diff options
| author | Stanislav Malyshev <stas@php.net> | 2015-09-01 00:26:12 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2015-09-01 00:26:12 -0700 |
| commit | c8f07ad4771620252bf542e09938633bfb837363 (patch) | |
| tree | 5b377555f4db1a7e1bac448287863d73a85949cd | |
| parent | 259057b2a484747a6c73ce54c4fa0f5acbd56179 (diff) | |
| download | php-git-c8f07ad4771620252bf542e09938633bfb837363.tar.gz | |
add test
| -rw-r--r-- | ext/spl/tests/bug70155.phpt | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/ext/spl/tests/bug70155.phpt b/ext/spl/tests/bug70155.phpt new file mode 100644 index 0000000000..1730a1a587 --- /dev/null +++ b/ext/spl/tests/bug70155.phpt @@ -0,0 +1,50 @@ +--TEST-- +SPL: Bug #70155 Use After Free Vulnerability in unserialize() with SPLArrayObject +--FILE-- +<?php +$inner = 'x:i:0;O:12:"DateInterval":1:{s:1:"y";i:3;};m:a:1:{i:0;R:2;}'; +$exploit = 'C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}'; +$data = unserialize($exploit); + +var_dump($data); +?> +===DONE=== +--EXPECTF-- +object(ArrayObject)#1 (2) { + [0]=> + int(0) + ["storage":"ArrayObject":private]=> + object(DateInterval)#2 (15) { + ["y"]=> + int(3) + ["m"]=> + int(-1) + ["d"]=> + int(-1) + ["h"]=> + int(-1) + ["i"]=> + int(-1) + ["s"]=> + int(-1) + ["weekday"]=> + int(-1) + ["weekday_behavior"]=> + int(-1) + ["first_last_day_of"]=> + int(-1) + ["invert"]=> + int(0) + ["days"]=> + int(-1) + ["special_type"]=> + int(0) + ["special_amount"]=> + int(-1) + ["have_weekday_relative"]=> + int(0) + ["have_special_relative"]=> + int(0) + } +} +===DONE=== |