diff options
| author | Stanislav Malyshev <stas@php.net> | 2015-03-17 17:03:46 -0700 |
|---|---|---|
| committer | Julien Pauli <jpauli@php.net> | 2015-03-18 10:38:54 +0100 |
| commit | 2256ee4fa7b79bf4626cbe4e10d49fdab695e3ac (patch) | |
| tree | a2e38bc9812526de52e76bddb90207d476bceaca | |
| parent | b690be4d22c9651dd99ead087d3b808f12fa68fb (diff) | |
| download | php-git-2256ee4fa7b79bf4626cbe4e10d49fdab695e3ac.tar.gz | |
add test for bug #68976
| -rw-r--r-- | ext/standard/tests/serialize/bug68976.phpt | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/ext/standard/tests/serialize/bug68976.phpt b/ext/standard/tests/serialize/bug68976.phpt new file mode 100644 index 0000000000..a79a953a4a --- /dev/null +++ b/ext/standard/tests/serialize/bug68976.phpt @@ -0,0 +1,37 @@ +--TEST-- +Bug #68976 Use After Free Vulnerability in unserialize() +--FILE-- +<?php +class evilClass { + public $name; + function __wakeup() { + unset($this->name); + } +} + +$fakezval = pack( + 'IIII', + 0x00100000, + 0x00000400, + 0x00000000, + 0x00000006 +); + +$data = unserialize('a:2:{i:0;O:9:"evilClass":1:{s:4:"name";a:2:{i:0;i:1;i:1;i:2;}}i:1;R:4;}'); + +for($i = 0; $i < 5; $i++) { + $v[$i] = $fakezval.$i; +} + +var_dump($data); +?> +===DONE=== +--EXPECTF-- +array(2) { + [0]=> + object(evilClass)#1 (0) { + } + [1]=> + int(1) +} +===DONE=== |