MFH: Invalid string causes segfault within json_decode()

author Scott MacVicar <scottmac@php.net>

Fri, 19 Dec 2008 02:13:41 +0000 (02:13 +0000)

committer Scott MacVicar <scottmac@php.net>

Fri, 19 Dec 2008 02:13:41 +0000 (02:13 +0000)
author Scott MacVicar <scottmac@php.net>
Fri, 19 Dec 2008 02:13:41 +0000 (02:13 +0000)
committer Scott MacVicar <scottmac@php.net>
Fri, 19 Dec 2008 02:13:41 +0000 (02:13 +0000)
diff --git a/NEWS b/NEWS

index 8d20880d7a09cc2021e92bd5d42f8d22784e17e4..46fea173c74fb15277daad574c97b854a6b99d5a 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,8 @@ PHP                                                                        NEWS
    correctly with a non truecolour image, reported by Hamid Ebadi, APA Laboratory.
    (Fixes CVE-2008-5498) (Scott)
  
+- Fixed segfault when malformed string passed to json_decode(). (Scott)
+
  - Fixed bug #46889 (Memory leak in strtotime()). (Derick)
  - Fixed bug #46887 (Invalid calls to php_error_docref()).
    (oeriksson at mandriva dot com, Ilia)
diff --git a/ext/json/JSON_parser.c b/ext/json/JSON_parser.c

index 972821a6e1cf605b5cd7b2a554260679698e9fe6..a88dde9fa78e2dfcc3df8deeaab146d4dfd74a03 100644 (file)
--- a/ext/json/JSON_parser.c
+++ b/ext/json/JSON_parser.c
@@ -494,9 +494,7 @@ JSON_parser(zval *z, unsigned short p[], int length, int assoc TSRMLS_DC)
      }
  */
              case -7:
-                if (type != -1 &&
-                    (JSON(the_stack)[JSON(the_top)] == MODE_OBJECT ||
-                     JSON(the_stack)[JSON(the_top)] == MODE_ARRAY))
+                if (type != -1 && JSON(the_stack)[JSON(the_top)] == MODE_OBJECT)
                  {
                      zval *mval;
                      smart_str_0(&buf);
@@ -566,9 +564,7 @@ JSON_parser(zval *z, unsigned short p[], int length, int assoc TSRMLS_DC)
  */
              case -5:
              {
-                if (type != -1 &&
-                    (JSON(the_stack)[JSON(the_top)] == MODE_OBJECT ||
-                     JSON(the_stack)[JSON(the_top)] == MODE_ARRAY))
+                if (type != -1 && JSON(the_stack)[JSON(the_top)] == MODE_ARRAY)
                  {
                      zval *mval;
                      smart_str_0(&buf);
diff --git a/ext/json/tests/001.phpt b/ext/json/tests/001.phpt

index 4c9f918b4888786c003d041bf0e345103679bb2f..fc687f28ca82fa49543afdc586c84ad23b9441fe 100644 (file)
--- a/ext/json/tests/001.phpt
+++ b/ext/json/tests/001.phpt
@@ -16,6 +16,7 @@ var_dump(json_decode(";"));
  var_dump(json_decode("руссиш"));
  var_dump(json_decode("blah"));
  var_dump(json_decode(NULL));
+var_dump(json_decode('[1}'));
  var_dump(json_decode('{ "test": { "foo": "bar" } }'));
  var_dump(json_decode('{ "test": { "foo": "" } }'));
  var_dump(json_decode('{ "": { "foo": "" } }'));
@@ -38,6 +39,7 @@ string(1) ";"
  string(12) "руссиш"
  string(4) "blah"
  NULL
+NULL
  object(stdClass)#1 (1) {
    ["test"]=>
    object(stdClass)#2 (1) {
author	Scott MacVicar <scottmac@php.net>
	Fri, 19 Dec 2008 02:13:41 +0000 (02:13 +0000)
committer	Scott MacVicar <scottmac@php.net>
	Fri, 19 Dec 2008 02:13:41 +0000 (02:13 +0000)
NEWS		patch \| blob \| history
ext/json/JSON_parser.c		patch \| blob \| history
ext/json/tests/001.phpt		patch \| blob \| history