Fix json_validate double free in parser when discarding lookahead (#9696)

2025-08-15 21:48:51 +02:00 · 2022-10-09 21:03:06 +01:00 · 2022-10-09 21:03:06 +01:00 · 08e886235a
commit 08e886235a
parent 3e9fcb5a9e
1 changed files with 7 additions and 3 deletions
--- a/ext/json/json_parser.y
+++ b/ext/json/json_parser.y
@ -280,13 +280,17 @@ static int php_json_parser_object_update_validate(php_json_parser *parser, zval
 static int php_json_yylex(union YYSTYPE *value, php_json_parser *parser)
 {
 	int token = php_json_scan(&parser->scanner);
-	value->value = parser->scanner.value;

-	if (parser->methods.array_create == php_json_parser_array_create_validate
+	bool validate = parser->methods.array_create == php_json_parser_array_create_validate
 		&& parser->methods.array_append == php_json_parser_array_append_validate
 		&& parser->methods.object_create == php_json_parser_object_create_validate
-		&& parser->methods.object_update == php_json_parser_object_update_validate) {
+		&& parser->methods.object_update == php_json_parser_object_update_validate;
+
+	if (validate) {
 		zval_ptr_dtor_str(&(parser->scanner.value));
+		ZVAL_UNDEF(&value->value);
+	} else {
+		value->value = parser->scanner.value;
 	}

 	return token;