2016-09-26 02:53:59 +00:00
|
|
|
--TEST--
|
|
|
|
Bug #73147: Use After Free in PHP7 unserialize()
|
|
|
|
--SKIPIF--
|
|
|
|
<?php
|
|
|
|
if (!extension_loaded("curl")) {
|
|
|
|
exit("skip curl extension not loaded");
|
|
|
|
}
|
|
|
|
?>
|
|
|
|
--FILE--
|
|
|
|
<?php
|
|
|
|
|
|
|
|
$poc = 'a:1:{i:0;O:8:"CURLFile":1:{s:4:"name";R:1;}}';
|
|
|
|
try {
|
2018-11-26 12:20:51 +00:00
|
|
|
var_dump(unserialize($poc));
|
2016-09-26 02:53:59 +00:00
|
|
|
} catch(Exception $e) {
|
2018-11-26 12:20:51 +00:00
|
|
|
echo $e->getMessage();
|
2016-09-26 02:53:59 +00:00
|
|
|
}
|
|
|
|
?>
|
2018-11-26 12:20:51 +00:00
|
|
|
--EXPECTF--
|
|
|
|
Warning: Erroneous data format for unserializing 'CURLFile' in %s on line %d
|
|
|
|
|
|
|
|
Notice: unserialize(): Error at offset 27 of 44 bytes in %s on line %d
|
|
|
|
bool(false)
|