stack overflow in json_encode() #15168

YuanchengJiang · 2024-07-30T11:53:57Z

Description

The following code:

<?php
  
class Node
{
    /** @var Node */
    public $previous;
    /** @var Node */
    public $next;
}
$firstNode = new Node();
$firstNode->previous = $firstNode;
$firstNode->next = $firstNode;
$circularDoublyLinkedList = $firstNode;
for ($i = 0; $i < 200000; $i++) {
    $currentNode = $circularDoublyLinkedList;
    $nextNode = $circularDoublyLinkedList->next;
    $newNode = new Node();
    $newNode->previous = $currentNode;
    $currentNode->next = $newNode;
    $newNode->next = $nextNode;
    $nextNode->previous = $newNode;
    $circularDoublyLinkedList = $nextNode;
}
$random_var=$GLOBALS[array_rand($GLOBALS)];
json_encode($circularDoublyLinkedList);
?>

Resulted in this output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==785404==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe577a9eb8 (pc 0x7f8c68704379 bp 0x7ffe577aa750 sp 0x7ffe577a9ec0 T0)
    #0 0x7f8c68704378 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
    #1 0x564774053b9d in smart_str_appendl_ex /php-src/Zend/zend_smart_str.h:130
    #2 0x564774053f42 in smart_str_appendl /php-src/Zend/zend_smart_str.h:168
    #3 0x56477405967f in php_json_escape_string /php-src/ext/json/json_encoder.c:365
    #4 0x564774055dfc in php_json_encode_array /php-src/ext/json/json_encoder.c:167
    #5 0x56477405d61d in php_json_encode_zval /php-src/ext/json/json_encoder.c:656
    #6 0x564774056115 in php_json_encode_array /php-src/ext/json/json_encoder.c:178
    #7 0x56477405d61d in php_json_encode_zval /php-src/ext/json/json_encoder.c:656
    #8 0x564774056115 in php_json_encode_array /php-src/ext/json/json_encoder.c:178
   ...
    #247 0x56477405d61d in php_json_encode_zval /php-src/ext/json/json_encoder.c:656
    #248 0x564774056115 in php_json_encode_array /php-src/ext/json/json_encoder.c:178

SUMMARY: AddressSanitizer: stack-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790 in __interceptor_memcpy
==785404==ABORTING

PHP Version

PHP 8.4.0-dev

Operating System

ubuntu 22.04

The text was updated successfully, but these errors were encountered:

devnexen · 2024-07-30T12:08:31Z

can be reproduced with php 8.2

arnaud-lb · 2024-07-30T12:44:41Z

Related / similar: #15169

OlivierKessler01 · 2024-08-26T13:23:06Z

@arnaud-lb

I don't know how that can help you, but I reproduce both bugs in PHP v7

json_encode() and serialize() don't work the same on cyclic directed graphs, json_encode() simply returns False, while serialize() handles recursion. I guess userspace would not be broken by making json_encode() return False before even completing a cycle.

Here is illustrating my point :

<?php

class Node
{
    /** @var Node */
    public $previous;
    /** @var Node */
    public $next;
}
$firstNode = new Node();
$firstNode->previous = $firstNode;
$firstNode->next = $firstNode;

$circularDoublyLinkedList = $firstNode;
$ser = serialize($circularDoublyLinkedList);
$jser = json_encode($circularDoublyLinkedList);
var_dump($jser); //bool(false) 
var_dump($ser); //string(49) "O:4:"Node":2:{s:8:"previous";r:1;s:4:"next";r:1;}"
?>

The JSON encoder is recursive, and it's far from easy to make it iterative. Add a cheap stack limit check to prevent a segfault. This uses the PHP_JSON_ERROR_DEPTH error code that already talks about the stack depth. Previously this was only used for the $depth argument.

* PHP-8.3: Fix GH-15168: stack overflow in json_encode()

* PHP-8.4: Fix GH-15168: stack overflow in json_encode()

The JSON encoder is recursive, and it's far from easy to make it iterative. Add a cheap stack limit check to prevent a segfault. This uses the PHP_JSON_ERROR_DEPTH error code that already talks about the stack depth. Previously this was only used for the $depth argument. Closes phpGH-16059.

andypost · 2024-10-21T13:01:20Z

somehow Alpinelinux s390x builder been stuck after this change so filed #16528

YuanchengJiang added Bug Status: Needs Triage labels Jul 30, 2024

devnexen added Status: Verified Extension: json labels Jul 30, 2024

cmb69 removed the Status: Needs Triage label Aug 2, 2024

nielsdos linked a pull request Sep 25, 2024 that will close this issue

Fix GH-15168: stack overflow in json_encode() #16059

Closed

nielsdos added a commit that referenced this issue Sep 30, 2024

Merge branch 'PHP-8.3' into PHP-8.4

95d691a

* PHP-8.3: Fix GH-15168: stack overflow in json_encode()

nielsdos closed this as completed in a551b99 Sep 30, 2024

nielsdos added a commit that referenced this issue Sep 30, 2024

Merge branch 'PHP-8.4'

494aa65

* PHP-8.4: Fix GH-15168: stack overflow in json_encode()

andypost mentioned this issue Oct 21, 2024

2 tests fail on Alpinelinux s390x #16528

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

stack overflow in json_encode() #15168

stack overflow in json_encode() #15168

YuanchengJiang commented Jul 30, 2024

devnexen commented Jul 30, 2024

arnaud-lb commented Jul 30, 2024

OlivierKessler01 commented Aug 26, 2024 •

edited

Loading

andypost commented Oct 21, 2024

stack overflow in json_encode() #15168

stack overflow in json_encode() #15168

Comments

YuanchengJiang commented Jul 30, 2024

Description

PHP Version

Operating System

devnexen commented Jul 30, 2024

arnaud-lb commented Jul 30, 2024

OlivierKessler01 commented Aug 26, 2024 • edited Loading

andypost commented Oct 21, 2024

OlivierKessler01 commented Aug 26, 2024 •

edited

Loading