authorJakub Zelenka <bukka@php.net>2016-08-14 13:52:59 +0100
committerJakub Zelenka <bukka@php.net>2016-08-14 13:52:59 +0100
commit9f1d962ed6057a3996f1b5aa82467a3172e41e8f (patch)
treece85d15b2854cf5398ede4b84faaf6ceb96d7a11
parentdfadc5a427b548cab2b7c037c05f65684e08a248 (diff)
Fixed bug #72787 (json_decode reads out of bounds)
-rw-r--r--NEWS3
-rw-r--r--ext/json/json.c6
-rw-r--r--ext/json/tests/bug72787.phpt15
3 files changed, 24 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index ccafb63991..6a4fa5001e 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,9 @@ PHP NEWS
. Fixed bug #70195 (Cannot upload file using ftp_put to FTPES with
require_ssl_reuse). (Benedict Singer)
+- JSON:
+ . Fixed bug #72787 (json_decode reads out of bounds). (Jakub Zelenka)
+
- MSSQL:
. Fixed bug #72039 (Use of uninitialised value on mssql_guid_string). (Kalle)
diff --git a/ext/json/json.c b/ext/json/json.c
index 634d6e55f5..8c4d20fb2a 100644
--- a/ext/json/json.c
+++ b/ext/json/json.c
@@ -704,6 +704,12 @@ PHP_JSON_API void php_json_decode_ex(zval *return_value, char *str, int str_len,
RETURN_NULL();
}
+ if (depth > INT_MAX) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Depth must be lower than %d", INT_MAX);
+ efree(utf16);
+ RETURN_NULL();
+ }
+
ALLOC_INIT_ZVAL(z);
jp = new_JSON_parser(depth);
if (parse_JSON_ex(jp, z, utf16, utf16_len, options TSRMLS_CC)) {
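Review bot: The warning in the added guard says the depth must be lower than INT_MAX, but the condition `depth > INT_MAX` accepts INT_MAX itself, so the message and the check disagree by one. Changing the text to `"Depth must be lower than or equal to %d"` would make them match. The guard also has no comment saying why INT_MAX is the limit; presumably `new_JSON_parser()` takes an int and a larger value would be narrowed on the call, which could be stated as `/* depth is narrowed to int by new_JSON_parser(); reject values that would not fit */`. This check only bounds the conversion: a caller-supplied depth at or just under the limit still reaches `new_JSON_parser(depth)`, so if that function sizes its stack from depth (not visible here), the allocation size stays caller-controlled. The body of php_json_decode_ex starts and ends outside the hunk.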
diff --git a/ext/json/tests/bug72787.phpt b/ext/json/tests/bug72787.phpt
new file mode 100644
index 0000000000..c9820faa9f
--- /dev/null
+++ b/ext/json/tests/bug72787.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #72787 (json_decode reads out of bounds)
+--SKIPIF--
+<?php if (!extension_loaded("json")) print "skip"; ?>
+<?php if (PHP_INT_SIZE != 8) die("skip this test is for 64bit platform only"); ?>
+--FILE--
+<?php
+
+var_dump(json_decode('[]', false, 0x100000000));
+
+?>
+--EXPECTF--
+
+Warning: json_decode(): Depth must be lower than %d in %s on line %d
+NULL
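Review bot: The regression test exercises only `0x100000000`, a value whose low 32 bits are zero, so it does not pin the boundary of the new `depth > INT_MAX` check. Adding `var_dump(json_decode('[]', false, 0x80000000));`, the first value above INT_MAX where int is 32 bits wide, together with a second warning/NULL pair in --EXPECTF--, would cover the edge where narrowing would otherwise yield a negative depth. The --SKIPIF-- section correctly limits the test to 64-bit builds, though `PHP_INT_SIZE != 8` could be the strict `!==`.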