Fix bug #68546 (json_decode cannot access property started with \0)

bukka · bukka · commit f3df3df8737a · 2015-06-21T15:30:33.000+01:00
diff --git a/NEWS b/NEWS
@@ -199,6 +199,8 @@ PHP                                                                        NEWS
     (JSON extension includes a problematic license statement). (Jakub Zelenka)
   . Fixed bug #68938 (json_decode() decodes empty string without error).
     (jeremy at bat-country dot us)
+  . Fixed bug #68546 (json_decode() Fatal error: Cannot access property
+    started with '\0'). (Jakub Zelenka)
 
 - LDAP
   . Fixed bug #47222 (Implement LDAP_OPT_DIAGNOSTIC_MESSAGE). (Andreas Heigl)
diff --git a/ext/json/json.c b/ext/json/json.c
@@ -121,6 +121,7 @@ static PHP_MINIT_FUNCTION(json)
 	REGISTER_LONG_CONSTANT("JSON_ERROR_RECURSION", PHP_JSON_ERROR_RECURSION, CONST_CS | CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("JSON_ERROR_INF_OR_NAN", PHP_JSON_ERROR_INF_OR_NAN, CONST_CS | CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("JSON_ERROR_UNSUPPORTED_TYPE", PHP_JSON_ERROR_UNSUPPORTED_TYPE, CONST_CS | CONST_PERSISTENT);
+	REGISTER_LONG_CONSTANT("JSON_ERROR_INVALID_PROPERTY_NAME", PHP_JSON_ERROR_INVALID_PROPERTY_NAME, CONST_CS | CONST_PERSISTENT);
 
 	REGISTER_LONG_CONSTANT("JSON_OBJECT_AS_ARRAY",		PHP_JSON_OBJECT_AS_ARRAY,		CONST_CS | CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("JSON_BIGINT_AS_STRING",		PHP_JSON_BIGINT_AS_STRING,		CONST_CS | CONST_PERSISTENT);
@@ -300,6 +301,8 @@ static PHP_FUNCTION(json_last_error_msg)
 			RETURN_STRING("Inf and NaN cannot be JSON encoded");
 		case PHP_JSON_ERROR_UNSUPPORTED_TYPE:
 			RETURN_STRING("Type is not supported");
+		case PHP_JSON_ERROR_INVALID_PROPERTY_NAME:
+			RETURN_STRING("The decoded property name is invalid");
 		default:
 			RETURN_STRING("Unknown error");
 	}
diff --git a/ext/json/json_parser.tab.c b/ext/json/json_parser.tab.c
@@ -204,7 +204,7 @@ int php_json_yyparse (php_json_parser *parser);
 int php_json_yylex(union YYSTYPE *value, php_json_parser *parser);
 void php_json_yyerror(php_json_parser *parser, char const *msg);
 void php_json_parser_object_init(php_json_parser *parser, zval *object);
-void php_json_parser_object_update(php_json_parser *parser, zval *object, zend_string *key, zval *zvalue);
+int php_json_parser_object_update(php_json_parser *parser, zval *object, zend_string *key, zval *zvalue);
 void php_json_parser_array_init(zval *object);
 void php_json_parser_array_append(zval *array, zval *zvalue);
 
@@ -515,9 +515,9 @@ static const yytype_uint8 yytranslate[] =
 static const yytype_uint8 yyrline[] =
 {
        0,    92,    92,    98,   105,   105,   113,   114,   123,   126,
-     130,   135,   140,   147,   152,   159,   159,   167,   168,   177,
-     180,   184,   189,   194,   201,   202,   206,   207,   208,   209,
-     210,   211,   212,   213,   214,   215,   219
+     130,   136,   142,   149,   154,   161,   161,   169,   170,   179,
+     182,   186,   191,   196,   203,   204,   208,   209,   210,   211,
+     212,   213,   214,   215,   216,   217,   221
 };
 #endif
 
