Fixed bug #77843

3 files changed, 38 insertions, 2 deletions

diff --git a/NEWS b/NEWS
index 859eb203cf..d43e79e61c 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,9 @@ PHP                                                                        NEWS
 - FPM:
   . Fixed bug #77921 (static.php.net doesn't work anymore). (Peter Kokot)
 
+- JSON:
+  . Fixed bug #77843 (Use after free with json serializer). (Nikita)
+
 - Session:
   . Fixed bug #77911 (Wrong warning for session.sid_bits_per_character). (cmb)
 
diff --git a/ext/json/json_encoder.c b/ext/json/json_encoder.c
index 8e3eecc0d8..4163291715 100644
--- a/ext/json/json_encoder.c
+++ b/ext/json/json_encoder.c
@@ -542,8 +542,16 @@ again:
 				return php_json_encode_serializable_object(buf, val, options, encoder);
 			}
 			/* fallthrough -- Non-serializable object */
-		case IS_ARRAY:
-			return php_json_encode_array(buf, val, options, encoder);
+		case IS_ARRAY: {
+			/* Avoid modifications (and potential freeing) of the array through a reference when a
+			 * jsonSerialize() method is invoked. */
+			zval zv;
+			int res;
+			ZVAL_COPY(&zv, val);
+			res = php_json_encode_array(buf, &zv, options, encoder);
+			zval_ptr_dtor_nogc(&zv);
+			return res;
+		}
 
 		case IS_REFERENCE:
 			val = Z_REFVAL_P(val);
diff --git a/ext/json/tests/bug77843.phpt b/ext/json/tests/bug77843.phpt
new file mode 100644
index 0000000000..c525285bf5
--- /dev/null
+++ b/ext/json/tests/bug77843.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Bug #77843: Use after free with json serializer
+--FILE--
+<?php
+
+class X implements JsonSerializable {
+    public $prop = "value";
+    public function jsonSerialize() {
+        global $arr;
+        unset($arr[0]);
+        var_dump($this);
+        return $this;
+    }
+}
+
+$arr = [new X()];
+var_dump(json_encode([&$arr]));
+
+?>
+--EXPECT--
+object(X)#1 (1) {
+  ["prop"]=>
+  string(5) "value"
+}
+string(20) "[[{"prop":"value"}]]"