#
# Description: fix denial of service via malformed string to the json_decode API function.
# Patch: http://cvs.php.net/viewvc.cgi/php-src/ext/json/JSON_parser.c?r1=1.1.2.14&r2=1.1.2.15
#
Index: php5-5.2.4/ext/json/JSON_parser.c
===================================================================
--- php5-5.2.4.orig/ext/json/JSON_parser.c	2007-06-13 13:56:41.000000000 -0400
+++ php5-5.2.4/ext/json/JSON_parser.c	2009-04-17 08:12:58.000000000 -0400
@@ -494,9 +494,7 @@
     }
 */
             case -7:
-                if (type != -1 &&
-                    (JSON(the_stack)[JSON(the_top)] == MODE_OBJECT ||
-                     JSON(the_stack)[JSON(the_top)] == MODE_ARRAY))
+                if (type != -1 && JSON(the_stack)[JSON(the_top)] == MODE_OBJECT)
                 {
                     zval *mval;
                     smart_str_0(&buf);
@@ -566,9 +564,7 @@
 */
             case -5:
             {
-                if (type != -1 &&
-                    (JSON(the_stack)[JSON(the_top)] == MODE_OBJECT ||
-                     JSON(the_stack)[JSON(the_top)] == MODE_ARRAY))
+                if (type != -1 && JSON(the_stack)[JSON(the_top)] == MODE_ARRAY)
                 {
                     zval *mval;
                     smart_str_0(&buf);
Index: php5-5.2.4/ext/json/tests/001.phpt
===================================================================
--- php5-5.2.4.orig/ext/json/tests/001.phpt	2009-04-17 08:13:05.000000000 -0400
+++ php5-5.2.4/ext/json/tests/001.phpt	2009-04-17 08:13:30.000000000 -0400
@@ -16,6 +16,7 @@
 var_dump(json_decode("руссиш"));
 var_dump(json_decode("blah"));
 var_dump(json_decode(NULL));
+var_dump(json_decode('[1}'));
 var_dump(json_decode('{ "test": { "foo": "bar" } }'));
 var_dump(json_decode('{ "test": { "foo": "" } }'));
 var_dump(json_decode('{ "": { "foo": "" } }'));
@@ -38,6 +39,7 @@
 string(12) "руссиш"
 string(4) "blah"
 NULL
+NULL
 object(stdClass)#1 (1) {
   ["test"]=>
   object(stdClass)#2 (1) {