Bug #66049 Typemap can break parsing in parse_packet_soap leading to a segfault
Submitted: 2013-11-07 17:55 UTC Modified: -
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: martin dot koegler at brz dot gv dot at Assigned:
Status: Open Package: SOAP related
PHP Version: 5.5.5 OS: Any
Private report: No CVE-ID: None
 [2013-11-07 17:55 UTC] martin dot koegler at brz dot gv dot at
Description:
------------
parse_packet_soap extracts various data from the response with the following sequence:
zval *zv = master_to_zval(get_conversion(IS_STRING), tmp TSRMLS_CC);
faultstring = Z_STRVAL_P(zv);

It assumes that zv contains a string, but a typemap allows master_to_zval to return a different type.
Accessing that different type as a string usually leads to a segfault via
parse_packet_soap => add_soap_fault => set_soap_fault => add_property_string_ex => crash in strlen

Easiest workaround is to force the string data type via convert_to_string_ex(&zv); before accessing Z_STRVAL_P(zv).


Test script:
---------------
Take any wsdl as test.wsdl and point it to server.php as URL. Adapt client.php to call an existing operation of the wsdl:

client.php:
<?php

function soap_string_from_xml($str)
{ return new stdClass(); }

$client=new soapclient("test.wsdl", array('typemap'=>array(
      array("type_ns"=>"http://www.w3.org/2001/XMLSchema", "type_name"=>"string", "from_xml"=>"soap_string_from_xml")
      )));
$client->Mist("");
?>

server.php:
<?php header("Content-Type: text/xml"); header("HTTP/1.0 500 Internal Error");?>
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>not present</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
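
The type confusion described in the report above, reduced to a stand-alone C model (an added example, not code from the report or from PHP). `mzval`, `from_xml_fn`, `force_string` and `read_faultstring` are hypothetical names and the `(object)` text is a placeholder; the model contrasts rejecting a non-string result with coercing it, as the `convert_to_string_ex` workaround does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a PHP 5 zval (type tag plus union); not PHP's real layout. */
typedef enum { T_STRING, T_OBJECT } ztype;
typedef struct { ztype type; union { char *sval; unsigned handle; } v; } mzval;

/* Hypothetical typemap hook: like from_xml, it may return any type. */
typedef mzval (*from_xml_fn)(const char *text);

static char *dup_str(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (p) strcpy(p, s);
    return p;
}
static mzval builtin_string(const char *text) {
    mzval z; z.type = T_STRING; z.v.sval = dup_str(text); return z;
}
static mzval typemap_returns_object(const char *text) {
    mzval z; (void)text;
    z.type = T_OBJECT; z.v.handle = 1;   /* a handle, not a char pointer */
    return z;
}

/* Model of the workaround: force a string before the string member is read. */
static void force_string(mzval *z) {
    if (z->type == T_STRING) return;
    z->type = T_STRING;
    z->v.sval = dup_str("(object)");     /* placeholder text for the model */
}

/* Returns a malloc'd fault string, or NULL if strict and the type is wrong.
 * The unpatched pattern reads z.v.sval with neither the check nor the conversion. */
char *read_faultstring(from_xml_fn conv, const char *text, int strict) {
    mzval z = conv(text);
    if (z.type != T_STRING) {
        if (strict) return NULL;         /* reject instead of coercing */
        force_string(&z);
    }
    return z.v.sval;
}

int main(void) {
    char *s = read_faultstring(typemap_returns_object, "not present", 0);
    printf("coerced: %s\n", s ? s : "(null)");
    free(s);
    return 0;
}
```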



 [2013-11-08 17:54 UTC] martin dot koegler at brz dot gv dot at
Workaround:
--- php-5.5.5/ext/soap/php_packet_soap.c.orig   2013-11-08 13:47:42.100530545 +0100
+++ php-5.5.5/ext/soap/php_packet_soap.c        2013-11-08 13:49:00.252852632 +0100
@@ -192,6 +192,7 @@
                        tmp = get_node(fault->children, "faultstring");
                        if (tmp != NULL && tmp->children != NULL) {
                                zval *zv = master_to_zval(get_conversion(IS_STRING), tmp TSRMLS_CC);
+                               convert_to_string_ex(&zv);
                                faultstring = Z_STRVAL_P(zv);
                                FREE_ZVAL(zv);
                        }
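Review bot: the added convert_to_string_ex(&zv) ahead of faultstring = Z_STRVAL_P(zv) silently coerces whatever the typemap returned, so a from_xml callback that yields a non-string ends up as coerced text in the fault message with nothing telling the caller the typemap is wrong. Consider testing Z_TYPE_P(zv) == IS_STRING first and treating any other type as an error or as a missing faultstring, and add a one-line comment here saying that a user typemap can make master_to_zval return a non-string, since the call to get_conversion(IS_STRING) reads as if the type were guaranteed.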
@@ -199,6 +200,7 @@
                        tmp = get_node(fault->children, "faultactor");
                        if (tmp != NULL && tmp->children != NULL) {
                                zval *zv = master_to_zval(get_conversion(IS_STRING), tmp TSRMLS_CC);
+                               convert_to_string_ex(&zv);
                                faultactor = Z_STRVAL_P(zv);
                                FREE_ZVAL(zv);
                        }
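Review bot: the faultactor branch now carries the same four-line sequence as the faultstring branch above and the Text branch below (master_to_zval, convert_to_string_ex, Z_STRVAL_P, FREE_ZVAL). A small static helper that takes the node and returns the char* would keep the type handling in one place, so a later call site cannot be added without it.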
@@ -222,6 +224,7 @@
                                tmp = get_node(tmp->children,"Text");
                                if (tmp != NULL && tmp->children != NULL) {
                                        zval *zv = master_to_zval(get_conversion(IS_STRING), tmp TSRMLS_CC);
+                                       convert_to_string_ex(&zv);
                                        faultstring = Z_STRVAL_P(zv);
                                        FREE_ZVAL(zv);
                                }
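Review bot: no regression test accompanies the change to the Text branch or the two branches before it. The client.php and server.php pair from the report (a typemap whose from_xml returns stdClass for xsd string, and a server answering with a SOAP Fault) would convert directly into a .phpt test. It is also worth confirming that no other master_to_zval(get_conversion(IS_STRING), ...) result in parse_packet_soap is read with Z_STRVAL_P outside these three places.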
 