php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #42736 XMLRPC causes crash in zend_hash.c
Submitted: 2007-09-22 19:41 UTC Modified: 2007-11-12 11:25 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: edman007 at edman007 dot com Assigned:
Status: Closed Package: XMLRPC-EPI related
PHP Version: 5.2.4 OS: Linux
Private report: No CVE-ID:
 [2007-09-22 19:41 UTC] edman007 at edman007 dot com
Description:
------------
This request combination with the classes defined causes PHP to crash, 
strangely it does not crash when the SOAP_Array class does not exist, 
even though that class is never used in this script

Reproduce code:
---------------
<?php
class SOAP_Array {
    public function get($id){
	return $this->add($id);
    }
}

$xml = xmlrpc_server_create();

$Myrequest = '<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>GetProducts</methodName><params><param><value><dateTime.iso8601>20060922T14:26:19</dateTime.iso8601></value></param></params></methodCall>';

class MyClass {
function GetProducts($dummy, $time){
	return array('faultString' => $time);
}
}
$myclass =  new MyClass();
xmlrpc_server_register_method($xml, 'GetProducts', array($myclass, 'GetProducts'));
$response = xmlrpc_server_call_method($xml, $Myrequest, null);
header('Content-type: text/xml');
echo $response;

?>

Expected result:
----------------
Not crash

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1216215360 (LWP 23402)]
zend_hash_get_current_key_ex (ht=0x3, str_index=0xbfa7d194, 
str_length=0x0, num_index=0x3, duplicate=0 '\0', pos=0x3)
    at /home/edman007/php-upgrade/php-5.2.4/Zend/zend_hash.c:1116
1116                    if (p->nKeyLength) {
(gdb) bt
#0  zend_hash_get_current_key_ex (ht=0x3, str_index=0xbfa7d194, 
str_length=0x0, num_index=0x3, duplicate=0 '\0', pos=0x3)
    at /home/edman007/php-upgrade/php-5.2.4/Zend/zend_hash.c:1116
#1  0x082fa474 in determine_vector_type (ht=0xb77ecb7c) at 
/home/edman007/php-upgrade/php-5.2.4/ext/xmlrpc/xmlrpc-epi-php.c:439
#2  0x082fa676 in PHP_to_XMLRPC_worker (key=0xb77eced8 "faultString", 
in_val=0xb77ecb00, depth=0)
    at /home/edman007/php-upgrade/php-5.2.4/ext/xmlrpc/xmlrpc-epi-
php.c:515
#3  0x082fa723 in PHP_to_XMLRPC_worker (key=0x0, in_val=0xb77ecb00, 
depth=1)
    at /home/edman007/php-upgrade/php-5.2.4/ext/xmlrpc/xmlrpc-epi-
php.c:534
#4  0x082fa7e3 in PHP_to_XMLRPC (root_val=0xb77ecb54) at 
/home/edman007/php-upgrade/php-5.2.4/ext/xmlrpc/xmlrpc-epi-php.c:555
#5  0x082fbb28 in zif_xmlrpc_server_call_method (ht=-1216427508, 
return_value=0xb77eb360, return_value_ptr=0x0, this_ptr=0x0,
    return_value_used=1) at /home/edman007/php-upgrade/php-
5.2.4/ext/xmlrpc/xmlrpc-epi-php.c:1090
#6  0x08366613 in zend_do_fcall_common_helper_SPEC 
(execute_data=0xbfa7d4b0) at zend_vm_execute.h:200
#7  0x08365dd9 in execute (op_array=0xb77ea868) at 
zend_vm_execute.h:92
#8  0x0834a4a1 in zend_execute_scripts (type=8, retval=0x0, 
file_count=3) at /home/edman007/php-upgrade/php-5.2.4/Zend/zend.c:1134
#9  0x0830bbaf in php_execute_script (primary_file=0xbfa7f850) at 
/home/edman007/php-upgrade/php-5.2.4/main/main.c:1982
#10 0x083c59d6 in main (argc=2, argv=0xbfa7f924) at 
/home/edman007/php-upgrade/php-5.2.4/sapi/cli/php_cli.c:1140




Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-11-12 11:25 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sun Apr 20 03:02:42 2014 UTC