Bug #79357 SOAP request segfaults when any request parameter is missing
Submitted: 2020-03-09 10:13 UTC Modified: 2020-03-09 13:51 UTC
From: roman dot vanicek at gmail dot com Assigned: nikic (profile)
Status: Closed Package: SOAP related
PHP Version: 7.4.3 OS: Linux 4.15
Private report: No CVE-ID: None
 [2020-03-09 10:13 UTC] roman dot vanicek at gmail dot com
Description:
------------
Any SOAP request crashes (with segfault) when any request parameter is missing.

Normally it should throw an exception (SOAP-ERROR: Encoding: object has no 'intB' property).

The error is tested on PHP 7.4.0-7.4.3.
It works fine in PHP 7.3.x.
The error happens in the shared build of the soap module; the static build is fine.

Configure line: --enable-soap=shared --without-sqlite3 --without-pdo-sqlite

GDB output: 
Program received signal SIGSEGV, Segmentation fault.
0x0000555555ad9e77 in zend_gc_delref (p=0x61445b0a0a6e4f20)
    at /var/roman/src/php/php-7.4.3/Zend/zend_types.h:1039
1039            ZEND_ASSERT(p->refcount > 0);
(gdb) bt
#0  0x0000555555ad9e77 in zend_gc_delref (p=0x61445b0a0a6e4f20)
    at /var/roman/src/php/php-7.4.3/Zend/zend_types.h:1039
#1  0x0000555555ad9fec in zval_delref_p (pz=0x7ffff3e140e0)
    at /var/roman/src/php/php-7.4.3/Zend/zend_types.h:1075
#2  0x0000555555ada765 in zval_ptr_dtor_nogc (zval_ptr=0x7ffff3e140e0)
    at /var/roman/src/php/php-7.4.3/Zend/zend_variables.h:34
#3  0x0000555555aeece9 in ZEND_HANDLE_EXCEPTION_SPEC_HANDLER ()
    at /var/roman/src/php/php-7.4.3/Zend/zend_vm_execute.h:2615
#4  0x0000555555b50afc in execute_ex (ex=0x7ffff3e14020)
    at /var/roman/src/php/php-7.4.3/Zend/zend_vm_execute.h:53889
#5  0x0000555555b54ad0 in zend_execute (op_array=0x7ffff3e84300, return_value=0x0)
    at /var/roman/src/php/php-7.4.3/Zend/zend_vm_execute.h:57913
#6  0x0000555555a779f5 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /var/roman/src/php/php-7.4.3/Zend/zend.c:1665
#7  0x00005555559d6713 in php_execute_script (primary_file=0x7fffffffca60)
    at /var/roman/src/php/php-7.4.3/main/main.c:2617
#8  0x0000555555b5760f in do_cli (argc=2, argv=0x55555678a500)
    at /var/roman/src/php/php-7.4.3/sapi/cli/php_cli.c:961
#9  0x0000555555b587d1 in main (argc=2, argv=0x55555678a500)
    at /var/roman/src/php/php-7.4.3/sapi/cli/php_cli.c:1356


Test script:
---------------
<?php

ini_set('soap.wsdl_cache_enabled',0);
ini_set('soap.wsdl_cache_ttl',0);

$sc = new SoapClient('http://www.dneonline.com/calculator.asmx?WSDL');
// parameter intB is missing
$res = $sc->Add(['intA'=>1]);
// PHP 7.3 throws exception: SOAP-ERROR: Encoding: object has no 'intB' property
// PHP 7.4 (shared soap) segfaults
var_dump($res);


Expected result:
----------------
Exception: SOAP-ERROR: Encoding: object has no 'intB' property

Actual result:
--------------
Segfault.
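
An offline check for the expected result above, added here as an example; it is not part of the original report or of php-src. The WSDL, the urn:example:calc namespace and the localhost endpoint are constructed for the example, and the report does not confirm that this variant triggers the crash on an affected build; it only verifies that a missing parameter surfaces as a SoapFault without contacting a remote service.

```php
<?php
// Constructed minimal WSDL (not from the report): one document/literal
// operation Add(intA, intB), the same shape the test script calls.
$wsdl = <<<'XML'
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:t="urn:example:calc" targetNamespace="urn:example:calc">
 <types><xs:schema targetNamespace="urn:example:calc" elementFormDefault="qualified">
  <xs:element name="Add"><xs:complexType><xs:sequence>
   <xs:element name="intA" type="xs:int"/>
   <xs:element name="intB" type="xs:int"/>
  </xs:sequence></xs:complexType></xs:element>
  <xs:element name="AddResponse"><xs:complexType><xs:sequence>
   <xs:element name="AddResult" type="xs:int"/>
  </xs:sequence></xs:complexType></xs:element>
 </xs:schema></types>
 <message name="AddIn"><part name="parameters" element="t:Add"/></message>
 <message name="AddOut"><part name="parameters" element="t:AddResponse"/></message>
 <portType name="CalcPort"><operation name="Add">
  <input message="t:AddIn"/><output message="t:AddOut"/>
 </operation></portType>
 <binding name="CalcBinding" type="t:CalcPort">
  <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
  <operation name="Add"><soap:operation soapAction="urn:example:calc#Add"/>
   <input><soap:body use="literal"/></input>
   <output><soap:body use="literal"/></output>
  </operation>
 </binding>
 <service name="Calc"><port name="CalcPort" binding="t:CalcBinding">
  <soap:address location="http://localhost/calc"/>
 </port></service>
</definitions>
XML;
$file = tempnam(sys_get_temp_dir(), 'wsdl');
file_put_contents($file, $wsdl);
$status = 1;
try {
    $sc = new SoapClient($file, ['cache_wsdl' => WSDL_CACHE_NONE]);
    $sc->Add(['intA' => 1]);   // intB deliberately missing
    echo "FAIL: no exception raised\n";
} catch (SoapFault $e) {
    // The encoding error is raised while building the request, before any HTTP call.
    $ok = strpos($e->getMessage(), "no 'intB' property") !== false;
    echo ($ok ? "OK: " : "UNEXPECTED: "), $e->getMessage(), "\n";
    $status = $ok ? 0 : 1;
} finally {
    unlink($file);
}
exit($status);
```

A non-zero exit status or a process killed by SIGSEGV means the build does not behave as the report expects.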

 [2020-03-09 10:30 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2020-03-09 10:30 UTC] nikic@php.net
Valgrind:

==21080== Conditional jump or move depends on uninitialised value(s)
==21080==    at 0x9A194F: zval_ptr_dtor_nogc (zend_variables.h:34)
==21080==    by 0x9B5F34: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_vm_execute.h:2615)
==21080==    by 0xA17DB9: execute_ex (zend_vm_execute.h:53889)
==21080==    by 0xA1BD88: zend_execute (zend_vm_execute.h:57913)
==21080==    by 0x93EFD7: zend_execute_scripts (zend.c:1665)
==21080==    by 0x8A0781: php_execute_script (main.c:2617)
==21080==    by 0xA1E99C: do_cli (php_cli.c:961)
==21080==    by 0xA1FB6C: main (php_cli.c:1356)
 [2020-03-09 13:51 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2020-03-09 14:02 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=760faa12b20db56bd3e2faab8d658f622af7da6a
Log: Fixed bug #79357
 [2020-03-09 14:02 UTC] nikic@php.net
-Status: Verified +Status: Closed
Last updated: Thu Nov 21 15:01:30 2024 UTC