| Server IP : 79.136.114.73 / Your IP : 216.73.216.25 Web Server : Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.29 OpenSSL/1.0.1f System : Linux b8009 3.13.0-170-generic #220-Ubuntu SMP Thu May 9 12:40:49 UTC 2019 x86_64 User : www-data ( 33) PHP Version : 5.5.9-1ubuntu4.29 Disable Function : pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority, MySQL : ON | cURL : ON | WGET : ON | Perl : ON | Python : ON | Sudo : ON | Pkexec : ON Directory : /proc/self/root/home/b8009/php-5.6.22/ext/wddx/tests/ |
Upload File : |
--TEST--
Bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization)
--SKIPIF--
<?php
if (!extension_loaded("wddx")) print "skip";
?>
--FILE--
<?php
$fakezval = ptr2str(1122334455);
$fakezval .= ptr2str(0);
$fakezval .= "\x00\x00\x00\x00";
$fakezval .= "\x01";
$fakezval .= "\x00";
$fakezval .= "\x00\x00";
$x = <<<EOT
<?xml version='1.0'?>
<wddxPacket version='1.0'>
<header/>
<data>
<struct>
<recordset rowCount='1' fieldNames='ryat'>
<field name='ryat'>
<var name='php_class_name'>
<string>stdClass</string>
</var>
<null/>
</field>
</recordset>
</struct>
</data>
</wddxPacket>
EOT;
$y = wddx_deserialize($x);
for ($i = 0; $i < 5; $i++) {
$v[$i] = $fakezval.$i;
}
var_dump($y);
function ptr2str($ptr)
{
$out = '';
for ($i = 0; $i < 8; $i++) {
$out .= chr($ptr & 0xff);
$ptr >>= 8;
}
return $out;
}
?>
DONE
--EXPECTF--
array(1) {
[0]=>
array(1) {
["ryat"]=>
array(2) {
["php_class_name"]=>
string(8) "stdClass"
[0]=>
NULL
}
}
}
DONE