From 209f4c296ec6a08c721afdf17d787db4b5fd37d0 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Thu, 20 Mar 2025 09:26:26 +0100
Subject: [PATCH 1/3] Fix #66049 Typemap can break parsing in parse_packet_soap leading to a segfault
---
 ext/soap/php_packet_soap.c | 3 ++
 ext/soap/tests/bugs/bug66049.phpt | 48 +++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 ext/soap/tests/bugs/bug66049.phpt
diff --git a/ext/soap/php_packet_soap.c b/ext/soap/php_packet_soap.c
index c93451506ee..325821cd1fd 100644
--- a/ext/soap/php_packet_soap.c
+++ b/ext/soap/php_packet_soap.c
@@ -192,6 +192,7 @@ int parse_packet_soap(zval *this_ptr, char *buffer, int buffer_size, sdlFunction
 if (tmp != NULL && tmp->children != NULL) {
 zval zv;
 master_to_zval(&zv, get_conversion(IS_STRING), tmp);
+ convert_to_string(&zv)
 faultstring = Z_STR(zv);
 }
@@ -199,6 +200,7 @@ int parse_packet_soap(zval *this_ptr, char *buffer, int buffer_size, sdlFunction
 if (tmp != NULL && tmp->children != NULL) {
 zval zv;
 master_to_zval(&zv, get_conversion(IS_STRING), tmp);
+ convert_to_string(&zv)
 faultactor = Z_STR(zv);
 }
@@ -222,6 +224,7 @@ int parse_packet_soap(zval *this_ptr, char *buffer, int buffer_size, sdlFunction
 if (tmp != NULL && tmp->children != NULL) {
 zval zv;
 master_to_zval(&zv, get_conversion(IS_STRING), tmp);
+ convert_to_string(&zv)
 faultstring = Z_STR(zv);
 }
 }
diff --git a/ext/soap/tests/bugs/bug66049.phpt b/ext/soap/tests/bugs/bug66049.phpt
new file mode 100644
index 00000000000..e48845a8a14
--- /dev/null
+++ b/ext/soap/tests/bugs/bug66049.phpt
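Review bot: The added `convert_to_string(&zv)` line has no terminating semicolon in the first hunk of ext/soap/php_packet_soap.c (@@ -192) or in the two that follow (@@ -199 and @@ -222), so it builds only while `convert_to_string` remains a macro that expands to a complete statement; write `convert_to_string(&zv);` in all three places. Since the commit title and the test's typemap show that a `from_xml` callback can decide the type `master_to_zval()` leaves in `zv`, a one-line comment above the first call, such as `/* typemap from_xml may return a non-string; Z_STR() requires IS_STRING */`, would record why the coercion is there. The conversion of a callback-supplied value could presumably fail and leave an exception pending, and none of the three hunks checks for that before reading `Z_STR(zv)`; this should be confirmed against the rest of `parse_packet_soap`, whose body starts and ends outside these hunks.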
@@ -0,0 +1,48 @@
+--TEST--
+Fix #66049 Typemap can break parsing in parse_packet_soap leading to a segfault
+--EXTENSIONS--
+soap
+--INI--
+soap.wsdl_cache_enabled=0
+--FILE--
+
+
+
+ SOAP-ENV:Servernot present
+ ';
+ return $res;
+ }
+}
+
+try {
+ $client=new TestSoapClient(null, [
+ 'uri' => 'test://',
+ 'location' => 'test://',
+ 'typemap' => [[
+ "type_ns" => "http://www.w3.org/2001/XMLSchema",
+ "type_name" => "string",
+ "from_xml" => "soap_string_from_xml"
+ ]]]);
+ $client->Mist("");
+} catch (SoapFault $e) {
+ var_dump($e->faultstring);
+ var_dump($e->faultcode);
+}
+?>
+Done
+--EXPECT--
+soap_string_from_xml
+string(3) "2.3"
+string(15) "SOAP-ENV:Server"
+Done
From 7e6a36889c2064029e948ce934203b17adc39319 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Fri, 21 Mar 2025 08:25:05 +0100
Subject: [PATCH 2/3] NEWS for #66049
---
 NEWS | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/NEWS b/NEWS
index 24db3cc4fbe..0dce55195c1 100644
--- a/NEWS
+++ b/NEWS
@@ -40,6 +40,10 @@ PHP NEWS
 - PDO:
 . Fix memory leak when destroying PDORow. (nielsdos)
+- SOAP:
+ . Fixed bug #66049 (Typemap can break parsing in parse_packet_soap leading to
+ a segfault) . (Remi)
+
 - SPL:
 . Fixed bug GH-18018 (RC1 data returned from offsetGet causes UAF in ArrayObject). (nielsdos)
From 58e4adcd63d0af788f8e06fe9bd79a5fa9df5f1b Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Fri, 21 Mar 2025 08:25:49 +0100
Subject: [PATCH 3/3] NEWS for #66049
---
 NEWS | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/NEWS b/NEWS
index 64c4ee19eff..2d92594daf3 100644
--- a/NEWS
+++ b/NEWS
@@ -71,6 +71,10 @@ PHP NEWS
 - Standard:
 . Fix memory leaks in array_any() / array_all(). (nielsdos)
+- SOAP:
+ . Fixed bug #66049 (Typemap can break parsing in parse_packet_soap leading to
+ a segfault) . (Remi)
+
 - SPL:
 . Fixed bug GH-18018 (RC1 data returned from offsetGet causes UAF in ArrayObject). (nielsdos)