@@ -1499,15 +1499,17 @@ YYSTYPE yylval YY_INITIAL_VALUE (= yyval_default);
 
     {
 				php_json_parser_object_init(parser, &(yyval.value));
-				php_json_parser_object_update(parser, &(yyval.value), (yyvsp[0].pair).key, &(yyvsp[0].pair).val);
+				if (php_json_parser_object_update(parser, &(yyval.value), (yyvsp[0].pair).key, &(yyvsp[0].pair).val) == FAILURE)
+					YYERROR;
 			}
 
     break;
 
   case 11:
 
     {
-				php_json_parser_object_update(parser, &(yyvsp[-2].value), (yyvsp[0].pair).key, &(yyvsp[0].pair).val);
+				if (php_json_parser_object_update(parser, &(yyvsp[-2].value), (yyvsp[0].pair).key, &(yyvsp[0].pair).val) == FAILURE)
+					YYERROR;
 				ZVAL_COPY_VALUE(&(yyval.value), &(yyvsp[-2].value));
 			}
 
@@ -1860,7 +1862,7 @@ void php_json_parser_object_init(php_json_parser *parser, zval *object)
 	}
 }
 
-void php_json_parser_object_update(php_json_parser *parser, zval *object, zend_string *key, zval *zvalue)
+int php_json_parser_object_update(php_json_parser *parser, zval *object, zend_string *key, zval *zvalue)
 {
 	/* if JSON_OBJECT_AS_ARRAY is set */
 	if (Z_TYPE_P(object) == IS_ARRAY) {
@@ -1870,6 +1872,12 @@ void php_json_parser_object_update(php_json_parser *parser, zval *object, zend_s
 		if (key->len == 0) {
 			zend_string_release(key);
 			key = zend_string_init("_empty_", sizeof("_empty_") - 1, 0);
+		} else if (key->val[0] == '\0') {
+			parser->scanner.errcode = PHP_JSON_ERROR_INVALID_PROPERTY_NAME;
+			zend_string_release(key);
+			zval_dtor(zvalue);
+			zval_dtor(object);
+			return FAILURE;
 		}
 		ZVAL_NEW_STR(&zkey, key);
 		zend_std_write_property(object, &zkey, zvalue, NULL); 
@@ -1879,6 +1887,8 @@ void php_json_parser_object_update(php_json_parser *parser, zval *object, zend_s
 		}
 	}
 	zend_string_release(key);
+
+	return SUCCESS;
 }
 
 void php_json_parser_array_init(zval *array)
diff --git a/ext/json/json_parser.y b/ext/json/json_parser.y
@@ -73,7 +73,7 @@ int json_yydebug = 1;
 int php_json_yylex(union YYSTYPE *value, php_json_parser *parser);
 void php_json_yyerror(php_json_parser *parser, char const *msg);
 void php_json_parser_object_init(php_json_parser *parser, zval *object);
-void php_json_parser_object_update(php_json_parser *parser, zval *object, zend_string *key, zval *zvalue);
+int php_json_parser_object_update(php_json_parser *parser, zval *object, zend_string *key, zval *zvalue);
 void php_json_parser_array_init(zval *object);
 void php_json_parser_array_append(zval *array, zval *zvalue);
 
@@ -130,11 +130,13 @@ member:
 		pair
 			{
 				php_json_parser_object_init(parser, &$$);
-				php_json_parser_object_update(parser, &$$, $1.key, &$1.val);
+				if (php_json_parser_object_update(parser, &$$, $1.key, &$1.val) == FAILURE)
+					YYERROR;
 			}
 	|	member ',' pair
 			{
-				php_json_parser_object_update(parser, &$1, $3.key, &$3.val);
+				if (php_json_parser_object_update(parser, &$1, $3.key, &$3.val) == FAILURE)
+					YYERROR;
 				ZVAL_COPY_VALUE(&$$, &$1);
 			}
 	|	member errlex
@@ -248,7 +250,7 @@ void php_json_parser_object_init(php_json_parser *parser, zval *object)
 	}
 }
 
