From 08e886235a65efb58f2890066c003543f3182649 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo
Date: Sun, 9 Oct 2022 21:03:06 +0100
Subject: [PATCH] Fix json_validate double free in parser when discarding lookahead (#9696)
---
 ext/json/json_parser.y | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/ext/json/json_parser.y b/ext/json/json_parser.y
index d88b6299983..4727280f549 100644
--- a/ext/json/json_parser.y
+++ b/ext/json/json_parser.y
@@ -280,13 +280,17 @@ static int php_json_parser_object_update_validate(php_json_parser *parser, zval
 static int php_json_yylex(union YYSTYPE *value, php_json_parser *parser)
 {
 int token = php_json_scan(&parser->scanner);
- value->value = parser->scanner.value;
- if (parser->methods.array_create == php_json_parser_array_create_validate
+ bool validate = parser->methods.array_create == php_json_parser_array_create_validate
 && parser->methods.array_append == php_json_parser_array_append_validate
 && parser->methods.object_create == php_json_parser_object_create_validate
- && parser->methods.object_update == php_json_parser_object_update_validate) {
+ && parser->methods.object_update == php_json_parser_object_update_validate;
+
+ if (validate) {
 zval_ptr_dtor_str(&(parser->scanner.value));
+ ZVAL_UNDEF(&value->value);
+ } else {
+ value->value = parser->scanner.value;
 }
 return token;
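Review bot: In the validate branch, `zval_ptr_dtor_str(&(parser->scanner.value))` releases the string but leaves `parser->scanner.value` still typed as a string and pointing at it, so this path is only safe if `php_json_scan()` re-initialises that zval before every token, which this hunk does not show. If nothing reads the scanner value afterwards, adding `ZVAL_UNDEF(&parser->scanner.value);` directly after the dtor would keep the ownership hand-off local instead of depending on scanner internals. A comment above `ZVAL_UNDEF(&value->value);` such as `/* validate mode keeps no values: leave the semantic value undefined so that discarding a lookahead token cannot release the string a second time */` would record why the two branches differ. The diffstat lists only `ext/json/json_parser.y`, so a regression test covering the discarded-lookahead case appears to be missing from this commit. The body of `php_json_yylex` ends outside the hunk.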