Fix possible overflow in json scanner utf8_invalid_count

author Jakub Zelenka <bukka@php.net>

Thu, 10 Aug 2017 18:40:02 +0000 (19:40 +0100)

committer Jakub Zelenka <bukka@php.net>

Thu, 10 Aug 2017 18:40:02 +0000 (19:40 +0100)
author Jakub Zelenka <bukka@php.net>
Thu, 10 Aug 2017 18:40:02 +0000 (19:40 +0100)
committer Jakub Zelenka <bukka@php.net>
Thu, 10 Aug 2017 18:40:02 +0000 (19:40 +0100)
diff --git a/ext/json/json_scanner.c b/ext/json/json_scanner.c

index 786f3027d9a032215fa502c4b3b05f28f76a7de8..5bc4416e95c8ebeb1c6bc6342e6fd27c6cec9c3a 100644 (file)
--- a/ext/json/json_scanner.c
+++ b/ext/json/json_scanner.c
@@ -639,9 +639,16 @@ yy79:
  yy80:
                 {
                 if (s->options & (PHP_JSON_INVALID_UTF8_IGNORE | PHP_JSON_INVALID_UTF8_SUBSTITUTE)) {
-                       int utf8_addition = (s->options & PHP_JSON_INVALID_UTF8_SUBSTITUTE) ? 3 : 0;
+                       if (s->options & PHP_JSON_INVALID_UTF8_SUBSTITUTE) {
+                               if (s->utf8_invalid_count > INT_MAX - 2) {
+                                       s->errcode = PHP_JSON_ERROR_UTF8;
+                                       return PHP_JSON_T_ERROR;
+                               }
+                               s->utf8_invalid_count += 2;
+                       } else {
+                               s->utf8_invalid_count--;
+                       }
                         s->utf8_invalid = 1;
-                       s->utf8_invalid_count += utf8_addition - 1;
                         PHP_JSON_CONDITION_GOTO(STR_P1);
                 }
                 s->errcode = PHP_JSON_ERROR_UTF8;
diff --git a/ext/json/json_scanner.re b/ext/json/json_scanner.re

index e87790ac769cc084daa1123f69fec161160fe499..9d52307be98db9f8bb17e9613d2bc1ae2946187c 100644 (file)
--- a/ext/json/json_scanner.re
+++ b/ext/json/json_scanner.re
@@ -281,9 +281,16 @@ std:
         <STR_P1>UTF8             { PHP_JSON_CONDITION_GOTO(STR_P1); }
         <STR_P1>ANY              {
                 if (s->options & (PHP_JSON_INVALID_UTF8_IGNORE | PHP_JSON_INVALID_UTF8_SUBSTITUTE)) {
-                       int utf8_addition = (s->options & PHP_JSON_INVALID_UTF8_SUBSTITUTE) ? 3 : 0;
+                       if (s->options & PHP_JSON_INVALID_UTF8_SUBSTITUTE) {
+                               if (s->utf8_invalid_count > INT_MAX - 2) {
+                                       s->errcode = PHP_JSON_ERROR_UTF8;
+                                       return PHP_JSON_T_ERROR;
+                               }
+                               s->utf8_invalid_count += 2;
+                       } else {
+                               s->utf8_invalid_count--;
+                       }
                         s->utf8_invalid = 1;
-                       s->utf8_invalid_count += utf8_addition - 1;
                         PHP_JSON_CONDITION_GOTO(STR_P1);
                 }
                 s->errcode = PHP_JSON_ERROR_UTF8;
author	Jakub Zelenka <bukka@php.net>
	Thu, 10 Aug 2017 18:40:02 +0000 (19:40 +0100)
committer	Jakub Zelenka <bukka@php.net>
	Thu, 10 Aug 2017 18:40:02 +0000 (19:40 +0100)
ext/json/json_scanner.c		patch \| blob \| history
ext/json/json_scanner.re		patch \| blob \| history