authorJakub Zelenka <bukka@php.net>2017-08-10 19:40:02 +0100
committerJakub Zelenka <bukka@php.net>2017-08-10 19:40:02 +0100
commitf5b4cb7130e958eb7e68819353d81f8ff1117258 (patch)
treef68eed1579ad07835b8c3cb60c82a47b3ba2c0c1 /ext/json
parent4375a6c5cd3c7ff47f1de548587de0c85233e48b (diff)
Fix possible overflow in json scanner utf8_invalid_count
Diffstat (limited to 'ext/json')
-rw-r--r--ext/json/json_scanner.c11
-rw-r--r--ext/json/json_scanner.re11
2 files changed, 18 insertions, 4 deletions
diff --git a/ext/json/json_scanner.c b/ext/json/json_scanner.c
index 786f3027d9..5bc4416e95 100644
--- a/ext/json/json_scanner.c
+++ b/ext/json/json_scanner.c
@@ -639,9 +639,16 @@ yy79:
yy80:
{
if (s->options & (PHP_JSON_INVALID_UTF8_IGNORE | PHP_JSON_INVALID_UTF8_SUBSTITUTE)) {
- int utf8_addition = (s->options & PHP_JSON_INVALID_UTF8_SUBSTITUTE) ? 3 : 0;
+ if (s->options & PHP_JSON_INVALID_UTF8_SUBSTITUTE) {
+ if (s->utf8_invalid_count > INT_MAX - 2) {
+ s->errcode = PHP_JSON_ERROR_UTF8;
+ return PHP_JSON_T_ERROR;
+ }
+ s->utf8_invalid_count += 2;
+ } else {
+ s->utf8_invalid_count--;
+ }
s->utf8_invalid = 1;
- s->utf8_invalid_count += utf8_addition - 1;
PHP_JSON_CONDITION_GOTO(STR_P1);
}
s->errcode = PHP_JSON_ERROR_UTF8;
diff --git a/ext/json/json_scanner.re b/ext/json/json_scanner.re
index e87790ac76..9d52307be9 100644
--- a/ext/json/json_scanner.re
+++ b/ext/json/json_scanner.re
@@ -281,9 +281,16 @@ std:
<STR_P1>UTF8 { PHP_JSON_CONDITION_GOTO(STR_P1); }
<STR_P1>ANY {
if (s->options & (PHP_JSON_INVALID_UTF8_IGNORE | PHP_JSON_INVALID_UTF8_SUBSTITUTE)) {
- int utf8_addition = (s->options & PHP_JSON_INVALID_UTF8_SUBSTITUTE) ? 3 : 0;
+ if (s->options & PHP_JSON_INVALID_UTF8_SUBSTITUTE) {
+ if (s->utf8_invalid_count > INT_MAX - 2) {
+ s->errcode = PHP_JSON_ERROR_UTF8;
+ return PHP_JSON_T_ERROR;
+ }
+ s->utf8_invalid_count += 2;
+ } else {
+ s->utf8_invalid_count--;
+ }
s->utf8_invalid = 1;
- s->utf8_invalid_count += utf8_addition - 1;
PHP_JSON_CONDITION_GOTO(STR_P1);
}
s->errcode = PHP_JSON_ERROR_UTF8;
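Review bot: The `else` branch of the `<STR_P1>ANY` rule (the PHP_JSON_INVALID_UTF8_IGNORE path) still runs `s->utf8_invalid_count--;` with no lower-bound check, so the counter is only protected in the substitute path. The field's declaration is not in the hunk, but if it is a signed `int`, as the comparison with `INT_MAX - 2` suggests, a string with enough invalid bytes would decrement it past `INT_MIN`, which is undefined behaviour and would corrupt any length later derived from it. A matching guard before the decrement, `if (s->utf8_invalid_count == INT_MIN) { s->errcode = PHP_JSON_ERROR_UTF8; return PHP_JSON_T_ERROR; }`, would close it. It is also worth confirming that `<limits.h>` is in scope for `INT_MAX`. json_scanner.c appears to be the re2c output of this file and has the same shape at `yy80`; the rule body continues past the end of the hunk.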