Update UAF tests that relied on serializing SNMP and ZipArchive

iliaal · iliaal · commit b668c21a67d9 · 2026-04-09T15:04:30.000-04:00
bug72479.phpt and bug72434.phpt tested UAF vulnerabilities through
unserialize(). With NOT_SERIALIZABLE, unserialize() rejects these
classes entirely, preventing the UAF by construction. Update tests
to verify the rejection.
diff --git a/ext/snmp/tests/bug72479.phpt b/ext/snmp/tests/bug72479.phpt
@@ -10,28 +10,12 @@ require_once(__DIR__.'/skipif.inc');
 <?php
 $arr = [1, [1, 2, 3, 4, 5], 3, 4, 5];
 $poc = 'a:3:{i:1;N;i:2;O:4:"snmp":1:{s:11:"quick_print";'.serialize($arr).'}i:1;R:7;}';
-$out = unserialize($poc);
-gc_collect_cycles();
-$fakezval = ptr2str(1122334455);
-$fakezval .= ptr2str(0);
-$fakezval .= "\x00\x00\x00\x00";
-$fakezval .= "\x01";
-$fakezval .= "\x00";
-$fakezval .= "\x00\x00";
-for ($i = 0; $i < 5; $i++) {
-    $v[$i] = $fakezval.$i;
-}
-var_dump($out[1]);
-
-function ptr2str($ptr)
-{
-    $out = '';
-    for ($i = 0; $i < 8; $i++) {
-        $out .= chr($ptr & 0xff);
-        $ptr >>= 8;
-    }
-    return $out;
+try {
+    $out = unserialize($poc);
+    var_dump($out);
+} catch (Exception $e) {
+    echo $e->getMessage() . "\n";
 }
 ?>
 --EXPECT--
-int(1)
+Unserialization of 'SNMP' is not allowed
diff --git a/ext/standard/tests/strings/bug72434.phpt b/ext/standard/tests/strings/bug72434.phpt
@@ -1,29 +1,17 @@
 --TEST--
 Bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
+--EXTENSIONS--
+zip
 --FILE--
 <?php
-// The following array will be serialized and this representation will be freed later on.
 $free_me = array(new StdClass());
-// Create our payload and unserialize it.
 $serialized_payload = 'a:3:{i:1;N;i:2;O:10:"ZipArchive":1:{s:8:"filename";'.serialize($free_me).'}i:1;R:4;}';
-$unserialized_payload = unserialize($serialized_payload);
-gc_collect_cycles();
-// The reference counter for $free_me is at -1 for PHP 7 right now.
-// Increment the reference counter by 1 -> rc is 0
-$a = $unserialized_payload[1];
-// Increment the reference counter by 1 again -> rc is 1
-$b = $a;
-// Trigger free of $free_me (referenced by $m[1]).
-unset($b);
-$fill_freed_space_1 = "filler_zval_1";
-$fill_freed_space_2 = "filler_zval_2";
-$fill_freed_space_3 = "filler_zval_3";
-$fill_freed_space_4 = "filler_zval_4";
-debug_zval_dump($unserialized_payload[1]);
-?>
---EXPECTF--
-array(1) refcount(3){
-  [0]=>
-  object(stdClass)#%d (0) refcount(1){
-  }
+try {
+    $unserialized_payload = unserialize($serialized_payload);
+    var_dump($unserialized_payload);
+} catch (Exception $e) {
+    echo $e->getMessage() . "\n";
 }
+?>
+--EXPECT--
+Unserialization of 'ZipArchive' is not allowed
