stack overflow in json_encode() #15168

@YuanchengJiang

Description

The following code:

<?php

class Node
{
    /** @var Node */
    public $previous;
    /** @var Node */
    public $next;
}

// Start with a one-node ring that points to itself in both directions.
$firstNode = new Node();
$firstNode->previous = $firstNode;
$firstNode->next = $firstNode;
$circularDoublyLinkedList = $firstNode;

// Each iteration splices a new node in after the current one and advances,
// so the ring ends up holding 200001 distinct Node objects.
for ($i = 0; $i < 200000; $i++) {
    $currentNode = $circularDoublyLinkedList;
    $nextNode = $circularDoublyLinkedList->next;
    $newNode = new Node();
    $newNode->previous = $currentNode;
    $currentNode->next = $newNode;
    $newNode->next = $nextNode;
    $nextNode->previous = $newNode;
    $circularDoublyLinkedList = $nextNode;
}
$random_var = $GLOBALS[array_rand($GLOBALS)];

// Encoding follows previous/next through the distinct nodes of the ring,
// recursing one level per node; this is where the stack overflow occurs.
json_encode($circularDoublyLinkedList);
?>

Resulted in this output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==785404==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe577a9eb8 (pc 0x7f8c68704379 bp 0x7ffe577aa750 sp 0x7ffe577a9ec0 T0)
    #0 0x7f8c68704378 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
    #1 0x564774053b9d in smart_str_appendl_ex /php-src/Zend/zend_smart_str.h:130
    #2 0x564774053f42 in smart_str_appendl /php-src/Zend/zend_smart_str.h:168
    #3 0x56477405967f in php_json_escape_string /php-src/ext/json/json_encoder.c:365
    #4 0x564774055dfc in php_json_encode_array /php-src/ext/json/json_encoder.c:167
    #5 0x56477405d61d in php_json_encode_zval /php-src/ext/json/json_encoder.c:656
    #6 0x564774056115 in php_json_encode_array /php-src/ext/json/json_encoder.c:178
    #7 0x56477405d61d in php_json_encode_zval /php-src/ext/json/json_encoder.c:656
    #8 0x564774056115 in php_json_encode_array /php-src/ext/json/json_encoder.c:178
   ...
    #247 0x56477405d61d in php_json_encode_zval /php-src/ext/json/json_encoder.c:656
    #248 0x564774056115 in php_json_encode_array /php-src/ext/json/json_encoder.c:178

SUMMARY: AddressSanitizer: stack-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790 in __interceptor_memcpy
==785404==ABORTING

PHP Version

PHP 8.4.0-dev

Operating System

ubuntu 22.04
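The trace above is the encoder recursing once per node through a ring of distinct objects. A defensive pre-check that bounds how deep a value graph may be before json_encode() ever sees it is shown here as an added example; it is not code from the issue or from php-src, jsonEncodeBounded is an assumed helper name, and it assumes plain objects rather than JsonSerializable ones.

```php
<?php
declare(strict_types=1);

// Added example (not from the issue or php-src); jsonEncodeBounded is an assumed name.
// Walks the value graph with an explicit stack instead of PHP recursion, so the
// check itself cannot exhaust the native stack, and refuses to call json_encode()
// when nesting exceeds $maxDepth or an object is reached a second time.
function jsonEncodeBounded(mixed $value, int $maxDepth = 64, int $flags = 0): string
{
    $stack = [[$value, 1]];   // (node, depth) pairs still to inspect
    $seen  = [];              // spl_object_id() => true; stricter than json_encode,
                              // which only rejects an object that is its own ancestor
    while ($stack !== []) {
        [$node, $depth] = array_pop($stack);
        if ($depth > $maxDepth) {
            throw new JsonException("nesting exceeds $maxDepth", JSON_ERROR_DEPTH);
        }
        if (is_object($node)) {
            $id = spl_object_id($node);
            if (isset($seen[$id])) {
                throw new JsonException('object reached twice (cycle or shared reference)', JSON_ERROR_RECURSION);
            }
            $seen[$id] = true;
            $children = get_object_vars($node);   // public properties only, like json_encode()
        } elseif (is_array($node)) {
            $children = $node;
        } else {
            continue;                             // scalars and null add no depth
        }
        foreach ($children as $child) {
            if (is_object($child) || is_array($child)) {
                $stack[] = [$child, $depth + 1];
            }
        }
    }
    return json_encode($value, $flags | JSON_THROW_ON_ERROR, $maxDepth);
}

class Node { public ?Node $previous = null; public ?Node $next = null; }

// Constructed input: a ring of 1001 nodes built the same way as in the report.
$head = new Node();
$head->previous = $head->next = $head;
for ($i = 0; $i < 1000; $i++) {
    $n = new Node();
    $n->previous = $head; $n->next = $head->next;
    $head->next->previous = $n; $head->next = $n;
}
try {
    jsonEncodeBounded($head, 64);
} catch (JsonException $e) {
    echo $e->getCode() === JSON_ERROR_DEPTH ? "rejected: depth\n" : "rejected: recursion\n";
}
echo jsonEncodeBounded(['ok' => [1, 2, ['nested' => true]]]), "\n";
```

The ring is rejected after 65 nodes with JSON_ERROR_DEPTH, while a ring shorter than $maxDepth is rejected with JSON_ERROR_RECURSION when the walk returns to a node it has already seen; ordinary bounded data passes through to json_encode() unchanged.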
