Skip to content

Commit 494aa65

Browse files
committed
Merge branch 'PHP-8.4'
* PHP-8.4: Fix phpGH-15168: stack overflow in json_encode()
2 parents daa94cf + 95d691a commit 494aa65

File tree

2 files changed

+52
-0
lines changed

2 files changed

+52
-0
lines changed

ext/json/json_encoder.c

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -32,6 +32,15 @@
3232

3333
static const char digits[] = "0123456789abcdef";
3434

35+
static zend_always_inline bool php_json_check_stack_limit(void)
36+
{
37+
#ifdef ZEND_CHECK_STACK_LIMIT
38+
return zend_call_stack_overflowed(EG(stack_limit));
39+
#else
40+
return false;
41+
#endif
42+
}
43+
3544
static int php_json_determine_array_type(zval *val) /* {{{ */
3645
{
3746
zend_array *myht = Z_ARRVAL_P(val);
@@ -117,6 +126,14 @@ static zend_result php_json_encode_array(smart_str *buf, zval *val, int options,
117126
HashTable *myht, *prop_ht;
118127
zend_refcounted *recursion_rc;
119128

129+
if (php_json_check_stack_limit()) {
130+
encoder->error_code = PHP_JSON_ERROR_DEPTH;
131+
if (options & PHP_JSON_PARTIAL_OUTPUT_ON_ERROR) {
132+
smart_str_appendl(buf, "null", 4);
133+
}
134+
return FAILURE;
135+
}
136+
120137
if (Z_TYPE_P(val) == IS_ARRAY) {
121138
myht = Z_ARRVAL_P(val);
122139
recursion_rc = (zend_refcounted *)myht;

ext/json/tests/gh15168.phpt

Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,35 @@
1+
--TEST--
2+
GH-15168 (stack overflow in json_encode())
3+
--SKIPIF--
4+
<?php
5+
if (ini_get('zend.max_allowed_stack_size') === false) {
6+
die('skip No stack limit support');
7+
}
8+
?>
9+
--INI--
10+
zend.max_allowed_stack_size=512K
11+
--FILE--
12+
<?php
13+
14+
class Node
15+
{
16+
public $next;
17+
}
18+
19+
$firstNode = new Node();
20+
$node = $firstNode;
21+
for ($i = 0; $i < 30000; $i++) {
22+
$newNode = new Node();
23+
$node->next = $newNode;
24+
$node = $newNode;
25+
}
26+
27+
var_dump(json_encode($firstNode, depth: 500000));
28+
var_dump(json_last_error());
29+
var_dump(json_last_error_msg());
30+
31+
?>
32+
--EXPECT--
33+
bool(false)
34+
int(1)
35+
string(28) "Maximum stack depth exceeded"

0 commit comments

Comments
 (0)