add test for bug #68976

author: Stanislav Malyshev <stas@php.net> 2015-03-17 17:03:46 -0700
committer: Stanislav Malyshev <stas@php.net> 2015-03-17 17:16:15 -0700
commit: 63c9f830b1aa8afc9748381fb407fde64ac8d301 (patch)
tree: f3a2cfab19f585a04e87b2ac913a1dd80815afc3 /ext
parent: 8a8264a29a9921c93a3ef767cd50e2da10484021 (diff)
download: php-git-63c9f830b1aa8afc9748381fb407fde64ac8d301.tar.gz
1 files changed, 37 insertions, 0 deletions
diff --git a/ext/standard/tests/serialize/bug68976.phpt b/ext/standard/tests/serialize/bug68976.phpt
new file mode 100644
index 0000000000..a79a953a4a
--- /dev/null
+++ b/ext/standard/tests/serialize/bug68976.phpt
@@ -0,0 +1,37 @@
+--TEST--
+Bug #68976 Use After Free Vulnerability in unserialize()
+--FILE--
+<?php
+class evilClass {
+	public $name;
+	function __wakeup() {
+		unset($this->name);
+	}
+}
+
+$fakezval = pack(
+    'IIII',
+    0x00100000,
+    0x00000400,
+    0x00000000,
+    0x00000006 
+);
+
+$data = unserialize('a:2:{i:0;O:9:"evilClass":1:{s:4:"name";a:2:{i:0;i:1;i:1;i:2;}}i:1;R:4;}');
+
+for($i = 0; $i < 5; $i++) {
+    $v[$i] = $fakezval.$i;
+}
+
+var_dump($data);
+?>
+===DONE===
+--EXPECTF--
+array(2) {
+  [0]=>
+  object(evilClass)#1 (0) {
+  }
+  [1]=>
+  int(1)
+}
+===DONE===
author	Stanislav Malyshev <stas@php.net>	2015-03-17 17:03:46 -0700
committer	Stanislav Malyshev <stas@php.net>	2015-03-17 17:16:15 -0700
commit	63c9f830b1aa8afc9748381fb407fde64ac8d301 (patch)
tree	f3a2cfab19f585a04e87b2ac913a1dd80815afc3 /ext
parent	8a8264a29a9921c93a3ef767cd50e2da10484021 (diff)
download	php-git-63c9f830b1aa8afc9748381fb407fde64ac8d301.tar.gz