php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #66049 Typemap can break parsing in parse_packet_soap leading to a segfault
Submitted: 2013-11-07 17:55 UTC Modified: -
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: martin dot koegler at brz dot gv dot at Assigned:
Status: Open Package: SOAP related
PHP Version: 5.5.5 OS: Any
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: martin dot koegler at brz dot gv dot at
New email:
PHP Version: OS:

 

 [2013-11-07 17:55 UTC] martin dot koegler at brz dot gv dot at
Description:
------------
parse_packet_soap extracts various data from the response with the following sequence:
zval *zv = master_to_zval(get_conversion(IS_STRING), tmp TSRMLS_CC);
faultstring = Z_STRVAL_P(zv);

It assumes, that zv contains a string, but a typemap allow master_to_zval to return a different type. 
Accessing that a different type as string usually least to a segfault via
parse_packet_soap => add_soap_fault => set_soap_fault => add_property_string_ex => crash in strlen

Easiest workaround is to force the string data type via convert_to_string_ex(&zv); before accessing Z_STRVAL_P(zv).


Test script:
---------------
Take any wsdl as test.wsdl and point it to server.php as URL. Adapt client.php to call a existing operation of the wsdl:

client.php:
<?php

function soap_string_from_xml($str)
{ return new stdClass(); }

$client=new soapclient("test.wsdl", array('typemap'=>array(
      array("type_ns"=>"http://www.w3.org/2001/XMLSchema", "type_name"=>"string", "from_xml"=>"soap_string_from_xml")
      )));
$client->Mist("");
?>

server.php:
<?php header("Content-Type: text/xml"); header("HTTP/1.0 500 Internal Error");?>
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>not present</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-11-08 17:54 UTC] martin dot koegler at brz dot gv dot at
Workaround:
--- php-5.5.5/ext/soap/php_packet_soap.c.orig   2013-11-08 13:47:42.100530545 +0100
+++ php-5.5.5/ext/soap/php_packet_soap.c        2013-11-08 13:49:00.252852632 +0100
@@ -192,6 +192,7 @@
                        tmp = get_node(fault->children, "faultstring");
                        if (tmp != NULL && tmp->children != NULL) {
                                zval *zv = master_to_zval(get_conversion(IS_STRING), tmp TSRMLS_CC);
+                               convert_to_string_ex(&zv);
                                faultstring = Z_STRVAL_P(zv);
                                FREE_ZVAL(zv);
                        }
@@ -199,6 +200,7 @@
                        tmp = get_node(fault->children, "faultactor");
                        if (tmp != NULL && tmp->children != NULL) {
                                zval *zv = master_to_zval(get_conversion(IS_STRING), tmp TSRMLS_CC);
+                               convert_to_string_ex(&zv);
                                faultactor = Z_STRVAL_P(zv);
                                FREE_ZVAL(zv);
                        }
@@ -222,6 +224,7 @@
                                tmp = get_node(tmp->children,"Text");
                                if (tmp != NULL && tmp->children != NULL) {
                                        zval *zv = master_to_zval(get_conversion(IS_STRING), tmp TSRMLS_CC);
+                                       convert_to_string_ex(&zv);
                                        faultstring = Z_STRVAL_P(zv);
                                        FREE_ZVAL(zv);
                                }
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Wed Jan 15 14:01:30 2025 UTC