From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 10 Jul 2019 09:04:48 +0000 (+0200)
Subject: Simplify two unserialize() tests
X-Git-Tag: php-7.4.0beta1~183
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0c450967e14be4392551c32b2bdd807374aa10be;p=php

Simplify two unserialize() tests

unserialize() returns false for these now, so it doesn't make sense
to try and do something with the result.
---

diff --git a/ext/standard/tests/strings/bug72433.phpt b/ext/standard/tests/strings/bug72433.phpt
index 534b1e6ac6..f311022500 100644
--- a/ext/standard/tests/strings/bug72433.phpt
+++ b/ext/standard/tests/strings/bug72433.phpt
@@ -2,22 +2,9 @@
 Bug #72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize
 --FILE--
 <?php
-// Fill any potential freed spaces until now.
-$filler = array();
-for($i = 0; $i < 100; $i++)
-	$filler[] = "";
-// Create our payload and unserialize it.
 $serialized_payload = 'a:3:{i:0;r:1;i:1;r:1;i:2;C:11:"ArrayObject":19:{x:i:0;r:1;;m:a:0:{}}}';
-$free_me = unserialize($serialized_payload);
-// We need to increment the reference counter of our ArrayObject s.t. all reference counters of our unserialized array become 0.
-$inc_ref_by_one = $free_me[2];
-// The call to gc_collect_cycles will free '$free_me'.
-gc_collect_cycles();
-// We now have multiple freed spaces. Fill all of them.
-$fill_freed_space_1 = "filler_zval_1";
-$fill_freed_space_2 = "filler_zval_2";
-var_dump($free_me);
+var_dump(unserialize($serialized_payload));
 ?>
 --EXPECTF--
-Notice: unserialize(): Error at offset %d of %d bytes in %sbug72433.php on line 8
+Notice: unserialize(): Error at offset %d of %d bytes in %sbug72433.php on line 3
 bool(false)
diff --git a/ext/standard/tests/strings/bug72663.phpt b/ext/standard/tests/strings/bug72663.phpt
index ec16e069ff..c9abd51b08 100644
--- a/ext/standard/tests/strings/bug72663.phpt
+++ b/ext/standard/tests/strings/bug72663.phpt
@@ -15,8 +15,7 @@ class obj implements Serializable {
 $inner = 'a:1:{i:0;O:9:"Exception":2:{s:7:"'."\0".'*'."\0".'file";R:4;}';
 $exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;R:4;}';
 
-$data = unserialize($exploit);
-echo $data[1];
+var_dump(unserialize($exploit));
 ?>
 DONE
 --EXPECTF--
@@ -25,4 +24,5 @@ Notice: unserialize(): Unexpected end of serialized data in %sbug72663.php on li
 Notice: unserialize(): Error at offset 46 of 47 bytes in %sbug72663.php on line %d
 
 Notice: unserialize(): Error at offset 79 of 80 bytes in %sbug72663.php on line %d
+bool(false)
 DONE