PHP :: Bug #69792 :: Stack Overflow in JSON with JsonSerializable

Bug #69792	Stack Overflow in JSON with JsonSerializable
Submitted:	2015-06-10 12:44 UTC	Modified:	2017-04-30 15:26 UTC
From:	ryat@php.net	Assigned:
Status:	Wont fix	Package:	JSON related
PHP Version:	5.4.41	OS:	*
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	ryat@php.net
New email:
PHP Version:		OS:

New/Additional Comment:

[2015-06-10 12:44 UTC] ryat@php.net

Description:
------------
```
static void json_encode_serializable_object(smart_str *buf, zval *val, int options TSRMLS_DC) /* {{{ */
{
	...
	ZVAL_STRING(&fname, "jsonSerialize", 0);

	if (FAILURE == call_user_function_ex(EG(function_table), &val, &fname, &retval, 0, NULL, 1, NULL TSRMLS_CC) || !retval) {
		zend_throw_exception_ex(NULL, 0 TSRMLS_CC, "Failed calling %s::jsonSerialize()", ce->name);
		smart_str_appendl(buf, "null", sizeof("null") - 1);
		return;
    }
	...
	if ((Z_TYPE_P(retval) == IS_OBJECT) &&
		(Z_OBJ_HANDLE_P(retval) == Z_OBJ_HANDLE_P(val))) {
		/* Handle the case where jsonSerialize does: return $this; by going straight to encode array */
		json_encode_array(buf, &retval, options TSRMLS_CC);
	} else {
		/* All other types, encode as normal */
		php_json_encode(buf, retval, options TSRMLS_CC);
	}

	zval_ptr_dtor(&retval);
}
/* }}} */

PHP_JSON_API void php_json_encode(smart_str *buf, zval *val, int options TSRMLS_DC) /* {{{ */
{
	switch (Z_TYPE_P(val))
	{
		...
		case IS_OBJECT:
			if (instanceof_function(Z_OBJCE_P(val), php_json_serializable_ce TSRMLS_CC)) {
				json_encode_serializable_object(buf, val, options TSRMLS_CC);
				break;
			}
```

The following code should crash PHP:

```
class JsonTest implements JsonSerializable {
    public function jsonSerialize() {
		return new JsonTest;
//		$obj = new JsonTest;
//		return array($obj);
    }
}

$obj = new JsonTest;
json_encode($obj);
```

Patches

5.6series-patch (last revision 2015-06-10 12:44 UTC by ryat)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-06-10 13:38 UTC] cmb@php.net

Actually, this is a duplicate of bug #67265. This ticket had been
closed as "not a bug", but there has been some disagreement, so
I'm leaving this ticket open.

[2017-04-30 15:26 UTC] bukka@php.net

-Status: Open +Status: Wont fix

[2017-04-30 15:26 UTC] bukka@php.net

The proposed path won't work in PHP 7.1+ as it relies on shared global context that was changed to an independent context because it was causing other issues and it's usage in here is also incorrect as it's not a json depth but function call depth in this context. This is a general problem of recursion that is not specific to json but any recursive function. As such I don't think it should be specially addressed in here.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2023 The PHP Group All rights reserved.	Last updated: Fri Jun 09 17:03:35 2023 UTC