MFH: Invalid string causes segfault within json_decode()

Scott MacVicar · Scott MacVicar · commit 99614941d79d · 2008-12-19T02:13:41.000Z
diff --git a/NEWS b/NEWS
@@ -7,6 +7,8 @@ PHP                                                                        NEWS
   correctly with a non truecolour image, reported by Hamid Ebadi, APA Laboratory.
   (Fixes CVE-2008-5498) (Scott)
 
+- Fixed segfault when malformed string passed to json_decode(). (Scott)
+
 - Fixed bug #46889 (Memory leak in strtotime()). (Derick)
 - Fixed bug #46887 (Invalid calls to php_error_docref()).
   (oeriksson at mandriva dot com, Ilia)
diff --git a/ext/json/JSON_parser.c b/ext/json/JSON_parser.c
@@ -494,9 +494,7 @@ JSON_parser(zval *z, unsigned short p[], int length, int assoc TSRMLS_DC)
     }
 */
             case -7:
-                if (type != -1 &&
-                    (JSON(the_stack)[JSON(the_top)] == MODE_OBJECT ||
-                     JSON(the_stack)[JSON(the_top)] == MODE_ARRAY))
+                if (type != -1 && JSON(the_stack)[JSON(the_top)] == MODE_OBJECT)
                 {
                     zval *mval;
                     smart_str_0(&buf);
@@ -566,9 +564,7 @@ JSON_parser(zval *z, unsigned short p[], int length, int assoc TSRMLS_DC)
 */
             case -5:
             {
-                if (type != -1 &&
-                    (JSON(the_stack)[JSON(the_top)] == MODE_OBJECT ||
-                     JSON(the_stack)[JSON(the_top)] == MODE_ARRAY))
+                if (type != -1 && JSON(the_stack)[JSON(the_top)] == MODE_ARRAY)
                 {
                     zval *mval;
                     smart_str_0(&buf);
diff --git a/ext/json/tests/001.phpt b/ext/json/tests/001.phpt
@@ -16,6 +16,7 @@ var_dump(json_decode(";"));
 var_dump(json_decode("руссиш"));
 var_dump(json_decode("blah"));
 var_dump(json_decode(NULL));
+var_dump(json_decode('[1}'));
 var_dump(json_decode('{ "test": { "foo": "bar" } }'));
 var_dump(json_decode('{ "test": { "foo": "" } }'));
 var_dump(json_decode('{ "": { "foo": "" } }'));
@@ -38,6 +39,7 @@ string(1) ";"
 string(12) "руссиш"
 string(4) "blah"
 NULL
+NULL
 object(stdClass)#1 (1) {
   ["test"]=>
   object(stdClass)#2 (1) {

Original file line number	Diff line number	Diff line change
`@@ -494,9 +494,7 @@ JSON_parser(zval *z, unsigned short p[], int length, int assoc TSRMLS_DC)`
`494`	`494`	`}`
`495`	`495`	`*/`
`496`	`496`	`case -7:`
`497`		`- if (type != -1 &&`
`498`		`- (JSON(the_stack)[JSON(the_top)] == MODE_OBJECT \|\|`
`499`		`- JSON(the_stack)[JSON(the_top)] == MODE_ARRAY))`
	`497`	`+ if (type != -1 && JSON(the_stack)[JSON(the_top)] == MODE_OBJECT)`
`500`	`498`	`{`
`501`	`499`	`zval *mval;`
`502`	`500`	`smart_str_0(&buf);`
`@@ -566,9 +564,7 @@ JSON_parser(zval *z, unsigned short p[], int length, int assoc TSRMLS_DC)`
`566`	`564`	`*/`
`567`	`565`	`case -5:`
`568`	`566`	`{`
`569`		`- if (type != -1 &&`
`570`		`- (JSON(the_stack)[JSON(the_top)] == MODE_OBJECT \|\|`
`571`		`- JSON(the_stack)[JSON(the_top)] == MODE_ARRAY))`
	`567`	`+ if (type != -1 && JSON(the_stack)[JSON(the_top)] == MODE_ARRAY)`
`572`	`568`	`{`
`573`	`569`	`zval *mval;`
`574`	`570`	`smart_str_0(&buf);`