authorJakub Zelenka <bukka@php.net>2016-08-14 14:01:36 +0100
committerJakub Zelenka <bukka@php.net>2016-08-14 14:01:36 +0100
commit37c12f8f867ad96e005cefc545093e43b633728c (patch)
tree445dea292a1831dcc148d64f2d13731affe33cd0 /ext/json
parent6ab9b531bc12ba3e746be6615f4edcc1cc387e61 (diff)
parent436d50a82192cbef4431fe9a70c641f49aec55a8 (diff)
downloadphp-git-37c12f8f867ad96e005cefc545093e43b633728c.tar.gz
Merge branch 'PHP-7.0' into PHP-7.1
Diffstat (limited to 'ext/json')
-rw-r--r--ext/json/json.c10
-rw-r--r--ext/json/tests/bug72787.phpt15
2 files changed, 25 insertions, 0 deletions
diff --git a/ext/json/json.c b/ext/json/json.c
index e8b111b28c..2acfb5e79f 100644
--- a/ext/json/json.c
+++ b/ext/json/json.c
@@ -258,6 +258,16 @@ static PHP_FUNCTION(json_decode)
RETURN_NULL();
}
+ if (depth <= 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Depth must be greater than zero");
+ RETURN_NULL();
+ }
+
+ if (depth > INT_MAX) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Depth must be lower than %d", INT_MAX);
+ RETURN_NULL();
+ }
+
/* For BC reasons, the bool $assoc overrides the long $options bit for PHP_JSON_OBJECT_AS_ARRAY */
if (assoc) {
options |= PHP_JSON_OBJECT_AS_ARRAY;
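Review bot: The upper-bound warning reads "Depth must be lower than %d" with INT_MAX as its argument, but the guard `if (depth > INT_MAX)` accepts depth == INT_MAX, so the message and the check disagree by one. Either word it as `"Depth must not exceed %d"` (and update the EXPECTF line in bug72787.phpt) or keep the text and state the inclusive bound in a comment. Both guards sit only in PHP_FUNCTION(json_decode), whose body starts and ends outside this hunk. If depth is narrowed to int further down, as the test input 0x100000000 suggests, other callers of the internal decode routine would not get this validation, so I would add `/* depth is narrowed to int later; reject values that would not survive the cast */` above the checks and consider repeating the range check at the point of narrowing. `TSRMLS_CC` looks like a carry-over from the older branch and can probably be dropped here.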
diff --git a/ext/json/tests/bug72787.phpt b/ext/json/tests/bug72787.phpt
new file mode 100644
index 0000000000..c9820faa9f
--- /dev/null
+++ b/ext/json/tests/bug72787.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #72787 (json_decode reads out of bounds)
+--SKIPIF--
+<?php if (!extension_loaded("json")) print "skip"; ?>
+<?php if (PHP_INT_SIZE != 8) die("skip this test is for 64bit platform only"); ?>
+--FILE--
+<?php
+
+var_dump(json_decode('[]', false, 0x100000000));
+
+?>
+--EXPECTF--
+
+Warning: json_decode(): Depth must be lower than %d in %s on line %d
+NULL
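Review bot: Only the `depth > INT_MAX` branch is exercised here; the `depth <= 0` check added to json.c in the same commit has no test. Because this file is skipped when PHP_INT_SIZE != 8, 32-bit builds get no coverage of either guard. I would add a second .phpt without the 64-bit SKIPIF that calls `var_dump(json_decode('[]', false, 0));` and `var_dump(json_decode('[]', false, -1));`, each expecting `Warning: json_decode(): Depth must be greater than zero in %s on line %d` followed by `NULL`.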