Bug #54911 Access to a undefined member in inherit SoapClient may cause Segmentation Fault
Submitted: 2011-05-23 19:33 UTC Modified: 2011-11-28 14:20 UTC
From: erik at datahack dot se Assigned: dmitry
Status: Closed Package: Reproducible crash
PHP Version: 5.3.6 OS: Linux
Private report: No CVE-ID:
 [2011-05-23 19:33 UTC] erik at datahack dot se
Description:
------------
If you try to access an undefined variable or constant in an extended SoapClient, it will cause PHP to crash due to a Segmentation Fault.

Test script:
---------------
<?php
    class XSoapClient extends SoapClient {
        function __doRequest($request, $location, $action, $version) {
            echo self::$crash;
//          echo parent::$crash;
//          echo self::crash;
//          echo parent::crash;
        }   
    }   
    $client = new XSoapClient(null, array('uri'=>'', 'location'=>''));
    $client->__soapCall('', array());
?>

Expected result:
----------------
An error like, Fatal error: Access to undeclared static property: XSoapClient::$crash...

Actual result:
--------------
$ sapi/cli/php ../crash.php 
Segmentation fault

# gdb backtrace...
Starting program: /home/erik/php-5.3.6/sapi/cli/php ../crash.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x0843c238 in zval_delref_p (zval_ptr=0xbfffcf68, __zend_filename=0x87cc4e8 "/home/erik/php-5.3.6/Zend/zend_vm_execute.h", 
    __zend_lineno=609) at /home/erik/php-5.3.6/Zend/zend.h:385
385		return --pz->refcount__gc;
(gdb) bt
#0  0x0843c238 in zval_delref_p (zval_ptr=0xbfffcf68, __zend_filename=0x87cc4e8 "/home/erik/php-5.3.6/Zend/zend_vm_execute.h", 
    __zend_lineno=609) at /home/erik/php-5.3.6/Zend/zend.h:385
#1  _zval_ptr_dtor (zval_ptr=0xbfffcf68, __zend_filename=0x87cc4e8 "/home/erik/php-5.3.6/Zend/zend_vm_execute.h", __zend_lineno=609)
    at /home/erik/php-5.3.6/Zend/zend_execute_API.c:437
#2  0x08479ff8 in ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (execute_data=0x8920a60) at /home/erik/php-5.3.6/Zend/zend_vm_execute.h:609
#3  0x08478793 in execute (op_array=0x88f2be0) at /home/erik/php-5.3.6/Zend/zend_vm_execute.h:107
#4  0x0844bae6 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/erik/php-5.3.6/Zend/zend.c:1194
#5  0x083e102e in php_execute_script (primary_file=0xbffff324) at /home/erik/php-5.3.6/main/main.c:2268
#6  0x08509d35 in main (argc=2, argv=0xbffff4b4) at /home/erik/php-5.3.6/sapi/cli/php_cli.c:1193


 [2011-09-17 10:29 UTC] laruence@php.net
-Assigned To: +Assigned To: dmitry
 [2011-09-17 10:29 UTC] laruence@php.net
assign to dmitry.
 [2011-09-17 10:32 UTC] laruence@php.net
and I can also reproduce this with svn-trunk
and after I undef zend_always_inline, I got a clearer bt:
#0  0x00000000009ffe8c in zval_delref_p (pz=0x5a5a5a5a5a5a5a5a) at /home/laruence/opensource/php-src/trunk/Zend/zend.h:391
391     return --pz->refcount__gc;
(gdb) bt
#0  0x00000000009ffe8c in zval_delref_p (pz=0x5a5a5a5a5a5a5a5a) at /home/laruence/opensource/php-src/trunk/Zend/zend.h:391
#1  0x0000000000a00efc in i_zval_ptr_dtor (zval_ptr=0x5a5a5a5a5a5a5a5a, 
    __zend_filename=0xdb2f28 "/home/laruence/opensource/php-src/trunk/Zend/zend_execute.h", __zend_lineno=339)
    at /home/laruence/opensource/php-src/trunk/Zend/zend_execute.h:82
#2  0x0000000000a0163e in zend_vm_stack_clear_multiple () at /home/laruence/opensource/php-src/trunk/Zend/zend_execute.h:339
#3  0x0000000000a050f9 in zend_do_fcall_common_helper_SPEC (execute_data=0x2a95fbc0e8)
    at /home/laruence/opensource/php-src/trunk/Zend/zend_vm_execute.h:736
#4  0x0000000000a054c8 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x2a95fbc0e8)
    at /home/laruence/opensource/php-src/trunk/Zend/zend_vm_execute.h:752
#5  0x0000000000a0427c in execute (op_array=0x2a95ff3828) at /home/laruence/opensource/php-src/trunk/Zend/zend_vm_execute.h:410
#6  0x00000000009b0c18 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/laruence/opensource/php-src/trunk/Zend/zend.c:1271
#7  0x00000000008ef5aa in php_execute_script (primary_file=0x7fbffff260) at /home/laruence/opensource/php-src/trunk/main/main.c:2391
#8  0x0000000000a632c8 in do_cli (argc=2, argv=0x7fbffff548) at /home/laruence/opensource/php-src/trunk/sapi/cli/php_cli.c:983
#9  0x0000000000a64169 in main (argc=2, argv=0x7fbffff548) at /home/laruence/opensource/php-src/trunk/sapi/cli/php_cli.c:1356
 [2011-11-28 14:20 UTC] dmitry@php.net
Automatic comment from SVN on behalf of dmitry
Revision: http://svn.php.net/viewvc/?view=revision&revision=320113
Log: Fixed bug #54911 (Access to a undefined member in inherit SoapClient may cause Segmentation Fault)
 [2011-11-28 14:20 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2011-11-28 14:20 UTC] dmitry@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-04-18 09:47 UTC] laruence@php.net
Automatic comment on behalf of dmitry
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a2ac3a6f26cf554141301c64adf72fd1acb107ae
Log: Fixed bug #54911 (Access to a undefined member in inherit SoapClient may cause Segmentation Fault)
 [2012-07-24 23:38 UTC] rasmus@php.net
Automatic comment on behalf of dmitry
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a2ac3a6f26cf554141301c64adf72fd1acb107ae
Log: Fixed bug #54911 (Access to a undefined member in inherit SoapClient may cause Segmentation Fault)
 [2013-11-17 09:34 UTC] laruence@php.net
Automatic comment on behalf of dmitry
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a2ac3a6f26cf554141301c64adf72fd1acb107ae
Log: Fixed bug #54911 (Access to a undefined member in inherit SoapClient may cause Segmentation Fault)
 
Last updated: Thu Apr 17 06:02:13 2014 UTC