diff options
author | Stanislav Malyshev <stas@php.net> | 2015-03-17 17:03:46 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2015-03-17 17:03:46 -0700 |
commit | 8b14d3052ffcffa17d6e2be652f20e18f8f562ad (patch) | |
tree | d984ee63666cf60ef02cc9079d99cf75cb758e0e | |
parent | 646572d6d3847d68124b03936719f60936b49a38 (diff) | |
download | php-git-8b14d3052ffcffa17d6e2be652f20e18f8f562ad.tar.gz |
add test for bug #68976
-rw-r--r-- | ext/standard/tests/serialize/bug68976.phpt | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/ext/standard/tests/serialize/bug68976.phpt b/ext/standard/tests/serialize/bug68976.phpt new file mode 100644 index 0000000000..a79a953a4a --- /dev/null +++ b/ext/standard/tests/serialize/bug68976.phpt @@ -0,0 +1,37 @@ +--TEST-- +Bug #68976 Use After Free Vulnerability in unserialize() +--FILE-- +<?php +class evilClass { + public $name; + function __wakeup() { + unset($this->name); + } +} + +$fakezval = pack( + 'IIII', + 0x00100000, + 0x00000400, + 0x00000000, + 0x00000006 +); + +$data = unserialize('a:2:{i:0;O:9:"evilClass":1:{s:4:"name";a:2:{i:0;i:1;i:1;i:2;}}i:1;R:4;}'); + +for($i = 0; $i < 5; $i++) { + $v[$i] = $fakezval.$i; +} + +var_dump($data); +?> +===DONE=== +--EXPECTF-- +array(2) { + [0]=> + object(evilClass)#1 (0) { + } + [1]=> + int(1) +} +===DONE=== |