mirror of
https://github.com/php/php-src.git
synced 2024-09-23 19:07:26 +00:00
add test for bug #68976
This commit is contained in:
Stanislav Malyshev
parent
8a8264a29a
commit
63c9f830b1
37
ext/standard/tests/serialize/bug68976.phpt
Normal file
37
ext/standard/tests/serialize/bug68976.phpt
Normal file
@ -0,0 +1,37 @@
|
||||
--TEST--
|
||||
Bug #68976 Use After Free Vulnerability in unserialize()
|
||||
--FILE--
|
||||
<?php
|
||||
class evilClass {
|
||||
public $name;
|
||||
function __wakeup() {
|
||||
unset($this->name);
|
||||
}
|
||||
}
|
||||
|
||||
$fakezval = pack(
|
||||
'IIII',
|
||||
0x00100000,
|
||||
0x00000400,
|
||||
0x00000000,
|
||||
0x00000006
|
||||
);
|
||||
|
||||
$data = unserialize('a:2:{i:0;O:9:"evilClass":1:{s:4:"name";a:2:{i:0;i:1;i:1;i:2;}}i:1;R:4;}');
|
||||
|
||||
for($i = 0; $i < 5; $i++) {
|
||||
$v[$i] = $fakezval.$i;
|
||||
}
|
||||
|
||||
var_dump($data);
|
||||
?>
|
||||
===DONE===
|
||||
--EXPECTF--
|
||||
array(2) {
|
||||
[0]=>
|
||||
object(evilClass)#1 (0) {
|
||||
}
|
||||
[1]=>
|
||||
int(1)
|
||||
}
|
||||
===DONE===
|
||||
Loading…
Reference in New Issue
Block a user