Fix buffer overrun in SimpleParser::handleBackslash

Summary: It read 4 chars, then checked for validity, but any of them could have been the end of the string, so check after each one instead. Reviewed By: oulgen Differential Revision: D19611163 fbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4
facebook · Feb 20, 2020 · b367912 · b367912
1 parent bd58667
commit b367912
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 3 deletions.
diff --git a/hphp/runtime/ext/json/JSON_parser.cpp b/hphp/runtime/ext/json/JSON_parser.cpp
@@ -453,12 +453,13 @@ struct SimpleParser {
       case 'u': {
         if (UNLIKELY(is_tsimplejson)) {
           auto const ch1 = *p++;
+          if (UNLIKELY(ch1 != '0')) return false;
           auto const ch2 = *p++;
+          if (UNLIKELY(ch2 != '0')) return false;
           auto const dch3 = dehexchar(*p++);
+          if (UNLIKELY(dch3 < 0)) return false;
           auto const dch4 = dehexchar(*p++);
-          if (UNLIKELY(ch1 != '0' || ch2 != '0' || dch3 < 0 || dch4 < 0)) {
-            return false;
-          }
+          if (UNLIKELY(dch4 < 0)) return false;
           out = (dch3 << 4) | dch4;
           return true;
         } else {

diff --git a/hphp/test/slow/ext_json/decode_crash.php b/hphp/test/slow/ext_json/decode_crash.php
@@ -2,3 +2,4 @@
 
 var_dump(json_decode('"a"', false, 0, 0));
 var_dump(json_decode('"abc', true, 1000, 0));
+var_dump(json_decode('"\\u', true, 1000, 17180393472));
diff --git a/hphp/test/slow/ext_json/decode_crash.php.expect b/hphp/test/slow/ext_json/decode_crash.php.expect
@@ -1,2 +1,3 @@
 NULL
 NULL
+NULL