Skip to content

Commit c74b258

Browse files
authored
Keep the object alive across jsonSerialize() in json_encode() (#22469)
php_json_encode_serializable_object() holds a raw pointer to the object across the jsonSerialize() call, then reads its recursion guard and compares the returned value's identity against it. A user error handler triggered from jsonSerialize() can drop the last reference to the object, for example by nulling a reference that aliases the encoded array slot, freeing it before those reads and causing a use-after-free. Hold a reference on the object across the call. The array path already guards against this with a ZVAL_COPY; the JsonSerializable object path did not. Same use-after-free class as GH-21024 in var_dump().
1 parent 10f1d04 commit c74b258

2 files changed

Lines changed: 28 additions & 0 deletions

File tree

ext/json/json_encoder.c

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -577,6 +577,11 @@ static zend_result php_json_encode_serializable_object(smart_str *buf, zend_obje
577577

578578
ZEND_GUARD_PROTECT_RECURSION(guard, JSON);
579579

580+
/* jsonSerialize() may drop the last reference to the object, e.g. by
581+
* nulling a reference that aliases the encoded array slot; keep it alive
582+
* so the recursion guard and the identity check below stay valid. */
583+
GC_ADDREF(obj);
584+
580585
zend_function *json_serialize_method = zend_hash_str_find_ptr(&ce->function_table, ZEND_STRL("jsonserialize"));
581586
ZEND_ASSERT(json_serialize_method != NULL && "This should be guaranteed prior to calling this function");
582587
zend_call_known_function(json_serialize_method, obj, ce, &retval, 0, NULL, NULL);
@@ -586,6 +591,7 @@ static zend_result php_json_encode_serializable_object(smart_str *buf, zend_obje
586591
smart_str_appendl(buf, "null", 4);
587592
}
588593
ZEND_GUARD_UNPROTECT_RECURSION(guard, JSON);
594+
OBJ_RELEASE(obj);
589595
return FAILURE;
590596
}
591597

@@ -600,6 +606,7 @@ static zend_result php_json_encode_serializable_object(smart_str *buf, zend_obje
600606
}
601607

602608
zval_ptr_dtor(&retval);
609+
OBJ_RELEASE(obj);
603610

604611
return return_code;
605612
}

ext/json/tests/gh21024.phpt

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,21 @@
1+
--TEST--
2+
GH-21024 (UAF in json_encode() when jsonSerialize() frees the object)
3+
--EXTENSIONS--
4+
json
5+
--FILE--
6+
<?php
7+
class Bar implements JsonSerializable {
8+
public function jsonSerialize(): mixed {
9+
global $ref;
10+
$ref = null;
11+
return ['k' => 1];
12+
}
13+
}
14+
$arr = [new Bar];
15+
$ref = &$arr[0];
16+
var_dump(json_encode($arr));
17+
echo "survived\n";
18+
?>
19+
--EXPECT--
20+
string(9) "[{"k":1}]"
21+
survived

0 commit comments

Comments
 (0)