-void php_json_parser_object_update(php_json_parser *parser, zval *object, zend_string *key, zval *zvalue)
+int php_json_parser_object_update(php_json_parser *parser, zval *object, zend_string *key, zval *zvalue)
 {
 	/* if JSON_OBJECT_AS_ARRAY is set */
 	if (Z_TYPE_P(object) == IS_ARRAY) {
@@ -258,6 +260,12 @@ void php_json_parser_object_update(php_json_parser *parser, zval *object, zend_s
 		if (key->len == 0) {
 			zend_string_release(key);
 			key = zend_string_init("_empty_", sizeof("_empty_") - 1, 0);
+		} else if (key->val[0] == '\0') {
+			parser->scanner.errcode = PHP_JSON_ERROR_INVALID_PROPERTY_NAME;
+			zend_string_release(key);
+			zval_dtor(zvalue);
+			zval_dtor(object);
+			return FAILURE;
 		}
 		ZVAL_NEW_STR(&zkey, key);
 		zend_std_write_property(object, &zkey, zvalue, NULL); 
@@ -267,6 +275,8 @@ void php_json_parser_object_update(php_json_parser *parser, zval *object, zend_s
 		}
 	}
 	zend_string_release(key);
+
+	return SUCCESS;
 }
 
 void php_json_parser_array_init(zval *array)
diff --git a/ext/json/php_json.h b/ext/json/php_json.h
@@ -51,6 +51,7 @@ typedef enum {
 	PHP_JSON_ERROR_RECURSION,
 	PHP_JSON_ERROR_INF_OR_NAN,
 	PHP_JSON_ERROR_UNSUPPORTED_TYPE,
+	PHP_JSON_ERROR_INVALID_PROPERTY_NAME,
 	PHP_JSON_ERROR_UTF16
 } php_json_error_code;
 
diff --git a/ext/json/tests/bug68546.phpt b/ext/json/tests/bug68546.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Bug #68546 (json_decode() Fatal error: Cannot access property started with '\0')
+--SKIPIF--
+<?php
+
+if (!extension_loaded('json')) die('skip');
+?>
+--FILE--
+<?php
+
+var_dump(json_decode('{"key": {"\u0000": "aa"}}'));
+var_dump(json_last_error() === JSON_ERROR_INVALID_PROPERTY_NAME);
+var_dump(json_decode('[{"key1": 0, "\u0000": 1}]'));
+var_dump(json_last_error() === JSON_ERROR_INVALID_PROPERTY_NAME);
+var_dump(json_last_error_msg());
+
+echo "Done\n";
+?>
+--EXPECTF--
+NULL
+bool(true)
+NULL
+bool(true)
+string(36) "The decoded property name is invalid"
+Done

