From 4831e150c5ada631c1480098b8a42cbf024d8899 Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Tue, 23 Apr 2019 12:43:07 +0200 Subject: [PATCH] Fixed bug #77843 --- NEWS | 3 +++ ext/json/json_encoder.c | 12 ++++++++++-- ext/json/tests/bug77843.phpt | 25 +++++++++++++++++++++++++ 3 files changed, 38 insertions(+), 2 deletions(-) create mode 100644 ext/json/tests/bug77843.phpt diff --git a/NEWS b/NEWS index 859eb203cfd..d43e79e61c4 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,9 @@ PHP NEWS - FPM: . Fixed bug #77921 (static.php.net doesn't work anymore). (Peter Kokot) +- JSON: + . Fixed bug #77843 (Use after free with json serializer). (Nikita) + - Session: . Fixed bug #77911 (Wrong warning for session.sid_bits_per_character). (cmb) diff --git a/ext/json/json_encoder.c b/ext/json/json_encoder.c index 8e3eecc0d82..41632917158 100644 --- a/ext/json/json_encoder.c +++ b/ext/json/json_encoder.c @@ -542,8 +542,16 @@ again: return php_json_encode_serializable_object(buf, val, options, encoder); } /* fallthrough -- Non-serializable object */ - case IS_ARRAY: - return php_json_encode_array(buf, val, options, encoder); + case IS_ARRAY: { + /* Avoid modifications (and potential freeing) of the array through a reference when a + * jsonSerialize() method is invoked. */ + zval zv; + int res; + ZVAL_COPY(&zv, val); + res = php_json_encode_array(buf, &zv, options, encoder); + zval_ptr_dtor_nogc(&zv); + return res; + } case IS_REFERENCE: val = Z_REFVAL_P(val); diff --git a/ext/json/tests/bug77843.phpt b/ext/json/tests/bug77843.phpt new file mode 100644 index 00000000000..c525285bf5a --- /dev/null +++ b/ext/json/tests/bug77843.phpt @@ -0,0 +1,25 @@ +--TEST-- +Bug #77843: Use after free with json serializer +--FILE-- + +--EXPECT-- +object(X)#1 (1) { + ["prop"]=> + string(5) "value" +} +string(20) "[[{"prop":"value"}]]"