Diffstat (limited to 'ext/snmp/tests/bug72479.phpt')
-rw-r--r-- | ext/snmp/tests/bug72479.phpt | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/ext/snmp/tests/bug72479.phpt b/ext/snmp/tests/bug72479.phpt
new file mode 100644
index 0000000000..0308754360
--- /dev/null
+++ b/ext/snmp/tests/bug72479.phpt
@@ -0,0 +1,35 @@
+--TEST--
+Bug #72479: Use After Free Vulnerability in SNMP with GC and unserialize()
+--SKIPIF--
+<?php
+require_once(dirname(__FILE__).'/skipif.inc');
+?>
+--FILE--
+<?php
+$arr = [1, [1, 2, 3, 4, 5], 3, 4, 5];
+$poc = 'a:3:{i:1;N;i:2;O:4:"snmp":1:{s:11:"quick_print";'.serialize($arr).'}i:1;R:7;}';
+$out = unserialize($poc);
+gc_collect_cycles();
+$fakezval = ptr2str(1122334455);
+$fakezval .= ptr2str(0);
+$fakezval .= "\x00\x00\x00\x00";
+$fakezval .= "\x01";
+$fakezval .= "\x00";
+$fakezval .= "\x00\x00";
+for ($i = 0; $i < 5; $i++) {
+ $v[$i] = $fakezval.$i;
+}
+var_dump($out[1]);
+
+function ptr2str($ptr)
+{
+ $out = '';
+ for ($i = 0; $i < 8; $i++) {
+ $out .= chr($ptr & 0xff);
+ $ptr >>= 8;
+ }
+ return $out;
+}
+?>
+--EXPECT--
+int(1)
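Review bot: The fake-zval spray in this regression test hard-codes a 64-bit layout — `ptr2str()` always emits 8 bytes and the trailing `"\x00\x00\x00\x00" . "\x01" . "\x00" . "\x00\x00"` tail presumably pads to a 64-bit zval — so on a 32-bit build the sprayed strings will not line up with the freed slot and the test can pass without actually exercising the use-after-free, with nothing in the file recording that. At minimum the assumption should be stated next to the spray, e.g. `// Heap spray: 16-byte fake zvals (64-bit layout) reoccupy the slot freed by GC so a dangling read yields a detectable value instead of silent UB`, and the loop bound in `ptr2str` could be `PHP_INT_SIZE` rather than the literal `8` so the pointer width at least follows the platform. It would also help a future maintainer to document why `--EXPECT--` is `int(1)`: `$out[1]` is the `R:7;` back-reference in the payload, and the test only proves the fix if an unfixed build would have printed the sprayed garbage or crashed here, which the file does not say. The SKIPIF block skips only on missing SNMP support; if the test is deliberately 64-bit-only, a `PHP_INT_SIZE != 8` skip there would make that explicit.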
\ No newline at end of file |