Fixed bug #77843

Author: nikic

NEWS

@@ -5,6 +5,9 @@ PHP                                                                        NEWS
 - FPM:
   . Fixed bug #77921 (static.php.net doesn't work anymore). (Peter Kokot)
 
+- JSON:
+  . Fixed bug #77843 (Use after free with json serializer). (Nikita)
+
 - Session:
   . Fixed bug #77911 (Wrong warning for session.sid_bits_per_character). (cmb)
 

ext/json/json_encoder.c

@@ -542,8 +542,16 @@ int php_json_encode_zval(smart_str *buf, zval *val, int options, php_json_encode
 				return php_json_encode_serializable_object(buf, val, options, encoder);
 			}
 			/* fallthrough -- Non-serializable object */
-		case IS_ARRAY:
-			return php_json_encode_array(buf, val, options, encoder);
+		case IS_ARRAY: {
+			/* Avoid modifications (and potential freeing) of the array through a reference when a
+			 * jsonSerialize() method is invoked. */
+			zval zv;
+			int res;
+			ZVAL_COPY(&zv, val);
+			res = php_json_encode_array(buf, &zv, options, encoder);
+			zval_ptr_dtor_nogc(&zv);
+			return res;
+		}
 
 		case IS_REFERENCE:
 			val = Z_REFVAL_P(val);

ext/json/tests/bug77843.phpt

@@ -0,0 +1,25 @@
+--TEST--
+Bug #77843: Use after free with json serializer
+--FILE--
+<?php
+
+class X implements JsonSerializable {
+    public $prop = "value";
+    public function jsonSerialize() {
+        global $arr;
+        unset($arr[0]);
+        var_dump($this);
+        return $this;
+    }
+}
+
+$arr = [new X()];
+var_dump(json_encode([&$arr]));
+
+?>
+--EXPECT--
+object(X)#1 (1) {
+  ["prop"]=>
+  string(5) "value"
+}
+string(20) "[[{"prop":"value"}]]"