serializable interface, which is deprecated. Implement __serialize() and __unserialize() instead (or in addition, if support for old PHP versions is necessary) in %s on line %d
52array(2) {
53  [0]=>
54  object(obj2)#%d (1) {
55    ["ryat"]=>
56    int(1)
57  }
58  [1]=>
59  array(1) {
60    [0]=>
61    array(1) {
62      [0]=>
63      object(obj2)#%d (1) {
64        ["ryat"]=>
65        int(1)
66      }
67    }
68  }
69}
70