Fix a json_decode crash when depth==0
Summary:
Setting depth=0 is an error, and should result in NULL, but we weren't
checking for it, so in the case of a single, top-level string, we
would be reading the -1th element of the stack.

Differential Revision: D19609959

fbshipit-source-id: 04ca1e0965e04b44df2d5c806a73c3da99ff66fb
Mark Williams authored and facebook-github-bot committed Feb 20, 2020
1 parent db8bdb9 commit dabd48c
Showing 3 changed files with 8 additions and 0 deletions.
4 changes: 4 additions & 0 deletions hphp/runtime/ext/json/JSON_parser.cpp
Expand Up @@ -1148,6 +1148,10 @@ bool JSON_parser(Variant &z, const char *p, int length, bool const assoc,
// they exceed kMaxPersistentStringBufferCapacity at exit or if the thread
// is explicitly flushed (e.g., due to being idle).
json->initSb(length);
if (depth <= 0) {
json->error_code = json_error_codes::JSON_ERROR_DEPTH;
return false;
}
SCOPE_EXIT {
constexpr int kMaxPersistentStringBufferCapacity = 256 * 1024;
if (json->sb_cap > kMaxPersistentStringBufferCapacity) json->flushSb();
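Review bot: The early return sits between `json->initSb(length)` and the `SCOPE_EXIT` block, so on the `depth <= 0` path `initSb(length)` has already run and the `kMaxPersistentStringBufferCapacity` check that would call `flushSb()` is never reached. Consider moving the `if (depth <= 0)` check above `json->initSb(length)`, so a rejected call does no buffer work, or below the `SCOPE_EXIT`, so it always reaches the cleanup. A one-line comment noting that a depth of 0 would otherwise lead to reading the -1th stack element would also help whoever touches this next.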
3 changes: 3 additions & 0 deletions hphp/test/slow/ext_json/decode_crash.php
@@ -0,0 +1,3 @@
<?hh

var_dump(json_decode('"a"', false, 0, 0));
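Review bot: The single call `json_decode('"a"', false, 0, 0)` checks only the NULL return for depth 0, while the fix also sets `JSON_ERROR_DEPTH` and rejects negative values through `depth <= 0`, and neither is exercised. Consider adding a `var_dump(json_last_error());` line after the decode and a second call with a negative depth, so the expect file pins down the error code and both sides of the boundary.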
1 change: 1 addition & 0 deletions hphp/test/slow/ext_json/decode_crash.php.expect
@@ -0,0 +1 @@
NULL
