archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 13:38:49 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'PHP-8.4'

Browse source 
* PHP-8.4:
  Fix GH-18640: heap-use-after-free ext/soap/php_encoding.c:299:32 in soap_check_zval_ref
This commit is contained in:
Niels Dossche 2025-07-20 19:50:01 +02:00
commit d7f9caf37c
No known key found for this signature in database
GPG key ID: B8A8AD166DF0E2E5
2 changed files with 56 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

14
ext/soap/php_encoding.c
View file

@ -1924,6 +1924,11 @@ static xmlNodePtr to_xml_object(encodeTypePtr type, zval *data, int style, xmlNo
sdlAttributePtr attr; sdlAttributePtr attr;
zval *zattr, rv; zval *zattr, rv;
/* Attributes can't refer to other attributes as there's nothing to attach the href to. */
HashTable **ref_map = &SOAP_GLOBAL(ref_map);
HashTable *old_ref_map = *ref_map;
*ref_map = NULL;
ZEND_HASH_FOREACH_PTR(sdlType->attributes, attr) { ZEND_HASH_FOREACH_PTR(sdlType->attributes, attr) {
if (attr->name) { if (attr->name) {
zattr = get_zval_property(data, attr->name, &rv); zattr = get_zval_property(data, attr->name, &rv);
@ -1953,6 +1958,8 @@ static xmlNodePtr to_xml_object(encodeTypePtr type, zval *data, int style, xmlNo
} }
} }
} ZEND_HASH_FOREACH_END(); } ZEND_HASH_FOREACH_END();
*ref_map = old_ref_map;
} }
} }
if (style == SOAP_ENCODED) { if (style == SOAP_ENCODED) {
@ -3055,6 +3062,12 @@ static xmlNodePtr to_xml_list(encodeTypePtr enc, zval *data, int style, xmlNodeP
ret = xmlNewDocNode(parent->doc, NULL, BAD_CAST("BOGUS"), NULL); ret = xmlNewDocNode(parent->doc, NULL, BAD_CAST("BOGUS"), NULL);
xmlAddChild(parent, ret); xmlAddChild(parent, ret);
FIND_ZVAL_NULL(data, ret, style); FIND_ZVAL_NULL(data, ret, style);
/* Literals are unique and can't refer to other references via attributes. */
HashTable **ref_map = &SOAP_GLOBAL(ref_map);
HashTable *old_ref_map = *ref_map;
*ref_map = NULL;
if (Z_TYPE_P(data) == IS_ARRAY) { if (Z_TYPE_P(data) == IS_ARRAY) {
zval *tmp; zval *tmp;
smart_str list = {0}; smart_str list = {0};
@ -3129,6 +3142,7 @@ static xmlNodePtr to_xml_list(encodeTypePtr enc, zval *data, int style, xmlNodeP
zval_ptr_dtor_str(&tmp); zval_ptr_dtor_str(&tmp);
} }
} }
*ref_map = old_ref_map;
return ret; return ret;
} }

42
ext/soap/tests/bugs/gh18640.phpt Normal file
View file

@ -0,0 +1,42 @@
--TEST---
GH-18640 (heap-use-after-free ext/soap/php_encoding.c:299:32 in soap_check_zval_ref)
--EXTENSIONS--
soap
--CREDITS--
YuanchengJiang
--FILE--
<?php
$wsdl = __DIR__."/bug35142.wsdl";
class TestSoapClient extends SoapClient {
function __doRequest($request, $location, $action, $version, $one_way = 0): ?string {
var_dump($request);
return '';
}
}
$soapClient = new TestSoapClient($wsdl, ['trace' => 1, 'classmap' => ['logOnEvent' => 'LogOnEvent', 'events' => 'IVREvents']]);
$timestamp = new LogOnEvent(); // Bogus!
$logOffEvents[] = new LogOffEvent($timestamp);
$logOffEvents[] = new LogOffEvent($timestamp);
$ivrEvents = new IVREvents($logOffEvents);
$result = $soapClient->PostEvents($ivrEvents);
class LogOffEvent {
function __construct(public $timestamp) {
$this->timestamp = $timestamp;
}
}
class LogOnEvent {
}
class IVREvents {
function __construct(public $logOffEvent) {
}
}
?>
--EXPECT--
string(359) "<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://testurl/Events" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns2="http://testurl/Message"><SOAP-ENV:Body><ns2:ivrEvents><ns2:logOffEvent/><ns2:logOffEvent/></ns2:ivrEvents></SOAP-ENV:Body></SOAP-ENV:Envelope>
"