Fixed bug #72787 (json_decode reads out of bounds)

author: Jakub Zelenka <bukka@php.net> 2016-08-14 13:52:59 +0100
committer: Jakub Zelenka <bukka@php.net> 2016-08-14 13:52:59 +0100
commit: 9f1d962ed6057a3996f1b5aa82467a3172e41e8f (patch)
tree: ce85d15b2854cf5398ede4b84faaf6ceb96d7a11 /ext/json/json.c
parent: dfadc5a427b548cab2b7c037c05f65684e08a248 (diff)
download: php-git-9f1d962ed6057a3996f1b5aa82467a3172e41e8f.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/ext/json/json.c b/ext/json/json.c
index 634d6e55f5..8c4d20fb2a 100644
--- a/ext/json/json.c
+++ b/ext/json/json.c
@@ -704,6 +704,12 @@ PHP_JSON_API void php_json_decode_ex(zval *return_value, char *str, int str_len,
 		RETURN_NULL();
 	}
 
+	if (depth > INT_MAX) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Depth must be lower than %d", INT_MAX);
+		efree(utf16);
+		RETURN_NULL();
+	}
+
 	ALLOC_INIT_ZVAL(z);
 	jp = new_JSON_parser(depth);
 	if (parse_JSON_ex(jp, z, utf16, utf16_len, options TSRMLS_CC)) {
author	Jakub Zelenka <bukka@php.net>	2016-08-14 13:52:59 +0100
committer	Jakub Zelenka <bukka@php.net>	2016-08-14 13:52:59 +0100
commit	9f1d962ed6057a3996f1b5aa82467a3172e41e8f (patch)
tree	ce85d15b2854cf5398ede4b84faaf6ceb96d7a11 /ext/json/json.c
parent	dfadc5a427b548cab2b7c037c05f65684e08a248 (diff)
download	php-git-9f1d962ed6057a3996f1b5aa82467a3172e41e8f.tar.gz