From 71222f799da8936c175b1219a1c351f778f6da69 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sun, 6 Oct 2024 20:30:01 +0200
Subject: [PATCH] Fix GH-16259: Soap segfault when classmap instantiation fails

Instantiation failure checks were missing.

Closes GH-16273.
---
 NEWS                             |  2 ++
 ext/soap/php_encoding.c          | 20 +++++++++++++++-----
 ext/soap/tests/bugs/gh16259.phpt | 23 +++++++++++++++++++++++
 3 files changed, 40 insertions(+), 5 deletions(-)
 create mode 100644 ext/soap/tests/bugs/gh16259.phpt

diff --git a/NEWS b/NEWS
index 799225ca186..5f4b19f6fa8 100644
--- a/NEWS
+++ b/NEWS
@@ -91,6 +91,8 @@ PHP                                                                        NEWS
   . Fix Soap leaking http_msg on error. (nielsdos)
   . Fixed bug GH-16256 (Assertion failure in ext/soap/php_encoding.c:460).
     (nielsdos)
+  . Fixed bug GH-16259 (Soap segfault when classmap instantiation fails).
+    (nielsdos)
 
 - Standard:
   . Fixed bug GH-15613 (overflow on unpack call hex string repeater).
diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
index 6568446249a..29cf8fbc908 100644
--- a/ext/soap/php_encoding.c
+++ b/ext/soap/php_encoding.c
@@ -1408,7 +1408,9 @@ static zval *to_zval_object_ex(zval *ret, encodeTypePtr type, xmlNodePtr data, z
 					return ret;
 				}
 
-				object_init_ex(ret, ce);
+				if (object_init_ex(ret, ce) != SUCCESS) {
+					return ret;
+				}
 				master_to_zval_int(&base, enc, data);
 				set_zval_property(ret, "_", &base);
 			} else {
@@ -1417,7 +1419,9 @@ static zval *to_zval_object_ex(zval *ret, encodeTypePtr type, xmlNodePtr data, z
 				if (soap_check_xml_ref(ret, data)) {
 					return ret;
 				}
-				object_init_ex(ret, ce);
+				if (object_init_ex(ret, ce) != SUCCESS) {
+					return ret;
+				}
 				soap_add_xml_ref(ret, data);
 			}
 		} else if (sdlType->kind == XSD_TYPEKIND_EXTENSION &&
@@ -1462,7 +1466,9 @@ static zval *to_zval_object_ex(zval *ret, encodeTypePtr type, xmlNodePtr data, z
 					return ret;
 				}
 
-				object_init_ex(ret, ce);
+				if (object_init_ex(ret, ce) != SUCCESS) {
+					return ret;
+				}
 				soap_add_xml_ref(ret, data);
 				master_to_zval_int(&base, sdlType->encode, data);
 				set_zval_property(ret, "_", &base);
@@ -1473,7 +1479,9 @@ static zval *to_zval_object_ex(zval *ret, encodeTypePtr type, xmlNodePtr data, z
 			if (soap_check_xml_ref(ret, data)) {
 				return ret;
 			}
-			object_init_ex(ret, ce);
+			if (object_init_ex(ret, ce) != SUCCESS) {
+				return ret;
+			}
 			soap_add_xml_ref(ret, data);
 		}
 		if (sdlType->model) {
@@ -1533,7 +1541,9 @@ static zval *to_zval_object_ex(zval *ret, encodeTypePtr type, xmlNodePtr data, z
 			return ret;
 		}
 
-		object_init_ex(ret, ce);
+		if (object_init_ex(ret, ce) != SUCCESS) {
+			return ret;
+		}
 		soap_add_xml_ref(ret, data);
 		trav = data->children;
 
diff --git a/ext/soap/tests/bugs/gh16259.phpt b/ext/soap/tests/bugs/gh16259.phpt
new file mode 100644
index 00000000000..dd7e0e1585d
--- /dev/null
+++ b/ext/soap/tests/bugs/gh16259.phpt
@@ -0,0 +1,23 @@
+--TEST--
+GH-16259 (Soap segfault when classmap instantiation fails)
+--EXTENSIONS--
+soap
+--FILE--
+<?php
+abstract class CT_A1 {
+}
+class CT_A2 extends CT_A1 {
+}
+
+$classMap = array("A1" => "CT_A1", "A2" => "CT_A2");
+$client = new SoapClient(__DIR__."/bug36575.wsdl", array("trace" => 1, "exceptions" => 0));
+$a2 = new CT_A2();
+$client->test($a2);
+$soapRequest = $client->__getLastRequest();
+
+$server = new SoapServer(__DIR__."/bug36575.wsdl", array("classmap" => $classMap));
+$server->handle($soapRequest);
+?>
+--EXPECT--
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>Cannot instantiate abstract class CT_A1</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>