Original file line number	Diff line number	Diff line change
`@@ -204,7 +204,7 @@ int php_json_yyparse (php_json_parser *parser);`
`204`	`204`	`int php_json_yylex(union YYSTYPE value, php_json_parser parser);`
`205`	`205`	`void php_json_yyerror(php_json_parser parser, char const msg);`
`206`	`206`	`void php_json_parser_object_init(php_json_parser parser, zval object);`
`207`		`-void php_json_parser_object_update(php_json_parser parser, zval object, zend_string key, zval zvalue);`
	`207`	`+int php_json_parser_object_update(php_json_parser parser, zval object, zend_string key, zval zvalue);`
`208`	`208`	`void php_json_parser_array_init(zval *object);`
`209`	`209`	`void php_json_parser_array_append(zval array, zval zvalue);`
`210`	`210`
`@@ -515,9 +515,9 @@ static const yytype_uint8 yytranslate[] =`
`515`	`515`	`static const yytype_uint8 yyrline[] =`
`516`	`516`	`{`
`517`	`517`	`0, 92, 92, 98, 105, 105, 113, 114, 123, 126,`
`518`		`- 130, 135, 140, 147, 152, 159, 159, 167, 168, 177,`
`519`		`- 180, 184, 189, 194, 201, 202, 206, 207, 208, 209,`
`520`		`- 210, 211, 212, 213, 214, 215, 219`
	`518`	`+ 130, 136, 142, 149, 154, 161, 161, 169, 170, 179,`
	`519`	`+ 182, 186, 191, 196, 203, 204, 208, 209, 210, 211,`
	`520`	`+ 212, 213, 214, 215, 216, 217, 221`
`521`	`521`	`};`
`522`	`522`	`#endif`
`523`	`523`
`@@ -1499,15 +1499,17 @@ YYSTYPE yylval YY_INITIAL_VALUE (= yyval_default);`
`1499`	`1499`
`1500`	`1500`	`{`
`1501`	`1501`	`php_json_parser_object_init(parser, &(yyval.value));`
`1502`		`- php_json_parser_object_update(parser, &(yyval.value), (yyvsp[0].pair).key, &(yyvsp[0].pair).val);`
	`1502`	`+ if (php_json_parser_object_update(parser, &(yyval.value), (yyvsp[0].pair).key, &(yyvsp[0].pair).val) == FAILURE)`
	`1503`	`+ YYERROR;`
`1503`	`1504`	`}`
`1504`	`1505`
`1505`	`1506`	`break;`
`1506`	`1507`
`1507`	`1508`	`case 11:`
`1508`	`1509`
`1509`	`1510`	`{`
`1510`		`- php_json_parser_object_update(parser, &(yyvsp[-2].value), (yyvsp[0].pair).key, &(yyvsp[0].pair).val);`
	`1511`	`+ if (php_json_parser_object_update(parser, &(yyvsp[-2].value), (yyvsp[0].pair).key, &(yyvsp[0].pair).val) == FAILURE)`
	`1512`	`+ YYERROR;`
`1511`	`1513`	`ZVAL_COPY_VALUE(&(yyval.value), &(yyvsp[-2].value));`
`1512`	`1514`	`}`
`1513`	`1515`
`@@ -1860,7 +1862,7 @@ void php_json_parser_object_init(php_json_parser parser, zval object)`
`1860`	`1862`	`}`
`1861`	`1863`	`}`
`1862`	`1864`
`1863`		`-void php_json_parser_object_update(php_json_parser parser, zval object, zend_string key, zval zvalue)`
	`1865`	`+int php_json_parser_object_update(php_json_parser parser, zval object, zend_string key, zval zvalue)`
`1864`	`1866`	`{`
`1865`	`1867`	`/* if JSON_OBJECT_AS_ARRAY is set */`
`1866`	`1868`	`if (Z_TYPE_P(object) == IS_ARRAY) {`
`@@ -1870,6 +1872,12 @@ void php_json_parser_object_update(php_json_parser parser, zval object, zend_s`
`1870`	`1872`	`if (key->len == 0) {`
`1871`	`1873`	`zend_string_release(key);`
`1872`	`1874`	`key = zend_string_init("_empty_", sizeof("_empty_") - 1, 0);`
	`1875`	`+ } else if (key->val[0] == '\0') {`
	`1876`	`+ parser->scanner.errcode = PHP_JSON_ERROR_INVALID_PROPERTY_NAME;`
	`1877`	`+ zend_string_release(key);`
	`1878`	`+ zval_dtor(zvalue);`
