scottmac                Fri Dec 19 02:13:42 2008 UTC

  Modified files:              (Branch: PHP_5_2)
    /php-src/ext/json   JSON_parser.c 
    /php-src/ext/json/tests     001.phpt 
    /php-src    NEWS 
  Log:
  MFH: Invalid string causes segfault within json_decode()
  
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/json/JSON_parser.c?r1=1.1.2.14&r2=1.1.2.15&diff_format=u
Index: php-src/ext/json/JSON_parser.c
diff -u php-src/ext/json/JSON_parser.c:1.1.2.14 
php-src/ext/json/JSON_parser.c:1.1.2.15
--- php-src/ext/json/JSON_parser.c:1.1.2.14     Tue Dec  2 14:50:37 2008
+++ php-src/ext/json/JSON_parser.c      Fri Dec 19 02:13:41 2008
@@ -494,9 +494,7 @@
     }
 */
             case -7:
-                if (type != -1 &&
-                    (JSON(the_stack)[JSON(the_top)] == MODE_OBJECT ||
-                     JSON(the_stack)[JSON(the_top)] == MODE_ARRAY))
+                if (type != -1 && JSON(the_stack)[JSON(the_top)] == 
MODE_OBJECT)
                 {
                     zval *mval;
                     smart_str_0(&buf);
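Review bot: The narrowed test in `case -7` (and the mirror one in `case -5` in the next hunk) has no comment explaining why the container on top of the stack must match the closing token, which is the whole point of the fix. The removed lines show that either mode used to be accepted, so a mismatched closer such as the `[1}` from the new test could presumably enter the block that builds `mval` for the wrong container type. I would add above each condition a comment like `/* attach the pending value only if the closer matches the open container; a mismatch must be rejected, not stored */`. The rejection itself has to happen after this block, which lies outside the hunk, so it is worth confirming that path returns failure and releases `buf` when the condition is false.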
@@ -566,9 +564,7 @@
 */
             case -5:
             {
-                if (type != -1 &&
-                    (JSON(the_stack)[JSON(the_top)] == MODE_OBJECT ||
-                     JSON(the_stack)[JSON(the_top)] == MODE_ARRAY))
+                if (type != -1 && JSON(the_stack)[JSON(the_top)] == MODE_ARRAY)
                 {
                     zval *mval;
                     smart_str_0(&buf);
http://cvs.php.net/viewvc.cgi/php-src/ext/json/tests/001.phpt?r1=1.1.2.4&r2=1.1.2.5&diff_format=u
Index: php-src/ext/json/tests/001.phpt
diff -u php-src/ext/json/tests/001.phpt:1.1.2.4 
php-src/ext/json/tests/001.phpt:1.1.2.5
--- php-src/ext/json/tests/001.phpt:1.1.2.4     Fri Nov  3 13:16:33 2006
+++ php-src/ext/json/tests/001.phpt     Fri Dec 19 02:13:41 2008
@@ -16,6 +16,7 @@
 var_dump(json_decode("руссиш"));
 var_dump(json_decode("blah"));
 var_dump(json_decode(NULL));
+var_dump(json_decode('[1}'));
 var_dump(json_decode('{ "test": { "foo": "bar" } }'));
 var_dump(json_decode('{ "test": { "foo": "" } }'));
 var_dump(json_decode('{ "": { "foo": "" } }'));
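Review bot: The added input `'[1}'` exercises only one of the two conditions the parser change touches, so the array-closer check in `case -5` has no regression input. Adding the mirrored case, e.g. `var_dump(json_decode('{"a":1]'));`, with its expected line in the output section (presumably `NULL`, as for `'[1}'`) would cover both branches. A nested variant such as `'[[1}]'` would also show that the check holds below the top level.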
@@ -38,6 +39,7 @@
 string(12) "руссиш"
 string(4) "blah"
 NULL
+NULL
 object(stdClass)#1 (1) {
   ["test"]=>
   object(stdClass)#2 (1) {
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.1366&r2=1.2027.2.547.2.1367&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.547.2.1366 php-src/NEWS:1.2027.2.547.2.1367
--- php-src/NEWS:1.2027.2.547.2.1366    Thu Dec 18 21:05:55 2008
+++ php-src/NEWS        Fri Dec 19 02:13:41 2008
@@ -7,6 +7,8 @@
   correctly with a non truecolour image, reported by Hamid Ebadi, APA 
Laboratory.
   (Fixes CVE-2008-5498) (Scott)
 
+- Fixed segfault when malformed string passed to json_decode(). (Scott)
+
 - Fixed bug #46889 (Memory leak in strtotime()). (Derick)
 - Fixed bug #46887 (Invalid calls to php_error_docref()).
   (oeriksson at mandriva dot com, Ilia)


