mirror of
https://github.com/php/php-src.git
synced 2026-03-28 18:22:42 +01:00
24 lines
894 B
PHP
24 lines
894 B
PHP
--TEST--
|
|
Bug #72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize
|
|
--FILE--
|
|
<?php
|
|
// Fill any potential freed spaces until now.
|
|
$filler = array();
|
|
for($i = 0; $i < 100; $i++)
|
|
$filler[] = "";
|
|
// Create our payload and unserialize it.
|
|
$serialized_payload = 'a:3:{i:0;r:1;i:1;r:1;i:2;C:11:"ArrayObject":19:{x:i:0;r:1;;m:a:0:{}}}';
|
|
$free_me = unserialize($serialized_payload);
|
|
// We need to increment the reference counter of our ArrayObject s.t. all reference counters of our unserialized array become 0.
|
|
$inc_ref_by_one = $free_me[2];
|
|
// The call to gc_collect_cycles will free '$free_me'.
|
|
gc_collect_cycles();
|
|
// We now have multiple freed spaces. Fill all of them.
|
|
$fill_freed_space_1 = "filler_zval_1";
|
|
$fill_freed_space_2 = "filler_zval_2";
|
|
var_dump($free_me);
|
|
?>
|
|
--EXPECTF--
|
|
Notice: unserialize(): Error at offset %d of %d bytes in %sbug72433.php on line 8
|
|
bool(false)
|