PHPC-1266: Empty deeply nested BSON document causes unallocated memory writes

derickr · derickr · commit 82de814be31f · 2018-09-07T13:04:07.000+01:00
diff --git a/src/bson.c b/src/bson.c
@@ -161,6 +161,8 @@ bool php_phongo_field_path_push(php_phongo_field_path* field_path, const char* e
 
 bool php_phongo_field_path_pop(php_phongo_field_path* field_path)
 {
+	php_phongo_field_path_ensure_allocation(field_path, field_path->size);
+
 	field_path->elements[field_path->size]      = NULL;
 	field_path->element_types[field_path->size] = PHONGO_FIELD_PATH_ITEM_NONE;
 
diff --git a/tests/bson/bug1266.phpt b/tests/bson/bug1266.phpt
@@ -0,0 +1,58 @@
+--TEST--
+Test for PHPC-1266: Empty deeply nested BSON document causes unallocated memory writes
+--FILE--
+<?php
+$a = <<<ENDJSON
+{
+    "value" : {     
+        "payload" : {
+            "PayloadMasterDataMeteringPointPartyEvent" : {
+                "MeteringPointPartyDetailMeteringPointPartyCharacteristic" : {
+                    "AdministrativePartyMPAdministrativeParty" : [
+                        {
+                            "AdministrativePartyAddressLocationAddress" : {
+                                "StreetCode" : {
+                                }
+                            }
+                        }
+                    ]
+                }
+            }
+        }
+    }
+}   
+ENDJSON;
+
+$bson = MongoDB\BSON\fromJSON($a);
+var_dump(MongoDB\BSON\toPHP($bson));
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECTF--
+object(stdClass)#%d (%d) {
+  ["value"]=>
+  object(stdClass)#%d (%d) {
+    ["payload"]=>
+    object(stdClass)#%d (%d) {
+      ["PayloadMasterDataMeteringPointPartyEvent"]=>
+      object(stdClass)#%d (%d) {
+        ["MeteringPointPartyDetailMeteringPointPartyCharacteristic"]=>
+        object(stdClass)#%d (%d) {
+          ["AdministrativePartyMPAdministrativeParty"]=>
+          array(%d) {
+            [0]=>
+            object(stdClass)#%d (%d) {
+              ["AdministrativePartyAddressLocationAddress"]=>
+              object(stdClass)#%d (%d) {
+                ["StreetCode"]=>
+                object(stdClass)#%d (%d) {
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
+===DONE===

Original file line number	Diff line number	Diff line change
`@@ -161,6 +161,8 @@ bool php_phongo_field_path_push(php_phongo_field_path* field_path, const char* e`
`161`	`161`
`162`	`162`	`bool php_phongo_field_path_pop(php_phongo_field_path* field_path)`
`163`	`163`	`{`
	`164`	`+ php_phongo_field_path_ensure_allocation(field_path, field_path->size);`
	`165`	`+`
`164`	`166`	`field_path->elements[field_path->size] = NULL;`
`165`	`167`	`field_path->element_types[field_path->size] = PHONGO_FIELD_PATH_ITEM_NONE;`
`166`	`168`