From a9ba407ce16809a2a70724bcd481b64ba8bd550b Mon Sep 17 00:00:00 2001
From: Rasmus Lerdorf
Date: Sun, 22 Feb 2015 08:14:41 -0800
Subject: [PATCH 1/3] Fix bug #68166 We can't always efree here php_escape_html_entities can return an interned_empty_string
---
 main/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main/main.c b/main/main.c
index 5e564003fec..733786e447f 100644
--- a/main/main.c
+++ b/main/main.c
@@ -1087,7 +1087,7 @@ static void php_error_cb(int type, const char *error_filename, const uint error_
 size_t len;
 char *buf = php_escape_html_entities(buffer, buffer_len, &len, 0, ENT_COMPAT, NULL TSRMLS_CC);
 php_printf("%s
\n%s: %s in %s on line %d
\n%s", STR_PRINT(prepend_string), error_type_str, buf, error_filename, error_lineno, STR_PRINT(append_string));
- efree(buf);
+ str_efree(buf);
 } else {
 php_printf("%s
\n%s: %s in %s on line %d
\n%s", STR_PRINT(prepend_string), error_type_str, buffer, error_filename, error_lineno, STR_PRINT(append_string));
 }
From 7ea5b3f71cb7291f88659ecf810916c34b1b6f4a Mon Sep 17 00:00:00 2001
From: Rasmus Lerdorf
Date: Sun, 22 Feb 2015 08:32:32 -0800
Subject: [PATCH 2/3] NEWS entry
---
 NEWS | 1 +
 1 file changed, 1 insertion(+)
diff --git a/NEWS b/NEWS
index 84a5d2ae7c9..a4f98ff3fef 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,7 @@ PHP NEWS defined in class scope). (Laruence) . Fixed bug #68986 (pointer returned by php_stream_fopen_temporary_file not validated in memory.c). (nayana at ddproperty dot com) + . Fixed bug #68166 (Exception with invalid character causes segv) (Rasmus) - cURL: . Fixed bug #69088 (PHP_MINIT_FUNCTION does not fully initialize cURL on
From 591dbcabe57a32550fb73223521fa1323773628f Mon Sep 17 00:00:00 2001
From: Jakub Zelenka
Date: Sun, 22 Feb 2015 20:22:47 +0000
Subject: [PATCH 3/3] Fix bug #64695 (JSON_NUMERIC_CHECK has issues with strings that are numbers plus the letter e)
---
 NEWS | 2 ++
 ext/json/json.c | 18 +++++++-----------
 ext/json/tests/bug64695.phpt | 14 ++++++++++++++
 3 files changed, 23 insertions(+), 11 deletions(-)
 create mode 100644 ext/json/tests/bug64695.phpt
diff --git a/NEWS b/NEWS
index a4f98ff3fef..fa8ce9d774e 100644
--- a/NEWS
+++ b/NEWS
@@ -630,6 +630,8 @@ PHP NEWS - JSON: . Fixed bug #66021 (Blank line inside empty array/object when JSON_PRETTY_PRINT is set). (Kevin Israel) + . Fixed bug #64695 (JSON_NUMERIC_CHECK has issues with strings that are + numbers plus the letter e). (Jakub Zelenka) - LDAP: . Fixed issue with null bytes in LDAP bindings. (Matthew Daley)
diff --git a/ext/json/json.c b/ext/json/json.c
index 5b71eb06f6e..16af7961459 100644
--- a/ext/json/json.c
+++ b/ext/json/json.c
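Review bot: In main/main.c (php_error_cb), when php_escape_html_entities() returns the interned empty string the php_printf() just above the changed line still prints an empty message, so the crash is fixed but the error text is lost in this branch. Going by the commit message and the NEWS entry this happens when the message contains an invalid character; consider retrying the escape with a substituting flag (for example `ENT_COMPAT | ENT_HTML_SUBSTITUTE_ERRORS`, if that constant is available on this branch) when `len` comes back 0 for a non-empty `buffer`. A short comment above the call, such as `/* may return the interned empty string: release with str_efree(), never efree() */`, would keep a later cleanup from reintroducing the invalid free. Any other caller that passes the result of php_escape_html_entities() to efree() is outside this hunk and would need the same check; php_error_cb itself starts and ends outside the hunk.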
@@ -418,18 +418,14 @@ static void json_escape_string(smart_str *buf, char *s, int len, int options TSR
 if ((type = is_numeric_string(s, len, &p, &d, 0)) != 0) {
 if (type == IS_LONG) {
 smart_str_append_long(buf, p);
- } else if (type == IS_DOUBLE) {
- if (!zend_isinf(d) && !zend_isnan(d)) {
- char *tmp;
- int l = spprintf(&tmp, 0, "%.*k", (int) EG(precision), d);
- smart_str_appendl(buf, tmp, l);
- efree(tmp);
- } else {
- JSON_G(error_code) = PHP_JSON_ERROR_INF_OR_NAN;
- smart_str_appendc(buf, '0');
- }
+ return;
+ } else if (type == IS_DOUBLE && !zend_isinf(d) && !zend_isnan(d)) {
+ char *tmp;
+ int l = spprintf(&tmp, 0, "%.*k", (int) EG(precision), d);
+ smart_str_appendl(buf, tmp, l);
+ efree(tmp);
+ return;
 }
- return;
 }
 }
diff --git a/ext/json/tests/bug64695.phpt b/ext/json/tests/bug64695.phpt
new file mode 100644
index 00000000000..899259f4b48
--- /dev/null
+++ b/ext/json/tests/bug64695.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #64695 JSON_NUMERIC_CHECK has issues with strings that are numbers plus the letter e
+--SKIPIF--
+
+--FILE--
+ '123343e871700');
+var_dump(json_encode($t, JSON_NUMERIC_CHECK));
+
+echo "Done\n";
+?>
+--EXPECT--
+string(24) "{"test":"123343e871700"}"
+Done
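Review bot: In ext/json/json.c (json_escape_string), the handling of a numeric string that parses to INF or NAN is now implicit: neither branch returns, so control leaves the `is_numeric_string` block and presumably reaches the ordinary string-escaping code that follows the hunk. Say so at the fall-through point, e.g. `/* non-finite double: fall through and encode as a plain string */` before the closing brace of the inner `if`. `PHP_JSON_ERROR_INF_OR_NAN` is also no longer set on this path, which is a visible change for callers that check json_last_error() and deserves a line in the commit message. The new bug64695.phpt covers only a positive overflow; a constructed negative case such as `'-123343e871700'` would pin the other sign. The function body starts and ends outside the hunk.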