From dabd48caf74995e605f1700344f1ff4a5d83441d Mon Sep 17 00:00:00 2001
From: Mark Williams
Date: Thu, 20 Feb 2020 15:41:33 -0800
Subject: [PATCH] Fix a json_decode crash when depth==0

Summary:
Setting depth=0 is an error, and should result in NULL, but we weren't checking for it, so in the case of a single, top-level string, we would reading the -1th element of the stack.

Differential Revision: D19609959

fbshipit-source-id: 04ca1e0965e04b44df2d5c806a73c3da99ff66fb
---
 hphp/runtime/ext/json/JSON_parser.cpp | 4 ++++
 hphp/test/slow/ext_json/decode_crash.php | 3 +++
 hphp/test/slow/ext_json/decode_crash.php.expect | 1 +
 3 files changed, 8 insertions(+)
 create mode 100644 hphp/test/slow/ext_json/decode_crash.php
 create mode 100644 hphp/test/slow/ext_json/decode_crash.php.expect

diff --git a/hphp/runtime/ext/json/JSON_parser.cpp b/hphp/runtime/ext/json/JSON_parser.cpp
index b1b4f51b2e5..5d3b3cfb25a 100644
--- a/hphp/runtime/ext/json/JSON_parser.cpp
+++ b/hphp/runtime/ext/json/JSON_parser.cpp
@@ -1148,6 +1148,10 @@ bool JSON_parser(Variant &z, const char *p, int length, bool const assoc,
   // they exceed kMaxPersistentStringBufferCapacity at exit or if the thread
   // is explicitly flushed (e.g., due to being idle).
   json->initSb(length);
+  if (depth <= 0) {
+    json->error_code = json_error_codes::JSON_ERROR_DEPTH;
+    return false;
+  }
   SCOPE_EXIT {
     constexpr int kMaxPersistentStringBufferCapacity = 256 * 1024;
     if (json->sb_cap > kMaxPersistentStringBufferCapacity) json->flushSb();
diff --git a/hphp/test/slow/ext_json/decode_crash.php b/hphp/test/slow/ext_json/decode_crash.php
new file mode 100644
index 00000000000..9944145e454
--- /dev/null
+++ b/hphp/test/slow/ext_json/decode_crash.php
@@ -0,0 +1,3 @@
+
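Review bot: The new `depth <= 0` guard is placed after `json->initSb(length)` but before the `SCOPE_EXIT` that flushes an oversized string buffer, so its early `return false` bypasses that cleanup: a call with a large `length` and a non-positive depth grows the persistent buffer and leaves it above `kMaxPersistentStringBufferCapacity` until some later call's exit runs the flush. Moving the guard above `json->initSb(length);` avoids the allocation entirely and keeps the existing cleanup ordering intact, i.e. `if (depth <= 0) { json->error_code = json_error_codes::JSON_ERROR_DEPTH; return false; }` immediately before `json->initSb(length);` (whether `initSb` grows `sb_cap` on this call is not visible in the hunk, so this is inferred from the surrounding comment). Since the only explanation of the crash lives in the commit message, a short why-comment on the guard would help the next reader, e.g. `// depth <= 0 can never hold a value and would index the stack at -1; reject it before any parsing`. JSON_parser's body starts and ends outside this hunk, and where `depth` is validated by the PHP-level caller is not shown here.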