PHP  
 PHP_7_2

Expected Test Failure Report for ext/standard/tests/serialize/bug70219.phpt ('Bug #70219 Use after free vulnerability in session deserializer')

Script

1: <?php
2: class obj implements Serializable {
3:     var $data;
4:     function serialize() {
5:         return serialize($this->data);
6:     }
7:     function unserialize($data) {
8:         session_start();
9:         session_decode($data);
10:     }
11: }
12:
13: $inner = 'ryat|a:1:{i:0;a:1:{i:1;';
14: $exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;R:4;}';
15:
16: $data = unserialize($exploit);
17:
18: for ($i = 0; $i < 5; $i++) {
19:     $v[$i] = 'hi'.$i;
20: }
21:
22: var_dump($data);
23: ?>

Expected

Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d
array(2) {
  [0]=>
  object(obj)#%d (1) {
    ["data"]=>
    NULL
  }
  [1]=>
  &array(1) {
    ["data"]=>
    NULL
  }
}

Output

Warning: session_decode(): Failed to decode session object. Session has been destroyed in /var/php_gcov/PHP_7_2/ext/standard/tests/serialize/bug70219.php on line 9

Notice: unserialize(): Error at offset 55 of 56 bytes in /var/php_gcov/PHP_7_2/ext/standard/tests/serialize/bug70219.php on line 16
bool(false)

Diff

002+ 
003+ Notice: unserialize(): Error at offset 55 of 56 bytes in /var/php_gcov/PHP_7_2/ext/standard/tests/serialize/bug70219.php on line 16
004+ bool(false)
002- array(2) {
003-   [0]=>
004-   object(obj)#%d (1) {
005-     ["data"]=>
006-     NULL
007-   }
008-   [1]=>
009-   &array(1) {
010-     ["data"]=>
011-     NULL
012-   }
013- }

 

Generated at Sat, 09 Dec 2017 10:21:20 +0000 (2 days ago)

Copyright © 2005-2017 The PHP Group
All rights reserved.