Bug #70032 make_http_soap_request calls zend_hash_get_current_key_ex(,,,NULL)
Submitted: 2015-07-09 06:50 UTC
Modified: 2015-07-09 08:41 UTC
From: turchanov at farpost dot com
Assigned: laruence
Status: Closed
Package: SOAP related
PHP Version: 7.0.0alpha2
OS: Linux
Private report: No
CVE-ID: None
 [2015-07-09 06:50 UTC] turchanov at farpost dot com
Description:
------------
make_http_soap_request at php_http.c:817 makes a call
...
zend_hash_get_current_key_ex(Z_ARRVAL_P(cookies), &key, NULL, NULL);
...

But the implementation of zend_hash_get_current_key_ex dereferences the 'pos' parameter without checking that it is not NULL:

ZEND_API int ZEND_FASTCALL zend_hash_get_current_key_ex(const HashTable *ht, zend_string **str_index, zend_ulong *num_index, HashPosition *pos)
{
        uint32_t idx = *pos;  /* !!!!!! */

In PHP 5.6.x the same function does the check:
ZEND_API int zend_hash_get_current_key_ex(const HashTable *ht, char **str_index, uint *str_length, ulong *num_index, zend_bool duplicate, HashPosition *pos)
{
        Bucket *p;
        p = pos ? (*pos) : ht->pInternalPointer;


Actual result:
--------------
Program terminated with signal 11, Segmentation fault.
#0  zend_hash_get_current_key_ex (ht=0x7f908a4a04d0, str_index=0x7fff0b8eee40, num_index=0x0, pos=0x0) at /usr/src/debug/php-src-master/Zend/zend_hash.c:2032
2032		uint32_t idx = *pos;

(gdb) bt
#0  zend_hash_get_current_key_ex (ht=0x7f908a4a04d0, str_index=0x7fff0b8eee40, num_index=0x0, pos=0x0) at /usr/src/debug/php-src-master/Zend/zend_hash.c:2032
#1  0x00000000006fb368 in make_http_soap_request (this_ptr=<value optimized out>, 
    buf=0x7f908a3f9318 "<?xml version=\"1.0\""..., buf_size=<value optimized out>, location=<value optimized out>, 
    soapaction=<value optimized out>, soap_version=1, return_value=0x7f909d815050) at /usr/src/debug/php-src-master/ext/soap/php_http.c:817


History

 [2015-07-09 07:36 UTC] kalle@php.net
-Status: Open
+Status: Assigned
-Assigned To:
+Assigned To: laruence
 [2015-07-09 07:36 UTC] kalle@php.net
Xinchen, I'm assigning this to you, I'm not sure whether or not you want the internal hash API to change or the usage of zend_hash_get_current_key_ex().

Turchanov at farpost dot com, if you got an example/test case, could you please attach it to this bug report?
 [2015-07-09 08:18 UTC] turchanov at farpost dot com
> Turchanov at farpost dot com, if you got an example/test case, could you please attach it to this bug report?

I doubt it mostly due to the necessity to have a separate SOAP server which uses(!) cookies as the code in question at php_http.c:817 appends client cookies to HTTP request headers (... and fails with the segfault).
 [2015-07-09 08:41 UTC] laruence@php.net
This should be fixed by using zend_hash_get_current_key instead.

thanks
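
A simplified C model of the contract change discussed in this report, added here as an illustration and not taken from php-src or from any commenter: the toy_* names, struct layout and return codes are hypothetical. It contrasts a 5.6-style lookup that tolerates a NULL position with a 7.0-style one that dereferences it unconditionally, and shows a non-_ex form that always passes the table's own cursor so the caller never supplies NULL.

```c
#include <stdint.h>
#include <string.h>

/* Toy model, not Zend's real layout: a key list plus the table's own cursor. */
typedef uint32_t toy_pos;
typedef struct { const char **keys; uint32_t used; toy_pos internal; } toy_table;
enum { TOY_KEY_STRING = 1, TOY_KEY_NONE = 3 };   /* hypothetical return codes */

/* PHP 7 style contract: pos is dereferenced unconditionally, so it must be non-NULL. */
int toy_current_key_strict(const toy_table *ht, const char **key, const toy_pos *pos)
{
    uint32_t idx = *pos;              /* same pattern as the line flagged in the report */
    if (idx >= ht->used) return TOY_KEY_NONE;
    *key = ht->keys[idx];
    return TOY_KEY_STRING;
}

/* PHP 5.6 style contract: a NULL pos falls back to the internal cursor. */
int toy_current_key_compat(const toy_table *ht, const char **key, const toy_pos *pos)
{
    return toy_current_key_strict(ht, key, pos ? pos : &ht->internal);
}

/* Non-_ex form: always supplies the table's own cursor, so no caller passes NULL. */
int toy_current_key(const toy_table *ht, const char **key)
{
    return toy_current_key_strict(ht, key, &ht->internal);
}

/* Constructed sample data: two cookie names, walked the way a cookie loop would. */
static const char *sample_keys[] = { "PHPSESSID", "lang" };
int toy_count_sample_keys(void)
{
    toy_table t = { sample_keys, 2, 0 };
    const char *key = NULL;
    int n = 0;
    for (; toy_current_key(&t, &key) == TOY_KEY_STRING; t.internal++) n++;
    return n;
}

/* A caller written against the 5.6 contract (NULL pos) still gets the first key. */
int toy_compat_null_pos_ok(void)
{
    toy_table t = { sample_keys, 2, 0 };
    const char *key = NULL;
    return toy_current_key_compat(&t, &key, NULL) == TOY_KEY_STRING && strcmp(key, "PHPSESSID") == 0;
}

int main(void) { return (toy_count_sample_keys() == 2 && toy_compat_null_pos_ok()) ? 0 : 1; }
```

Passing NULL straight to toy_current_key_strict reproduces the crash class in the backtrace above, which is why the model routes every caller through one of the two wrappers.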
 [2015-07-09 08:41 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0de0c4ace14437071fb8a8690f387a63c0c48003
Log: Fixed Bug #70032 (make_http_soap_request calls zend_hash_get_current_key_ex(,,,NULL))
 [2015-07-09 08:41 UTC] laruence@php.net
-Status: Assigned
+Status: Closed
 [2015-07-21 14:21 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0de0c4ace14437071fb8a8690f387a63c0c48003
Log: Fixed Bug #70032 (make_http_soap_request calls zend_hash_get_current_key_ex(,,,NULL))
 [2016-07-20 11:37 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0de0c4ace14437071fb8a8690f387a63c0c48003
Log: Fixed Bug #70032 (make_http_soap_request calls zend_hash_get_current_key_ex(,,,NULL))
Last updated: Thu Nov 21 11:01:29 2024 UTC