diff options
| author | Stanislav Malyshev <stas@php.net> | 2015-03-17 17:03:46 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2015-03-17 17:16:15 -0700 |
| commit | 63c9f830b1aa8afc9748381fb407fde64ac8d301 (patch) | |
| tree | f3a2cfab19f585a04e87b2ac913a1dd80815afc3 | |
| parent | 8a8264a29a9921c93a3ef767cd50e2da10484021 (diff) | |
| download | php-git-63c9f830b1aa8afc9748381fb407fde64ac8d301.tar.gz | |
add test for bug #68976
| -rw-r--r-- | ext/standard/tests/serialize/bug68976.phpt | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/ext/standard/tests/serialize/bug68976.phpt b/ext/standard/tests/serialize/bug68976.phpt new file mode 100644 index 0000000000..a79a953a4a --- /dev/null +++ b/ext/standard/tests/serialize/bug68976.phpt @@ -0,0 +1,37 @@ +--TEST-- +Bug #68976 Use After Free Vulnerability in unserialize() +--FILE-- +<?php +class evilClass { + public $name; + function __wakeup() { + unset($this->name); + } +} + +$fakezval = pack( + 'IIII', + 0x00100000, + 0x00000400, + 0x00000000, + 0x00000006 +); + +$data = unserialize('a:2:{i:0;O:9:"evilClass":1:{s:4:"name";a:2:{i:0;i:1;i:1;i:2;}}i:1;R:4;}'); + +for($i = 0; $i < 5; $i++) { + $v[$i] = $fakezval.$i; +} + +var_dump($data); +?> +===DONE=== +--EXPECTF-- +array(2) { + [0]=> + object(evilClass)#1 (0) { + } + [1]=> + int(1) +} +===DONE=== |