--- /dev/null
+--TEST--
+__wakeup should be able to add dynamic properties without affecting other dynamic properties
+--FILE--
+<?php
+
+class Obj {
+ // Testing $this->a being a dynamic property.
+
+ function __construct($a) {
+ $this->a = $a;
+ }
+
+ public function __wakeup() {
+ echo "Calling __wakeup\n";
+ for ($i = 0; $i < 10000; $i++) {
+ $this->{'b' . $i} = 42;
+ }
+ }
+}
+
+function main() {
+ $obj = new stdClass();
+ $obj->test = 'foo';
+ $variable = [new Obj($obj), new Obj($obj)];
+ $serialized = serialize($variable);
+ printf("%s\n", $serialized);
+ $unserialized = unserialize($serialized);
+ for ($i = 0; $i < 10000; $i++) {
+ if ($unserialized[0]->{'b' . $i} !== 42) {
+ echo "Fail 0 b$i\n";
+ return;
+ }
+ if ($unserialized[1]->{'b' . $i} !== 42) {
+ echo "Fail 1 b$i\n";
+ return;
+ }
+ unset($unserialized[0]->{'b' . $i});
+ unset($unserialized[1]->{'b' . $i});
+ }
+ var_dump($unserialized);
+}
+main();
+--EXPECTF--
+a:2:{i:0;O:3:"Obj":1:{s:1:"a";O:8:"stdClass":1:{s:4:"test";s:3:"foo";}}i:1;O:3:"Obj":1:{s:1:"a";r:3;}}
+Calling __wakeup
+Calling __wakeup
+array(2) {
+ [0]=>
+ object(Obj)#%d (1) {
+ ["a"]=>
+ object(stdClass)#%d (1) {
+ ["test"]=>
+ string(3) "foo"
+ }
+ }
+ [1]=>
+ object(Obj)#%d (1) {
+ ["a"]=>
+ object(stdClass)#%d (1) {
+ ["test"]=>
+ string(3) "foo"
+ }
+ }
+}
--- /dev/null
+--TEST--
+__wakeup can replace a copy of the object referring to the root node.
+--FILE--
+<?php
+/* This bug never happened, but adding this test to make sure that further changes to unserialize don't allow freeing the root in __wakeup. */
+class Obj {
+ function __construct($a) {
+ $this->a = $a;
+ }
+
+ public function __wakeup() {
+ echo "Calling __wakeup\n";
+ $this->a = "replaced";
+ }
+}
+
+$a = new stdClass();
+$a->obj = new Obj($a);;
+$serialized = serialize($a);
+printf("%s\n", $serialized);
+$unserialized = unserialize($serialized);
+var_dump($unserialized);
+--EXPECTF--
+O:8:"stdClass":1:{s:3:"obj";O:3:"Obj":1:{s:1:"a";r:1;}}
+Calling __wakeup
+object(stdClass)#%d (1) {
+ ["obj"]=>
+ object(Obj)#%d (1) {
+ ["a"]=>
+ string(8) "replaced"
+ }
+}
--- /dev/null
+--TEST--
+__wakeup should be able to modify dynamic properties without affecting copies of those properties
+--FILE--
+<?php
+
+class Obj {
+ // Testing $this->a being a dynamic property.
