1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
|
#
# Description: fix denial of service via malformed string to the json_decode API function.
# Patch: http://cvs.php.net/viewvc.cgi/php-src/ext/json/JSON_parser.c?r1=1.1.2.14&r2=1.1.2.15
#
Index: php5-5.2.4/ext/json/JSON_parser.c
===================================================================
--- php5-5.2.4.orig/ext/json/JSON_parser.c 2007-06-13 13:56:41.000000000 -0400
+++ php5-5.2.4/ext/json/JSON_parser.c 2009-04-17 08:12:58.000000000 -0400
@@ -494,9 +494,7 @@
}
*/
case -7:
- if (type != -1 &&
- (JSON(the_stack)[JSON(the_top)] == MODE_OBJECT ||
- JSON(the_stack)[JSON(the_top)] == MODE_ARRAY))
+ if (type != -1 && JSON(the_stack)[JSON(the_top)] == MODE_OBJECT)
{
zval *mval;
smart_str_0(&buf);
@@ -566,9 +564,7 @@
*/
case -5:
{
- if (type != -1 &&
- (JSON(the_stack)[JSON(the_top)] == MODE_OBJECT ||
- JSON(the_stack)[JSON(the_top)] == MODE_ARRAY))
+ if (type != -1 && JSON(the_stack)[JSON(the_top)] == MODE_ARRAY)
{
zval *mval;
smart_str_0(&buf);
Index: php5-5.2.4/ext/json/tests/001.phpt
===================================================================
--- php5-5.2.4.orig/ext/json/tests/001.phpt 2009-04-17 08:13:05.000000000 -0400
+++ php5-5.2.4/ext/json/tests/001.phpt 2009-04-17 08:13:30.000000000 -0400
@@ -16,6 +16,7 @@
var_dump(json_decode("руссиш"));
var_dump(json_decode("blah"));
var_dump(json_decode(NULL));
+var_dump(json_decode('[1}'));
var_dump(json_decode('{ "test": { "foo": "bar" } }'));
var_dump(json_decode('{ "test": { "foo": "" } }'));
var_dump(json_decode('{ "": { "foo": "" } }'));
@@ -38,6 +39,7 @@
string(12) "руссиш"
string(4) "blah"
NULL
+NULL
object(stdClass)#1 (1) {
["test"]=>
object(stdClass)#2 (1) {
|
