From 11fbe8801bb936c7011b4cefb3bea89380bf18e7 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Mon, 5 Aug 2024 20:55:38 +0200
Subject: [PATCH] Fix SoapFault property destruction
Two issues: 1) We should not modify the object when we pass invalid values 2) We should reset the properties to their default value otherwise we get a UAF. Regressed in df219ccf9d6be8302eef3ab6e26fd00fbd2fef71 Closes GH-15248.
---
 NEWS | 1 +
 ext/soap/soap.c | 13 ++++++++++---
 ext/soap/tests/SoapFault/gh14586.phpt | 10 ++++++++++
 3 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/NEWS b/NEWS
index a86d3c59aca..791c64e7197 100644
--- a/NEWS
+++ b/NEWS
@@ -45,6 +45,7 @@ PHP NEWS
 - Soap:
 . Fixed bug #55639 (Digest autentication dont work). (nielsdos)
+ . Fix SoapFault property destruction. (nielsdos)
 - Standard:
 . Fix passing non-finite timeout values in stream functions. (nielsdos)
diff --git a/ext/soap/soap.c b/ext/soap/soap.c
index eaea09b461d..3320f6dd480 100644
--- a/ext/soap/soap.c
+++ b/ext/soap/soap.c
@@ -529,6 +529,13 @@ static void soap_fault_dtor_properties(zval *obj)
 zval_ptr_dtor(Z_FAULT_DETAIL_P(obj));
 zval_ptr_dtor(Z_FAULT_NAME_P(obj));
 zval_ptr_dtor(Z_FAULT_HEADERFAULT_P(obj));
+ ZVAL_EMPTY_STRING(Z_FAULT_STRING_P(obj));
+ ZVAL_NULL(Z_FAULT_CODE_P(obj));
+ ZVAL_NULL(Z_FAULT_CODENS_P(obj));
+ ZVAL_NULL(Z_FAULT_ACTOR_P(obj));
+ ZVAL_NULL(Z_FAULT_DETAIL_P(obj));
+ ZVAL_NULL(Z_FAULT_NAME_P(obj));
+ ZVAL_NULL(Z_FAULT_HEADERFAULT_P(obj));
 }
 /* {{{ SoapFault constructor */
@@ -550,9 +557,6 @@ PHP_METHOD(SoapFault, __construct)
 Z_PARAM_ZVAL_OR_NULL(headerfault)
 ZEND_PARSE_PARAMETERS_END();
- /* Delete previously set properties */
- soap_fault_dtor_properties(ZEND_THIS);
-
 if (code_str) {
 fault_code = ZSTR_VAL(code_str);
 fault_code_len = ZSTR_LEN(code_str);
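Review bot: In soap_fault_dtor_properties() (ext/soap/soap.c, hunk at -529) each slot is still released before it is reset, so while `zval_ptr_dtor(Z_FAULT_HEADERFAULT_P(obj))` runs the property still refers to the value being torn down. headerfault is parsed as an arbitrary zval (`Z_PARAM_ZVAL_OR_NULL(headerfault)` in the next hunk), so it may be an object with a destructor; a destructor that reaches the same SoapFault at that moment could presumably read or reassign the slot, and the later `ZVAL_NULL` would then overwrite whatever it wrote without releasing it. Writing the default first and destroying a saved copy closes that window, per property: `ZVAL_COPY_VALUE(&garbage, Z_FAULT_HEADERFAULT_P(obj));`, `ZVAL_NULL(Z_FAULT_HEADERFAULT_P(obj));`, `zval_ptr_dtor(&garbage);`. The function starts above the hunk, so the releases for the string, code, codens and actor slots are presumably there and would need the same treatment.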
@@ -571,6 +575,9 @@ PHP_METHOD(SoapFault, __construct)
 RETURN_THROWS();
 }
+ /* Delete previously set properties */
+ soap_fault_dtor_properties(ZEND_THIS);
+
 if (name != NULL && name_len == 0) {
 name = NULL;
 }
diff --git a/ext/soap/tests/SoapFault/gh14586.phpt b/ext/soap/tests/SoapFault/gh14586.phpt
index 91a273da09d..7aa7c37eb54 100644
--- a/ext/soap/tests/SoapFault/gh14586.phpt
+++ b/ext/soap/tests/SoapFault/gh14586.phpt
@@ -6,7 +6,17 @@ soap __construct(null, "x");
+try {
+ $sf->__construct("", "");
+} catch (ValueError) {}
+$sf->__construct(null, "x", headerFault: []);
+var_dump($sf->headerfault);
+$sf->__construct(null, "x");
+var_dump($sf->headerfault);
 ?>
 DONE
 --EXPECT--
+array(0) {
+}
+NULL
 DONE
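Review bot: The relocated comment in PHP_METHOD(SoapFault, __construct) (ext/soap/soap.c, hunk at -571) says what the call does but not why it has to sit below the `RETURN_THROWS()` block, and that ordering is half of the fix. A later tidy-up could move it back above the validation without noticing. I would word it as `/* Delete previously set properties only after validation: a rejected call must leave the object untouched */`. The constructor continues on both sides of the hunk, so whether another failing path lies after this point cannot be checked from here.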
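Review bot: The added `try { ... } catch (ValueError) {}` in gh14586.phpt swallows the exception and prints nothing, so the test passes equally if the invalid call throws nothing or if it wipes the object before throwing, which is the first of the two issues the commit message names. Adding `var_dump($sf->faultstring);` directly after the catch, with the matching line in --EXPECT--, would pin that the state from the earlier call survives a rejected one. The reset itself is asserted only through headerfault; checking one more property such as `detail` would cover the other new ZVAL_NULL lines. The opening lines of the test are not fully visible in this hunk.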