Fixed bug #72170 (JsonSerializable may inc apply count without dec it)

I don't want use zend_try here, but seems I have no choice :<

diff --git a/NEWS b/NEWS
index fb88681b07823c7d2f62b002e15954fd15c23dd3..387822883658d8935b8b9ec91953ab2696cc0c86 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -24,6 +24,8 @@ PHP                                                                        NEWS
   . Fixed bug #72157 (use-after-free caused by dba_open). (Shm, Laruence)
 
 - JSON:
+  . Fixed bug #72170 (JsonSerializable may inc apply count without dec it).
+    (Laruence)
   . Fixed bug #72069 (Behavior \JsonSerializable different from json_encode).
     (Laruence)
 

diff --git a/ext/json/json_encoder.c b/ext/json/json_encoder.c
index ae9e086fc05b54fe5755bc2705fa0644d8e34bc7..58ea67a04ad441c3c557d5dcd5f04115f8a3a916 100644 (file)
--- a/ext/json/json_encoder.c
+++ b/ext/json/json_encoder.c
@@ -157,26 +157,8 @@ static void php_json_encode_array(smart_str *buf, zval *val, int options) /* {{{
                                ZEND_HASH_INC_APPLY_COUNT(tmp_ht);
                        }
 
-                       if (r == PHP_JSON_OUTPUT_ARRAY) {
-                               if (need_comma) {
-                                       smart_str_appendc(buf, ',');
-                               } else {
-                                       need_comma = 1;
-                               }
-
-                               php_json_pretty_print_char(buf, options, '\n');
-                               php_json_pretty_print_indent(buf, options);
-                               php_json_encode(buf, data, options);
-                       } else if (r == PHP_JSON_OUTPUT_OBJECT) {
-                               if (key) {
-                                       if (ZSTR_VAL(key)[0] == '\0' && Z_TYPE_P(val) == IS_OBJECT) {
-                                               /* Skip protected and private members. */
-                                               if (tmp_ht && ZEND_HASH_APPLY_PROTECTION(tmp_ht)) {
-                                                       ZEND_HASH_DEC_APPLY_COUNT(tmp_ht);
-                                               }
-                                               continue;
-                                       }
-
+                       zend_try {
+                               if (r == PHP_JSON_OUTPUT_ARRAY) {
                                        if (need_comma) {
                                                smart_str_appendc(buf, ',');
                                        } else {
@@ -185,33 +167,58 @@ static void php_json_encode_array(smart_str *buf, zval *val, int options) /* {{{
 
                                        php_json_pretty_print_char(buf, options, '\n');
                                        php_json_pretty_print_indent(buf, options);
+                                       php_json_encode(buf, data, options);
+                               } else if (r == PHP_JSON_OUTPUT_OBJECT) {
+                                       if (key) {
+                                               if (ZSTR_VAL(key)[0] == '\0' && Z_TYPE_P(val) == IS_OBJECT) {
+                                                       /* Skip protected and private members. */
+                                                       if (tmp_ht && ZEND_HASH_APPLY_PROTECTION(tmp_ht)) {
+                                                               ZEND_HASH_DEC_APPLY_COUNT(tmp_ht);
+                                                       }
+                                                       continue;
+                                               }
 
-                                       php_json_escape_string(buf, ZSTR_VAL(key), ZSTR_LEN(key), options & ~PHP_JSON_NUMERIC_CHECK);
-                                       smart_str_appendc(buf, ':');
+                                               if (need_comma) {
+                                                       smart_str_appendc(buf, ',');
+                                               } else {
+                                                       need_comma = 1;
+                                               }
 
-                                       php_json_pretty_print_char(buf, options, ' ');
+                                               php_json_pretty_print_char(buf, options, '\n');
+                                               php_json_pretty_print_indent(buf, options);
 
-                                       php_json_encode(buf, data, options);
-                               } else {
-                                       if (need_comma) {
-                                               smart_str_appendc(buf, ',');
+                                               php_json_escape_string(buf, ZSTR_VAL(key), ZSTR_LEN(key), options & ~PHP_JSON_NUMERIC_CHECK);
+                                               smart_str_appendc(buf, ':');
+
+                                               php_json_pretty_print_char(buf, options, ' ');
+
+                                               php_json_encode(buf, data, options);
                                        } else {
-                                               need_comma = 1;
-                                       }
+                                               if (need_comma) {
+                                                       smart_str_appendc(buf, ',');
+                                               } else {
+                                                       need_comma = 1;
+                                               }
 
-                                       php_json_pretty_print_char(buf, options, '\n');
-                                       php_json_pretty_print_indent(buf, options);
+                                               php_json_pretty_print_char(buf, options, '\n');
+                                               php_json_pretty_print_indent(buf, options);
 
-                                       smart_str_appendc(buf, '"');
-                                       smart_str_append_long(buf, (zend_long) index);
-                                       smart_str_appendc(buf, '"');
-                                       smart_str_appendc(buf, ':');
+                                               smart_str_appendc(buf, '"');
+                                               smart_str_append_long(buf, (zend_long) index);
+                                               smart_str_appendc(buf, '"');
+                                               smart_str_appendc(buf, ':');
 
-                                       php_json_pretty_print_char(buf, options, ' ');
+                                               php_json_pretty_print_char(buf, options, ' ');
 
-                                       php_json_encode(buf, data, options);
+                                               php_json_encode(buf, data, options);
+                                       }
                                }
-                       }
+                       } zend_catch {
+                               if (tmp_ht && ZEND_HASH_APPLY_PROTECTION(tmp_ht)) {
+                                       ZEND_HASH_DEC_APPLY_COUNT(tmp_ht);
+                               }
+                               zend_bailout();
+                       } zend_end_try();
 
                        if (tmp_ht && ZEND_HASH_APPLY_PROTECTION(tmp_ht)) {
                                ZEND_HASH_DEC_APPLY_COUNT(tmp_ht);

diff --git a/ext/json/tests/bug72170.phpt b/ext/json/tests/bug72170.phpt
new file mode 100644 (file)
index 0000000..a7c25c2
--- /dev/null
+++ b/ext/json/tests/bug72170.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Bug #72170 (JsonSerializable may inc apply count without dec it)
+--SKIPIF--
+<?php if (!extension_loaded("json")) print "skip"; ?>
+--FILE--
+<?php
+
+class Dummy implements JsonSerializable{
+       public function jsonSerialize() {
+               global $flag;
+               if ($flag) {
+                       exit;
+               } else {
+                       return "okey";
+               }
+       }
+}
+
+$array = array();
+$array[] = new Dummy;
+
+register_shutdown_function(function() use($array) {
+       global $flag;
+       $flag = 0;
+       var_dump(json_encode(array($array)));
+});
+
+$flag = 1;
+json_encode(array($array));
+?>
+--EXPECT--
+string(10) "[["okey"]]"