	`1879`	`+ zval_dtor(object);`
	`1880`	`+ return FAILURE;`
`1873`	`1881`	`}`
`1874`	`1882`	`ZVAL_NEW_STR(&zkey, key);`
`1875`	`1883`	`zend_std_write_property(object, &zkey, zvalue, NULL);`
`@@ -1879,6 +1887,8 @@ void php_json_parser_object_update(php_json_parser parser, zval object, zend_s`
`1879`	`1887`	`}`
`1880`	`1888`	`}`
`1881`	`1889`	`zend_string_release(key);`
	`1890`	`+`
	`1891`	`+ return SUCCESS;`
`1882`	`1892`	`}`
`1883`	`1893`
`1884`	`1894`	`void php_json_parser_array_init(zval *array)`
Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,7 @@ int json_yydebug = 1;`
`73`	`73`	`int php_json_yylex(union YYSTYPE value, php_json_parser parser);`
`74`	`74`	`void php_json_yyerror(php_json_parser parser, char const msg);`
`75`	`75`	`void php_json_parser_object_init(php_json_parser parser, zval object);`
`76`		`-void php_json_parser_object_update(php_json_parser parser, zval object, zend_string key, zval zvalue);`
	`76`	`+int php_json_parser_object_update(php_json_parser parser, zval object, zend_string key, zval zvalue);`
`77`	`77`	`void php_json_parser_array_init(zval *object);`
`78`	`78`	`void php_json_parser_array_append(zval array, zval zvalue);`
`79`	`79`
`@@ -130,11 +130,13 @@ member:`
`130`	`130`	`pair`
`131`	`131`	`{`
`132`	`132`	`php_json_parser_object_init(parser, &$$);`
`133`		`- php_json_parser_object_update(parser, &$$, $1.key, &$1.val);`
	`133`	`+ if (php_json_parser_object_update(parser, &$$, $1.key, &$1.val) == FAILURE)`
	`134`	`+ YYERROR;`
`134`	`135`	`}`
`135`	`136`	`\| member ',' pair`
`136`	`137`	`{`
`137`		`- php_json_parser_object_update(parser, &$1, $3.key, &$3.val);`
	`138`	`+ if (php_json_parser_object_update(parser, &$1, $3.key, &$3.val) == FAILURE)`
	`139`	`+ YYERROR;`
`138`	`140`	`ZVAL_COPY_VALUE(&$$, &$1);`
`139`	`141`	`}`
`140`	`142`	`\| member errlex`
`@@ -248,7 +250,7 @@ void php_json_parser_object_init(php_json_parser parser, zval object)`
`248`	`250`	`}`
`249`	`251`	`}`
`250`	`252`
`251`		`-void php_json_parser_object_update(php_json_parser parser, zval object, zend_string key, zval zvalue)`
	`253`	`+int php_json_parser_object_update(php_json_parser parser, zval object, zend_string key, zval zvalue)`
`252`	`254`	`{`
`253`	`255`	`/* if JSON_OBJECT_AS_ARRAY is set */`
`254`	`256`	`if (Z_TYPE_P(object) == IS_ARRAY) {`
`@@ -258,6 +260,12 @@ void php_json_parser_object_update(php_json_parser parser, zval object, zend_s`
`258`	`260`	`if (key->len == 0) {`
`259`	`261`	`zend_string_release(key);`
`260`	`262`	`key = zend_string_init("_empty_", sizeof("_empty_") - 1, 0);`
	`263`	`+ } else if (key->val[0] == '\0') {`
	`264`	`+ parser->scanner.errcode = PHP_JSON_ERROR_INVALID_PROPERTY_NAME;`
	`265`	`+ zend_string_release(key);`
	`266`	`+ zval_dtor(zvalue);`
	`267`	`+ zval_dtor(object);`
	`268`	`+ return FAILURE;`
`261`	`269`	`}`
`262`	`270`	`ZVAL_NEW_STR(&zkey, key);`
`263`	`271`	`zend_std_write_property(object, &zkey, zvalue, NULL);`
`@@ -267,6 +275,8 @@ void php_json_parser_object_update(php_json_parser parser, zval object, zend_s`
`267`	`275`	`}`
`268`	`276`	`}`
`269`	`277`	`zend_string_release(key);`
	`278`	`+`
	`279`	`+ return SUCCESS;`
`270`	`280`	`}`
`271`	`281`
`272`	`282`	`void php_json_parser_array_init(zval *array)`