+
+ function __construct($a) {
+ $this->a = $a;
+ }
+
+ public function __wakeup() {
+ echo "Calling __wakeup " . json_encode($this->a) . "\n";
+ $this->a = "roh";
+ }
+}
+
+function main() {
+ $obj = new stdClass();
+ $obj->c = null;
+ $variable = [new Obj($obj), new Obj($obj), $obj];
+ $serialized = serialize($variable);
+ printf("%s\n", $serialized);
+ $unserialized = unserialize($serialized);
+ var_dump($unserialized);
+}
+main();
+--EXPECTF--
+a:3:{i:0;O:3:"Obj":1:{s:1:"a";O:8:"stdClass":1:{s:1:"c";N;}}i:1;O:3:"Obj":1:{s:1:"a";r:3;}i:2;r:3;}
+Calling __wakeup {"c":null}
+Calling __wakeup {"c":null}
+array(3) {
+ [0]=>
+ object(Obj)#%d (1) {
+ ["a"]=>
+ string(3) "roh"
+ }
+ [1]=>
+ object(Obj)#%d (1) {
+ ["a"]=>
+ string(3) "roh"
+ }
+ [2]=>
+ object(stdClass)#%d (1) {
+ ["c"]=>
+ NULL
+ }
+}
--- /dev/null
+--TEST--
+Bug #73092: Unserialize use-after-free when resizing object's properties hash table
+--FILE--
+<?php
+
+class foo {
+ function __wakeup() {
+ $this->{'x'} = 1;
+ }
+}
+
+unserialize('a:3:{i:0;O:3:"foo":8:{i:0;i:0;i:1;i:1;i:2;i:2;i:3;i:3;i:4;i:4;i:5;i:5;i:6;i:6;i:7;i:7;}i:1;s:263:"'.str_repeat("\06", 263).'";i:2;r:3;}');
+
+?>
+===DONE===
+--EXPECT--
+===DONE===
--- /dev/null
+--TEST--
+Bug #73092: Unserialize use-after-free when resizing object's properties hash table (2)
+--FILE--
+<?php
+class foo {
+ public $x;
+ function __wakeup() {
+ var_dump($this->x);
+ }
+}
+
+unserialize('a:3:{i:0;O:3:"foo":1:{s:1:"x";O:12:"DateInterval":1:{i:0;i:0;}}i:1;s:263:"'.str_repeat("\06", 263).'";i:2;r:4;}}');
+
+?>
+--EXPECTF--
+object(DateInterval)#%d (16) {
+ ["0"]=>
+ int(0)
+ ["y"]=>
+ int(-1)
+ ["m"]=>
+ int(-1)
+ ["d"]=>
+ int(-1)
+ ["h"]=>
+ int(-1)
+ ["i"]=>
+ int(-1)
+ ["s"]=>
+ int(-1)
+ ["weekday"]=>
+ int(-1)
+ ["weekday_behavior"]=>
+ int(-1)
+ ["first_last_day_of"]=>
+ int(-1)
+ ["invert"]=>
+ int(0)
+ ["days"]=>
+ int(-1)
+ ["special_type"]=>
+ int(0)
+ ["special_amount"]=>
+ int(-1)
+ ["have_weekday_relative"]=>
+ int(0)
+ ["have_special_relative"]=>
+ int(0)
+}
--- /dev/null
+--TEST--
+Bug #73367: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization
+--FILE--
+<?php
+
+class obj {
+ var $ryat;
+ function __wakeup() {
+ $this->ryat = null;
+ echo "wakeup\n";
+ throw new Exception("Not a serializable object");
+ }
+ function __destruct() {
+ echo "dtor\n";
+ if ($this->ryat == 1) {
+ echo "dtor ryat==1\n";
+ }
+ }
+}
+
+$poc = 'O:3:"obj":2:{s:4:"ryat";i:1;i:0;O:3:"obj":1:{s:4:"ryat";R:1;}}';
+try {
+ unserialize($poc);
+} catch (Exception $e) {
+ echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+wakeup
+Not a serializable object
--- /dev/null
+--TEST--
+Bug #73367: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization (2)
+--FILE--
+<?php
+
+class obj {
+ var $ryat;
+ function __wakeup() {
+ $this->ryat = null;
+ $this->foo = 'bar'; // $this should still be live here
+ echo "wakeup\n";
+ }
+}
+
+$poc = 'O:3:"obj":2:{s:4:"ryat";i:1;i:0;O:3:"obj":1:{s:4:"ryat";R:1;}}';
+unserialize($poc);
+
+?>
+--EXPECT--
+wakeup
+wakeup
projects / php / commitdiff