Merge branch 'PHP-7.2'

bukka · bukka · commit 9891f08786e1 · 2017-08-10T19:40:36.000+01:00
diff --git a/ext/json/json_scanner.c b/ext/json/json_scanner.c
@@ -639,9 +639,16 @@ int php_json_scan(php_json_scanner *s)
 yy80:
 		{
 		if (s->options & (PHP_JSON_INVALID_UTF8_IGNORE | PHP_JSON_INVALID_UTF8_SUBSTITUTE)) {
-			int utf8_addition = (s->options & PHP_JSON_INVALID_UTF8_SUBSTITUTE) ? 3 : 0;
+			if (s->options & PHP_JSON_INVALID_UTF8_SUBSTITUTE) {
+				if (s->utf8_invalid_count > INT_MAX - 2) {
+					s->errcode = PHP_JSON_ERROR_UTF8;
+					return PHP_JSON_T_ERROR;
+				}
+				s->utf8_invalid_count += 2;
+			} else {
+				s->utf8_invalid_count--;
+			}
 			s->utf8_invalid = 1;
-			s->utf8_invalid_count += utf8_addition - 1;
 			PHP_JSON_CONDITION_GOTO(STR_P1);
 		}
 		s->errcode = PHP_JSON_ERROR_UTF8;
diff --git a/ext/json/json_scanner.re b/ext/json/json_scanner.re
@@ -281,9 +281,16 @@ std:
 	<STR_P1>UTF8             { PHP_JSON_CONDITION_GOTO(STR_P1); }
 	<STR_P1>ANY              {
 		if (s->options & (PHP_JSON_INVALID_UTF8_IGNORE | PHP_JSON_INVALID_UTF8_SUBSTITUTE)) {
-			int utf8_addition = (s->options & PHP_JSON_INVALID_UTF8_SUBSTITUTE) ? 3 : 0;
+			if (s->options & PHP_JSON_INVALID_UTF8_SUBSTITUTE) {
+				if (s->utf8_invalid_count > INT_MAX - 2) {
+					s->errcode = PHP_JSON_ERROR_UTF8;
+					return PHP_JSON_T_ERROR;
+				}
+				s->utf8_invalid_count += 2;
+			} else {
+				s->utf8_invalid_count--;
+			}
 			s->utf8_invalid = 1;
-			s->utf8_invalid_count += utf8_addition - 1;
 			PHP_JSON_CONDITION_GOTO(STR_P1);
 		}
 		s->errcode = PHP_JSON_ERROR_UTF8;
