From b3679121bb3c7017ff04b4c08402ffff5cf59b13 Mon Sep 17 00:00:00 2001
From: Mark Williams
Date: Thu, 20 Feb 2020 15:41:33 -0800
Subject: [PATCH] Fix buffer overrun in SimpleParser::handleBackslash

Summary: It read 4 chars, then checked for validity, but any of them could have been the end of the string, so check after each one instead.

Reviewed By: oulgen

Differential Revision: D19611163

fbshipit-source-id: 3da0a39555cb85a93f4fd98048368f17cf37e2e4
---
hphp/runtime/ext/json/JSON_parser.cpp | 7 ++++---
hphp/test/slow/ext_json/decode_crash.php | 1 +
hphp/test/slow/ext_json/decode_crash.php.expect | 1 +
3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/hphp/runtime/ext/json/JSON_parser.cpp b/hphp/runtime/ext/json/JSON_parser.cpp
index b8d52359368d4..f6bfbf696fcb0 100644
--- a/hphp/runtime/ext/json/JSON_parser.cpp
+++ b/hphp/runtime/ext/json/JSON_parser.cpp
@@ -453,12 +453,13 @@ struct SimpleParser {
 case 'u': {
 if (UNLIKELY(is_tsimplejson)) {
 auto const ch1 = *p++;
+ if (UNLIKELY(ch1 != '0')) return false;
 auto const ch2 = *p++;
+ if (UNLIKELY(ch2 != '0')) return false;
 auto const dch3 = dehexchar(*p++);
+ if (UNLIKELY(dch3 < 0)) return false;
 auto const dch4 = dehexchar(*p++);
- if (UNLIKELY(ch1 != '0' || ch2 != '0' || dch3 < 0 || dch4 < 0)) {
- return false;
- }
+ if (UNLIKELY(dch4 < 0)) return false;
 out = (dch3 << 4) | dch4;
 return true;
 } else {
diff --git a/hphp/test/slow/ext_json/decode_crash.php b/hphp/test/slow/ext_json/decode_crash.php
index 003b886b2f423..4d7f4c20d2142 100644
--- a/hphp/test/slow/ext_json/decode_crash.php
+++ b/hphp/test/slow/ext_json/decode_crash.php
@@ -2,3 +2,4 @@
 var_dump(json_decode('"a"', false, 0, 0));
 var_dump(json_decode('"abc', true, 1000, 0));
+var_dump(json_decode('"\\u', true, 1000, 17180393472));
diff --git a/hphp/test/slow/ext_json/decode_crash.php.expect b/hphp/test/slow/ext_json/decode_crash.php.expect
index e2a4ea7d26ca5..00a53d981aaac 100644
--- a/hphp/test/slow/ext_json/decode_crash.php.expect
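Review bot: The fix relies on an invariant the hunk never states — that validating each byte before the next `*p++` is what stops the scan at a terminating NUL (or any other non-matching byte) instead of running past the end of the input; a comment above `auto const ch1 = *p++;` such as `// Check each byte before reading the next: a NUL terminator or any non-hex byte fails here, so the scan never reads past the end of the input.` would record why the four checks must stay interleaved with the reads. Note that on every early `return false` `p` has already been advanced past the byte that failed, possibly past the terminator; whether any caller keeps reading from `p` after a false return is not visible here and is worth confirming. The `else` branch that opens on the hunk's last line, presumably the non-tsimplejson `\u` path, continues outside the hunk; if it has the same read-four-then-validate shape it needs the same treatment. The enclosing handleBackslash starts before the hunk and ends after it.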
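Review bot: The options literal `17180393472` in the added `json_decode` call gives no hint which decoder flag it turns on, so a reader cannot tell that this line exercises the path the C++ change fixes; a trailing comment naming the flag (presumably the one that selects the tsimplejson branch of handleBackslash — confirm against the option definitions) would make the regression's purpose self-evident.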
+++ b/hphp/test/slow/ext_json/decode_crash.php.expect
@@ -1,2 +1,3 @@
 NULL
 NULL
+NULL