diff options
Diffstat (limited to 'ext/json')
| -rw-r--r-- | ext/json/json.c | 6 | ||||
| -rw-r--r-- | ext/json/tests/bug72787.phpt | 15 |
2 files changed, 21 insertions, 0 deletions
diff --git a/ext/json/json.c b/ext/json/json.c index 634d6e55f5..8c4d20fb2a 100644 --- a/ext/json/json.c +++ b/ext/json/json.c @@ -704,6 +704,12 @@ PHP_JSON_API void php_json_decode_ex(zval *return_value, char *str, int str_len, RETURN_NULL(); } + if (depth > INT_MAX) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Depth must be lower than %d", INT_MAX); + efree(utf16); + RETURN_NULL(); + } + ALLOC_INIT_ZVAL(z); jp = new_JSON_parser(depth); if (parse_JSON_ex(jp, z, utf16, utf16_len, options TSRMLS_CC)) { diff --git a/ext/json/tests/bug72787.phpt b/ext/json/tests/bug72787.phpt new file mode 100644 index 0000000000..c9820faa9f --- /dev/null +++ b/ext/json/tests/bug72787.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #72787 (json_decode reads out of bounds) +--SKIPIF-- +<?php if (!extension_loaded("json")) print "skip"; ?> +<?php if (PHP_INT_SIZE != 8) die("skip this test is for 64bit platform only"); ?> +--FILE-- +<?php + +var_dump(json_decode('[]', false, 0x100000000)); + +?> +--EXPECTF-- + +Warning: json_decode(): Depth must be lower than %d in %s on line %d +NULL |