Merge branch 'PHP-5.6' into PHP-7.0

2024-09-22 02:17:32 +00:00 · 2016-08-14 14:00:35 +01:00 · 2016-08-14 14:00:35 +01:00 · 436d50a821
commit 436d50a821
parent 98787d9002 9f1d962ed6
2 changed files with 25 additions and 0 deletions
--- a/ext/json/json.c
+++ b/ext/json/json.c
@ -260,6 +260,16 @@ static PHP_FUNCTION(json_decode)
 		RETURN_NULL();
 	}

+	if (depth <= 0) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Depth must be greater than zero");
+		RETURN_NULL();
+	}
+
+	if (depth > INT_MAX) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Depth must be lower than %d", INT_MAX);
+		RETURN_NULL();
+	}
+
 	/* For BC reasons, the bool $assoc overrides the long $options bit for PHP_JSON_OBJECT_AS_ARRAY */
 	if (assoc) {
 		options |=  PHP_JSON_OBJECT_AS_ARRAY;
--- a/ext/json/tests/bug72787.phpt
+++ b/ext/json/tests/bug72787.phpt
@ -0,0 +1,15 @@
+--TEST--
+Bug #72787 (json_decode reads out of bounds)
+--SKIPIF--
+<?php if (!extension_loaded("json")) print "skip"; ?>
+<?php if (PHP_INT_SIZE != 8) die("skip this test is for 64bit platform only"); ?>
+--FILE--
+<?php
+
+var_dump(json_decode('[]', false, 0x100000000));
+
+?>
+--EXPECTF--
+
+Warning: json_decode(): Depth must be lower than %d in %s on line %d
+NULL