From: Jakub Zelenka
Date: Sun, 6 Aug 2017 16:20:31 +0000 (+0100)
Subject: Fix segfault in json ignoring of invalid UTF8
X-Git-Tag: php-7.2.0beta3~41
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=41d7621f48d78034755ccd540ade850eedc838c6;p=php
Fix segfault in json ignoring of invalid UTF8
---
diff --git a/ext/json/json_scanner.c b/ext/json/json_scanner.c
index 462a99d013..786f3027d9 100644
--- a/ext/json/json_scanner.c
+++ b/ext/json/json_scanner.c
@@ -292,6 +292,7 @@ yy14: { s->str_start = s->cursor; s->str_esc = 0; + s->utf8_invalid_count = 0; PHP_JSON_CONDITION_SET_AND_GOTO(STR_P1); } yy16:
diff --git a/ext/json/json_scanner.re b/ext/json/json_scanner.re
index d26e035481..e87790ac76 100644
--- a/ext/json/json_scanner.re
+++ b/ext/json/json_scanner.re
@@ -209,6 +209,7 @@ std:
 ["] {
 s->str_start = s->cursor;
 s->str_esc = 0;
+ s->utf8_invalid_count = 0;
 PHP_JSON_CONDITION_SET_AND_GOTO(STR_P1);
 }
 CTRL {
diff --git a/ext/json/tests/json_decode_invalid_utf8.phpt b/ext/json/tests/json_decode_invalid_utf8.phpt
index 725fe9be96..d92f785424 100644
--- a/ext/json/tests/json_decode_invalid_utf8.phpt
+++ b/ext/json/tests/json_decode_invalid_utf8.phpt
@@ -9,11 +9,17 @@ if (!extension_loaded("json")) print "skip";
 function json_decode_invalid_utf8($str) {
 var_dump(json_decode($str));
 var_dump(json_decode($str, true, 512, JSON_INVALID_UTF8_IGNORE));
- var_dump(bin2hex(json_decode($str, true, 512, JSON_INVALID_UTF8_SUBSTITUTE)));
+ $json = json_decode($str, true, 512, JSON_INVALID_UTF8_SUBSTITUTE);
+ if (is_array($json)) {
+ var_dump(array_map(function($item) { return bin2hex($item); }, $json));
+ } else {
+ var_dump(bin2hex($json));
+ }
 }
 json_decode_invalid_utf8("\"a\xb0b\"");
 json_decode_invalid_utf8("\"a\xd0\xf2b\"");
 json_decode_invalid_utf8("\"\x61\xf0\x80\x80\x41\"");
+json_decode_invalid_utf8("[\"\xc1\xc1\",\"a\"]");
 echo "Done\n";
 ?>
 --EXPECT--
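Review bot: The added `s->utf8_invalid_count = 0;` in the `["]` rule of json_scanner.re carries no comment, and nothing in the rule says why it must sit next to the `str_start` and `str_esc` resets. The code that reads the counter when sizing the decoded string is outside this hunk, so presumably a value left over from an earlier string in the same document skewed that size; because this path is reachable from `json_decode()` on untrusted input when the invalid-UTF-8 flags are set, the invariant is worth writing down. I would put `/* per-string state: every counter used to size the decoded string must start from zero for each new string token */` above the three assignments. It is also worth confirming that the scanner's init routine zeroes the field, which is not visible here.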
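Review bot: The single added input `["\xc1\xc1","a"]` covers only one ordering of the carry-over, an invalid string followed by a valid one inside an array. Object keys are strings too and presumably pass through the same scanner rule, so a case with invalid bytes in a key followed by a normal value, and one with two invalid strings back to back, would pin the per-string reset more tightly. The new `array_map` branch calls `bin2hex()` on each element, so it only handles a flat array of strings; if a nested input is added later it would need a recursive walk such as `array_walk_recursive`.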
@@ -26,4 +32,17 @@ string(16) "61efbfbdefbfbd62"
 NULL
 string(2) "aA"
 string(22) "61efbfbdefbfbdefbfbd41"
+NULL
+array(2) {
+ [0]=>
+ string(0) ""
+ [1]=>
+ string(1) "a"
+}
+array(2) {
+ [0]=>
+ string(12) "efbfbdefbfbd"
+ [1]=>
+ string(2) "61"
+}
 Done