Merge branch 'PHP-7.3' into PHP-7.4

2 files changed, 35 insertions, 2 deletions

diff --git a/ext/json/json_encoder.c b/ext/json/json_encoder.c
index 23825696b3..c0fcbe3282 100644
--- a/ext/json/json_encoder.c
+++ b/ext/json/json_encoder.c
@@ -567,8 +567,16 @@ again:
 				return php_json_encode_serializable_object(buf, val, options, encoder);
 			}
 			/* fallthrough -- Non-serializable object */
-		case IS_ARRAY:
-			return php_json_encode_array(buf, val, options, encoder);
+		case IS_ARRAY: {
+			/* Avoid modifications (and potential freeing) of the array through a reference when a
+			 * jsonSerialize() method is invoked. */
+			zval zv;
+			int res;
+			ZVAL_COPY(&zv, val);
+			res = php_json_encode_array(buf, &zv, options, encoder);
+			zval_ptr_dtor_nogc(&zv);
+			return res;
+		}
 
 		case IS_REFERENCE:
 			val = Z_REFVAL_P(val);
diff --git a/ext/json/tests/bug77843.phpt b/ext/json/tests/bug77843.phpt
new file mode 100644
index 0000000000..c525285bf5
--- /dev/null
+++ b/ext/json/tests/bug77843.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Bug #77843: Use after free with json serializer
+--FILE--
+<?php
+
+class X implements JsonSerializable {
+    public $prop = "value";
+    public function jsonSerialize() {
+        global $arr;
+        unset($arr[0]);
+        var_dump($this);
+        return $this;
+    }
+}
+
+$arr = [new X()];
+var_dump(json_encode([&$arr]));
+
+?>
+--EXPECT--
+object(X)#1 (1) {
+  ["prop"]=>
+  string(5) "value"
+}
+string(20) "[[{"prop":"value"}]]"