Fix a buffer-overrun in SimpleParser
Summary: In the failure case, we might have already consumed the entire string.

Reviewed By: binliu19, ottoni

Differential Revision: D19610775

fbshipit-source-id: d387df15994a310f5a31cfbb5fa11679997f7ae7
Mark Williams authored and facebook-github-bot committed Feb 20, 2020
1 parent dabd48c commit bd58667
Showing 3 changed files with 4 additions and 2 deletions.
4 changes: 2 additions & 2 deletions hphp/runtime/ext/json/JSON_parser.cpp
Expand Up @@ -342,8 +342,8 @@ struct SimpleParser {
JSONContainerType container_type, bool is_tsimplejson) {
SimpleParser parser(inp, length, buf, container_type, is_tsimplejson);
bool ok = parser.parseValue();
parser.skipSpace();
if (!ok || parser.p != inp + length) {
if (!ok ||
(parser.skipSpace(), parser.p != inp + length)) {
// Unsupported, malformed, or trailing garbage. Release entire stack.
tvDecRefRange(buf, parser.top);
return false;
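Review bot: In the new condition `(parser.skipSpace(), parser.p != inp + length)`, the fix depends on `||` short-circuiting ahead of a comma-operator side effect, and nothing in the code says why. A later cleanup could easily hoist `skipSpace()` back out and reintroduce the overrun. Add a comment stating that `skipSpace()` must not run after a failed `parseValue()` because `p` may already be at the end of the input, or split the condition into two explicit checks (`if (!ok) { ... }`, then `skipSpace()` and the trailing-garbage test). The visible lines do not show whether `skipSpace()` checks bounds itself. If it does not, guarding it there would also protect any other caller.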
1 change: 1 addition & 0 deletions hphp/test/slow/ext_json/decode_crash.php
@@ -1,3 +1,4 @@
<?hh

var_dump(json_decode('"a"', false, 0, 0));
var_dump(json_decode('"abc', true, 1000, 0));
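Review bot: The only regression case here is the unterminated string `'"abc'`, so just one way of reaching the failure path with the input fully consumed is covered. Consider adding other truncated inputs (for example an unterminated array or object, or a string ending in a backslash) so every failure exit from `parseValue()` goes through the guarded check. An out-of-bounds read does not necessarily crash or change the output, so the test is only a reliable guard if it runs under a sanitizer build. A comment in the test naming the revision would also help future readers understand why the case exists.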
1 change: 1 addition & 0 deletions hphp/test/slow/ext_json/decode_crash.php.expect
@@ -1 +1,2 @@
NULL
NULL
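Review bot: Both expected lines are `NULL`, so the output cannot distinguish a cleanly rejected malformed input from any other path that returns null. Dumping `json_last_error()` after the second call in the test and recording it here would pin down that the input is rejected as a syntax error rather than merely yielding `NULL`.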
