From 01d61605d3a354019a11f977488d6441cd636e01 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Thu, 19 Oct 2023 15:07:20 +0200
Subject: [PATCH 1/2] Fix segfault and assertion failure with refcounted props
and arrays
Closes GH-12478.
---
NEWS | 2 +
ext/soap/php_encoding.c | 4 +-
.../tests/bugs/segfault_assertion_props.phpt | 51 +++++++++++++++++++
3 files changed, 56 insertions(+), 1 deletion(-)
create mode 100644 ext/soap/tests/bugs/segfault_assertion_props.phpt
diff --git a/NEWS b/NEWS
index defce40d786..6f21f2f7967 100644
--- a/NEWS
+++ b/NEWS
@@ -28,6 +28,8 @@ PHP NEWS
Fault). (nielsdos)
. Fixed bug #67617 (SOAP leaves incomplete cache file on ENOSPC). (nielsdos)
. Fix incorrect uri check in SOAP caching. (nielsdos)
+ . Fix segfault and assertion failure with refcounted props and arrays.
+ (nielsdos)
- XSL:
. Add missing module dependency. (nielsdos)
diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
index 3a4626aa5be..a5fbd3df9dd 100644
--- a/ext/soap/php_encoding.c
+++ b/ext/soap/php_encoding.c
@@ -1561,10 +1561,12 @@ static zval *to_zval_object_ex(zval *ret, encodeTypePtr type, xmlNodePtr data, z
if (Z_TYPE_P(prop) != IS_ARRAY) {
/* Convert into array */
array_init(&arr);
- Z_ADDREF_P(prop);
+ Z_TRY_ADDREF_P(prop);
add_next_index_zval(&arr, prop);
set_zval_property(ret, (char*)trav->name, &arr);
prop = &arr;
+ } else {
+ SEPARATE_ARRAY(prop);
}
/* Add array element */
add_next_index_zval(prop, &tmpVal);
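Review bot: The two added lines in this branch rely on engine invariants that are not obvious and carry no comment, so a later cleanup could revert them. On `Z_TRY_ADDREF_P(prop);` I would add `/* prop is not guaranteed to be refcounted (e.g. an interned string); Z_ADDREF_P would assert */`, and on the new `else` branch `/* the array may be shared or immutable; separate it before appending in place */`. This path decodes element data from a SOAP response (inferred from the added test, which feeds a canned response), so a refcount mistake here is memory corruption driven by whatever endpoint the client talks to. to_zval_object_ex starts and ends outside the hunk, so whether `prop = &arr` still aliases the stored property after `set_zval_property` cannot be confirmed from these lines.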
diff --git a/ext/soap/tests/bugs/segfault_assertion_props.phpt b/ext/soap/tests/bugs/segfault_assertion_props.phpt
new file mode 100644
index 00000000000..9d496d72967
--- /dev/null
+++ b/ext/soap/tests/bugs/segfault_assertion_props.phpt
@@ -0,0 +1,51 @@
+--TEST--
+Segfault and assertion failure with refcounted props and arrays
+--INI--
+soap.wsdl_cache_enabled=0
+--EXTENSIONS--
+soap
+--FILE--
+
+
+
+ Hello
+ World
+
+
+EOF;
+ }
+}
+
+trait A {
+ public $a = [self::class . 'a'];
+ public $b = self::class . 'b';
+}
+
+class DummyClass {
+ use A;
+}
+
+$client = new TestSoapClient(__DIR__."/../classmap.wsdl", ['classmap' => ['Struct' => 'DummyClass']]);
+var_dump($client->dotest2("???"));
+?>
+--EXPECT--
+object(DummyClass)#2 (2) {
+ ["a"]=>
+ array(2) {
+ [0]=>
+ string(11) "DummyClassa"
+ [1]=>
+ string(5) "Hello"
+ }
+ ["b"]=>
+ array(2) {
+ [0]=>
+ string(11) "DummyClassb"
+ [1]=>
+ string(5) "World"
+ }
+}
From 83a242ec0cb8a6633f51b82845978e1eb9bdb883 Mon Sep 17 00:00:00 2001
From: Jakub Zelenka
Date: Sat, 21 Oct 2023 15:16:32 +0100
Subject: [PATCH 2/2] Fix GH-12489: Missing sigbio creation checking in
openssl_cms_verify
Closes GH-12490
---
NEWS | 4 ++++
ext/openssl/openssl.c | 5 ++++-
ext/openssl/tests/gh12489.phpt | 36 ++++++++++++++++++++++++++++++++++
3 files changed, 44 insertions(+), 1 deletion(-)
create mode 100644 ext/openssl/tests/gh12489.phpt
diff --git a/NEWS b/NEWS
index 6f21f2f7967..3155cda7ad9 100644
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,10 @@ PHP NEWS
. Fixed bug GH-8143 (Crashes in zend_accel_inheritance_cache_find since
upgrading to 8.1.3 due to corrupt on-disk file cache). (turchanov)
+- OpenSSL:
+ Fixed bug GH-12489 (Missing sigbio creation checking in openssl_cms_verify).
+ (Jakub Zelenka)
+
- SOAP:
. Fixed bug GH-12392 (Segmentation fault on SoapClient::__getTypes).
(nielsdos)
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 10af453c895..31baa2d0e02 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -5900,12 +5900,15 @@ PHP_FUNCTION(openssl_cms_verify)
goto clean_exit;
}
if (sigfile && (flags & CMS_DETACHED)) {
- sigbio = php_openssl_bio_new_file(sigfile, sigfile_len, 1, PHP_OPENSSL_BIO_MODE_R(flags));
if (encoding == ENCODING_SMIME) {
php_error_docref(NULL, E_WARNING,
"Detached signatures not possible with S/MIME encoding");
goto clean_exit;
}
+ sigbio = php_openssl_bio_new_file(sigfile, sigfile_len, 1, PHP_OPENSSL_BIO_MODE_R(flags));
+ if (sigbio == NULL) {
+ goto clean_exit;
+ }
} else {
sigbio = in; /* non-detached signature */
}
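Review bot: The new `if (sigbio == NULL) { goto clean_exit; }` bails out without a message of its own, which reads like a forgotten warning. If php_openssl_bio_new_file() is what reports the failure (the added test expects an open_basedir warning attributed to openssl_cms_verify(), which suggests so), a comment should say it: `/* php_openssl_bio_new_file() has already reported why the file could not be opened */`. The else branch sets `sigbio = in`, and the clean_exit label is outside the hunk, so it is worth confirming that cleanup frees a detached sigbio exactly once and never frees the aliased `in` twice. PHP_FUNCTION(openssl_cms_verify) begins and ends outside the hunk.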
diff --git a/ext/openssl/tests/gh12489.phpt b/ext/openssl/tests/gh12489.phpt
new file mode 100644
index 00000000000..4ebeb09784d
--- /dev/null
+++ b/ext/openssl/tests/gh12489.phpt
@@ -0,0 +1,36 @@
+--TEST--
+GH-12489: Missing sigbio creation checking in openssl_cms_verify
+--EXTENSIONS--
+openssl
+--FILE--
+ "test@test", "Subject" => "testing openssl_cms_sign()");
+$headers = array("test@test", "testing openssl_cms_sign()");
+
+var_dump(openssl_cms_sign($infile, $outfile, openssl_x509_read($single_cert), $privkey, $headers,
+ OPENSSL_CMS_DETACHED|OPENSSL_CMS_BINARY,OPENSSL_ENCODING_PEM));
+ini_set('open_basedir', __DIR__);
+var_dump(openssl_cms_verify($infile,OPENSSL_CMS_NOVERIFY|OPENSSL_CMS_DETACHED|OPENSSL_CMS_BINARY,
+ NULL, array(), NULL, $vout, NULL, "../test.cms", OPENSSL_ENCODING_PEM));
+var_dump(openssl_error_string());
+?>
+--CLEAN--
+
+--EXPECTF--
+bool(true)
+
+Warning: openssl_cms_verify(): open_basedir restriction in effect. File(%s) is not within the allowed path(s): (%s) in %s on line %d
+bool(false)
+bool(false)
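Review bot: The test reaches the new NULL check only through an open_basedir rejection. A signature path that is allowed but does not exist would hit the same `sigbio == NULL` branch through a different failure of the file open. A second `openssl_cms_verify()` call with such a path, placed before the `ini_set('open_basedir', __DIR__);` line and expected to return `bool(false)`, would pin that case too. What `openssl_error_string()` returns there depends on php_openssl_bio_new_file(), which is not visible here, so that expectation needs checking against a real run.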