Commit c74b258
Keep the object alive across jsonSerialize() in json_encode() (#22469)
php_json_encode_serializable_object() holds a raw pointer to the object
across the jsonSerialize() call, then reads its recursion guard and
compares the returned value's identity against it. A user error handler
triggered from jsonSerialize() can drop the last reference to the object,
for example by nulling a reference that aliases the encoded array slot,
freeing it before those reads and causing a use-after-free.
Hold a reference on the object across the call. The array path already
guards against this with a ZVAL_COPY; the JsonSerializable object path
did not. Same use-after-free class as GH-21024 in var_dump().

1 parent 10f1d04 commit c74b258
2 files changed
Lines changed: 28 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
577 | 577 | | |
578 | 578 | | |
579 | 579 | | |
| 580 | + | |
| 581 | + | |
| 582 | + | |
| 583 | + | |
| 584 | + | |
580 | 585 | | |
581 | 586 | | |
582 | 587 | | |
| |||
586 | 591 | | |
587 | 592 | | |
588 | 593 | | |
| 594 | + | |
589 | 595 | | |
590 | 596 | | |
591 | 597 | | |
| |||
600 | 606 | | |
601 | 607 | | |
602 | 608 | | |
| 609 | + | |
603 | 610 | | |
604 | 611 | | |
605 | 612 | | |
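Review bot: the additions in this file land in three places (a five-line block at 580-584, then single lines at 594 and 609), which is consistent with taking the reference on the object before the jsonSerialize() call and releasing it on each of two exit paths; confirm that no other return path between the acquire and the two releases skips the release, otherwise the fix trades the use-after-free for a leaked object. It would also help to spell out in the commit message which of the two existing guards (the ZVAL_COPY used on the array path, or a plain addref/release pair) this path now uses, so the two code paths can be kept consistent.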
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
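Review bot: this 21-line file is entirely new but neither its path nor its purpose is mentioned in the commit message; if it is the regression test for the scenario described there (a user error handler that drops the last reference to the object during jsonSerialize()), say so in the message and make sure the test actually goes through that trigger, i.e. the error handler nulls the aliasing reference while json_encode() is still inside jsonSerialize(), so that the test fails on the unfixed code rather than only exercising the happy path.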
0 commit comments