diff options
| author | Stanislav Malyshev <stas@php.net> | 2015-03-17 17:03:46 -0700 |
|---|---|---|
| committer | Ferenc Kovacs <tyrael@php.net> | 2015-03-19 00:55:09 +0100 |
| commit | 0197082b8eb9e7eac8b06af0e92c7e2f43e2afa6 (patch) | |
| tree | 03d63dd6a3ca1668a444b077570ebda5ac3ec367 | |
| parent | 10198311a8a4f4d32988f0cce7d75b7e34f5ad38 (diff) | |
| download | php-git-0197082b8eb9e7eac8b06af0e92c7e2f43e2afa6.tar.gz | |
add test for bug #68976
| -rw-r--r-- | ext/standard/tests/serialize/bug68976.phpt | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/ext/standard/tests/serialize/bug68976.phpt b/ext/standard/tests/serialize/bug68976.phpt new file mode 100644 index 0000000000..a79a953a4a --- /dev/null +++ b/ext/standard/tests/serialize/bug68976.phpt @@ -0,0 +1,37 @@ +--TEST-- +Bug #68976 Use After Free Vulnerability in unserialize() +--FILE-- +<?php +class evilClass { + public $name; + function __wakeup() { + unset($this->name); + } +} + +$fakezval = pack( + 'IIII', + 0x00100000, + 0x00000400, + 0x00000000, + 0x00000006 +); + +$data = unserialize('a:2:{i:0;O:9:"evilClass":1:{s:4:"name";a:2:{i:0;i:1;i:1;i:2;}}i:1;R:4;}'); + +for($i = 0; $i < 5; $i++) { + $v[$i] = $fakezval.$i; +} + +var_dump($data); +?> +===DONE=== +--EXPECTF-- +array(2) { + [0]=> + object(evilClass)#1 (0) { + } + [1]=> + int(1) +} +===DONE=== |