Bug #70032 make_http_soap_request calls zend_hash_get_current_key_ex(,,,NULL)
Submitted: 2015-07-09 06:50 UTC
Modified: 2015-07-09 08:41 UTC
From: turchanov at farpost dot com
Assigned: laruence
Status: Closed
Package: SOAP related
PHP Version: 7.0.0alpha2
OS: Linux
Private report: No
CVE-ID:
 [2015-07-09 06:50 UTC] turchanov at farpost dot com
Description:
------------
make_http_soap_request at php_http.c:817 makes a call
...
zend_hash_get_current_key_ex(Z_ARRVAL_P(cookies), &key, NULL, NULL);
...

But the implementation of zend_hash_get_current_key_ex dereferences the 'pos' parameter without checking that it is not NULL:

ZEND_API int ZEND_FASTCALL zend_hash_get_current_key_ex(const HashTable *ht, zend_string **str_index, zend_ulong *num_index, HashPosition *pos)
{
        uint32_t idx = *pos;  /* !!!!!! */

In PHP 5.6.x the same function does the check:
ZEND_API int zend_hash_get_current_key_ex(const HashTable *ht, char **str_index, uint *str_length, ulong *num_index, zend_bool duplicate, HashPosition *pos)
{
        Bucket *p;
        p = pos ? (*pos) : ht->pInternalPointer;


Actual result:
--------------
Program terminated with signal 11, Segmentation fault.
#0  zend_hash_get_current_key_ex (ht=0x7f908a4a04d0, str_index=0x7fff0b8eee40, num_index=0x0, pos=0x0) at /usr/src/debug/php-src-master/Zend/zend_hash.c:2032
2032		uint32_t idx = *pos;

(gdb) bt
#0  zend_hash_get_current_key_ex (ht=0x7f908a4a04d0, str_index=0x7fff0b8eee40, num_index=0x0, pos=0x0) at /usr/src/debug/php-src-master/Zend/zend_hash.c:2032
#1  0x00000000006fb368 in make_http_soap_request (this_ptr=<value optimized out>, 
    buf=0x7f908a3f9318 "<?xml version=\"1.0\""..., buf_size=<value optimized out>, location=<value optimized out>, 
    soapaction=<value optimized out>, soap_version=1, return_value=0x7f909d815050) at /usr/src/debug/php-src-master/ext/soap/php_http.c:817


 [2015-07-09 07:36 UTC] kalle@php.net
-Status: Open
+Status: Assigned
-Assigned To:
+Assigned To: laruence
 [2015-07-09 07:36 UTC] kalle@php.net
Xinchen, I'm assigning this to you, I'm not sure whether or not you want the internal hash API to change or the usage of zend_hash_get_current_key_ex().

Turchanov at farpost dot com, if you got an example/test case, could you please attach it to this bug report?
 [2015-07-09 08:18 UTC] turchanov at farpost dot com
> Turchanov at farpost dot com, if you got an example/test case, could you please attach it to this bug report?

I doubt it mostly due to the necessity to have a separate SOAP server which uses(!) cookies as the code in question at php_http.c:817 appends client cookies to HTTP request headers (... and fails with the segfault).
 [2015-07-09 08:41 UTC] laruence@php.net
This should be fixed by using zend_hash_get_current_key instead.

thanks
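
Added example, not part of the report or of php-src: a toy C model of the contract described in the report (an `_ex` function that dereferences `pos` unconditionally) and of the fix suggested in the comment above (call the non-`_ex` entry point). All `toy_*` names and the sample cookie names are hypothetical, and it is an assumption of the model that the non-`_ex` function supplies the table's internal position itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model, not PHP source: every name below is hypothetical. */
typedef struct {
    const char *keys[4];   /* constructed sample cookie names */
    uint32_t    used;      /* number of valid slots */
    uint32_t    internal;  /* the table's own iteration cursor */
} toy_table;

enum { TOY_KEY_STRING = 1, TOY_KEY_NONE = 3 };

/* PHP 7 shape: pos is mandatory. nonnull (GCC/Clang) records that contract,
 * so a literal NULL argument is flagged by -Wnonnull at compile time. */
static int toy_key_ex(const toy_table *t, const char **key, const uint32_t *pos)
    __attribute__((nonnull(1, 3)));

static int toy_key_ex(const toy_table *t, const char **key, const uint32_t *pos)
{
    uint32_t idx = *pos;   /* same unconditional dereference as in the report */
    if (idx >= t->used) return TOY_KEY_NONE;
    if (key) *key = t->keys[idx];
    return TOY_KEY_STRING;
}

/* Shape of the fix (assumed): the non-_ex entry point passes the internal
 * cursor, so a call site with no position of its own never passes a pointer. */
static int toy_key(const toy_table *t, const char **key)
{
    return toy_key_ex(t, key, &t->internal);
}

/* Cookie loop in the style of the SOAP call site: walk the table with its
 * internal cursor and join the names into one header value. */
static size_t toy_cookie_names(toy_table *t, char *out, size_t cap)
{
    const char *key;
    size_t len = 0;
    if (cap == 0) return 0;
    out[0] = '\0';
    for (t->internal = 0; toy_key(t, &key) == TOY_KEY_STRING; t->internal++) {
        int n = snprintf(out + len, cap - len, "%s%s", len ? "; " : "", key);
        if (n < 0 || (size_t)n >= cap - len) { out[len] = '\0'; break; }
        len += (size_t)n;  /* entry fitted completely */
    }
    return len;
}
```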
 [2015-07-09 08:41 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0de0c4ace14437071fb8a8690f387a63c0c48003
Log: Fixed Bug #70032 (make_http_soap_request calls zend_hash_get_current_key_ex(,,,NULL))
 [2015-07-09 08:41 UTC] laruence@php.net
-Status: Assigned
+Status: Closed
 [2015-07-21 14:21 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0de0c4ace14437071fb8a8690f387a63c0c48003
Log: Fixed Bug #70032 (make_http_soap_request calls zend_hash_get_current_key_ex(,,,NULL))
 [2016-07-20 11:37 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0de0c4ace14437071fb8a8690f387a63c0c48003
Log: Fixed Bug #70032 (make_http_soap_request calls zend_hash_get_current_key_ex(,,,NULL))
 
Last updated: Tue Aug 29 15:01:52 2017 UTC