Bug #70709 SOAP Client generates Segfault
Submitted: 2015-10-14 03:31 UTC
Modified: 2015-10-14 04:16 UTC
From: sergiopaternoster73 at gmail dot com
Assigned: laruence
Status: Closed
Package: SOAP related
PHP Version: 7.0.0RC4
OS: Ubuntu 14.04.3 LTS
Private report: No
CVE-ID:
 [2015-10-14 03:31 UTC] sergiopaternoster73 at gmail dot com
Description:
------------
Force.com SOAP API client generates segfault. Looks like Bug #69293. This works fine with php-7.0.0RC3 though. 

-- Configure options --
configure --prefix=/usr/local/php/7.0.0RC4 --enable-libxml --enable-soap --with-openssl --with-curl=/usr --enable-debug

Test script:
---------------
<?php
require_once('SforceEnterpriseClient.php');
$mySforceConnection = new SforceEnterpriseClient();
$mySoapClient = $mySforceConnection->createConnection('enterprise.wsdl.xml');

try {
    $mylogin = $mySforceConnection->login('wronguid@mydomain.com', 'wrongpwd');
} catch (Exception $e) {
    echo 'Login Error: ', $e->getMessage(), "\n";
    exit();
}

Expected result:
----------------
Login Error: INVALID_LOGIN: Invalid username, password, security token; or user locked out.

-- php-7.0.0RC3 and below give the correct result --

Actual result:
--------------
Core was generated by `/usr/local/php/7.0.0RC4/bin/php -q sfdc.php'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00000000007866af in zend_string_realloc (s=0x0, len=665, persistent=0) at /home/edsradmin/software/php-7.0.0RC4/Zend/zend_string.h:185
185             if (!ZSTR_IS_INTERNED(s)) {
(gdb) bt
#0  0x00000000007866af in zend_string_realloc (s=0x0, len=665, persistent=0) at /home/edsradmin/software/php-7.0.0RC4/Zend/zend_string.h:185
#1  0x000000000078cec9 in get_http_body (stream=0x7fb30d5296c0, close=0,
    headers=0x7fb3164ef018 "HTTP/1.1 500 Server Error\r\nDate: Wed, 14 Oct 2015 03:27:21 GMT\r\nSet-Cookie: BrowserId=LZI5gVgrQTOhnXFwnP8JiA;Path=/;Domain=.salesforce.com;Expires=Sun, 13-Dec-2015 03:27:21 GMT\r\nExpires: Thu, 01 Jan 1"...) at /home/edsradmin/software/php-7.0.0RC4/ext/soap/php_http.c:1422
#2  0x000000000078b5bc in make_http_soap_request (this_ptr=0x7fb316414240, buf=0x7fb31647a180,
    location=0x7fb30d52c2b8 "https://login.salesforce.com/services/Soap/c/27.0", soapaction=0x7fb3164ce418 "", soap_version=1,
    return_value=0x7ffd146416f0) at /home/edsradmin/software/php-7.0.0RC4/ext/soap/php_http.c:1068
#3  0x0000000000772344 in zim_SoapClient___doRequest (execute_data=0x7fb316414220, return_value=0x7ffd146416f0)
    at /home/edsradmin/software/php-7.0.0RC4/ext/soap/soap.c:3121
#4  0x000000000099f073 in zend_call_function (fci=0x7ffd146412b0, fci_cache=0x7ffd146411c0)
    at /home/edsradmin/software/php-7.0.0RC4/Zend/zend_execute_API.c:872
#5  0x000000000099e466 in call_user_function_ex (function_table=0x0, object=0x7fb3164141c0, function_name=0x7ffd14641430, retval_ptr=0x7ffd146416f0,
    param_count=5, params=0x7ffd14641460, no_separation=1, symbol_table=0x0) at /home/edsradmin/software/php-7.0.0RC4/Zend/zend_execute_API.c:679
#6  0x000000000099e38d in call_user_function (function_table=0x0, object=0x7fb3164141c0, function_name=0x7ffd14641430, retval_ptr=0x7ffd146416f0,
    param_count=5, params=0x7ffd14641460) at /home/edsradmin/software/php-7.0.0RC4/Zend/zend_execute_API.c:661
#7  0x000000000076fccd in do_request (this_ptr=0x7fb3164141c0, request=0x1a7ff20,
    location=0x7fb30d4eaba0 "https://login.salesforce.com/services/Soap/c/27.0", action=0x7fb30d4fb460 "", version=1, one_way=0, response=0x7ffd146416f0)
    at /home/edsradmin/software/php-7.0.0RC4/ext/soap/soap.c:2586
#8  0x0000000000770850 in do_soap_call (execute_data=0x7fb3164141a0, this_ptr=0x7fb3164141c0, function=0x7fb30f16f610 "login", function_len=5,
    arg_count=1, real_args=0x7fb30d52d300, return_value=0x7fb316414180, location=0x7fb30d4eaba0 "https://login.salesforce.com/services/Soap/c/27.0",
    soap_action=0x0, call_uri=0x0, soap_headers=0x0, output_headers=0x0) at /home/edsradmin/software/php-7.0.0RC4/ext/soap/soap.c:2733
#9  0x000000000077198a in zim_SoapClient___call (execute_data=0x7fb3164141a0, return_value=0x7fb316414180)
    at /home/edsradmin/software/php-7.0.0RC4/ext/soap/soap.c:2951
#10 0x0000000000a14db9 in ZEND_CALL_TRAMPOLINE_SPEC_HANDLER () at /home/edsradmin/software/php-7.0.0RC4/Zend/zend_vm_execute.h:1810
#11 0x0000000000a109ca in execute_ex (ex=0x7fb316414030) at /home/edsradmin/software/php-7.0.0RC4/Zend/zend_vm_execute.h:414
#12 0x0000000000a10adc in zend_execute (op_array=0x7fb316482000, return_value=0x0) at /home/edsradmin/software/php-7.0.0RC4/Zend/zend_vm_execute.h:458
#13 0x00000000009b644b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/edsradmin/software/php-7.0.0RC4/Zend/zend.c:1428
#14 0x0000000000923f10 in php_execute_script (primary_file=0x7ffd14644040) at /home/edsradmin/software/php-7.0.0RC4/main/main.c:2471
#15 0x0000000000a74a9e in do_cli (argc=3, argv=0x18e0a20) at /home/edsradmin/software/php-7.0.0RC4/sapi/cli/php_cli.c:971
#16 0x0000000000a75c62 in main (argc=3, argv=0x18e0a20) at /home/edsradmin/software/php-7.0.0RC4/sapi/cli/php_cli.c:1342

 [2015-10-14 04:16 UTC] laruence@php.net
-Status: Open
+Status: Feedback
-Assigned To:
+Assigned To: laruence
 [2015-10-14 04:16 UTC] laruence@php.net
Seems like a simple null pointer dereference, but I cannot reproduce it as your reproduction script is not complete, so could you please verify the following patch?

diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c
index de599b2..005d3af 100644
--- a/ext/soap/php_http.c
+++ b/ext/soap/php_http.c
@@ -1419,7 +1419,12 @@ static zend_string* get_http_body(php_stream *stream, int close, char *headers)
                                                }
                                                return NULL;
                                        }
-                                   http_buf = zend_string_realloc(http_buf, http_buf_size + buf_size, 0);
+
+                                 if (http_buf) {
+                                         http_buf = zend_string_realloc(http_buf, http_buf_size + buf_size, 0);
+                                 } else {
+                                         http_buf = zend_string_alloc(buf_size, 0);
+                                 }

                                        while (len_size < buf_size) {
                                                int len_read = php_stream_read(stream, http_buf->val + http_buf_size, buf_size - len_size);
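Review bot: The else branch's zend_string_alloc(buf_size, 0) is only large enough if http_buf_size is 0 whenever http_buf is NULL, and nothing in this hunk establishes that. The php_stream_read in the context line below writes at http_buf->val + http_buf_size, so a NULL buffer with a non-zero http_buf_size would write past the new allocation. Allocating http_buf_size + buf_size in both branches, or asserting the invariant next to the NULL check, keeps the allocation size and the write offset in agreement. A one-line comment saying why http_buf can still be NULL at this point would also help the next reader.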



thanks
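The failure mode in this report, as an added example (not PHP's code and not part of the thread): a simplified header-prefixed string whose resize routine reads the header before resizing, as line 185 in the backtrace does, next to an accumulator that allocates on the first chunk. The names `hstr`, `hstr_alloc`, `hstr_realloc` and `append_chunk` are hypothetical, and the chunks are constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for a header-prefixed string; NOT PHP's zend_string. */
typedef struct {
    unsigned flags;              /* bit 0: interned (shared, never resized in place) */
    size_t   len;
    char     val[1];
} hstr;
#define HSTR_INTERNED 0x1u
#define HSTR_SIZE(n) (offsetof(hstr, val) + (n) + 1)
static hstr *hstr_alloc(size_t len) {
    hstr *s = malloc(HSTR_SIZE(len));
    if (!s) return NULL;
    s->flags = 0; s->len = len; s->val[len] = '\0';
    return s;
}
/* Reads the header before resizing, so unlike realloc(NULL, n) it needs s != NULL. */
static hstr *hstr_realloc(hstr *s, size_t len) {
    if (s->flags & HSTR_INTERNED) {          /* this read is what faults on NULL */
        hstr *copy = hstr_alloc(len);
        if (copy) memcpy(copy->val, s->val, s->len < len ? s->len : len);
        return copy;
    }
    hstr *r = realloc(s, HSTR_SIZE(len));
    if (r) { r->len = len; r->val[len] = '\0'; }
    return r;
}

/* Append one chunk: the first call (buf == NULL) allocates, later calls grow.
 * Returns NULL and frees buf on size overflow or allocation failure. */
static hstr *append_chunk(hstr *buf, const char *chunk, size_t n) {
    size_t used = buf ? buf->len : 0;
    if (n > SIZE_MAX - used - sizeof(hstr)) { free(buf); return NULL; }
    hstr *out = buf ? hstr_realloc(buf, used + n) : hstr_alloc(used + n);
    if (!out) { free(buf); return NULL; }
    memcpy(out->val + used, chunk, n);       /* offset and size use the same 'used' */
    return out;
}

int main(void) {
    hstr *body = append_chunk(NULL, "HTTP ", 5);   /* constructed sample chunks */
    if (body) body = append_chunk(body, "body", 4);
    int ok = body && strcmp(body->val, "HTTP body") == 0;
    free(body);
    return ok ? 0 : 1;
}
```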
 [2015-10-15 02:14 UTC] sergiopaternoster73 at gmail dot com
Laruence, you are a genius! It works, thank you!!! Tested on 2 different machines. 
Will this patch be included into the next RC?
Many thanks again
Sergio
 [2015-10-15 02:20 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a2cfcdfbe9f9ee18388b8ca1d788f43373fec31a
Log: Fixed bug #70709 (SOAP Client generates Segfault)
 [2015-10-15 02:20 UTC] laruence@php.net
-Status: Feedback
+Status: Closed
 [2015-10-25 12:42 UTC] ab@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=332cf3cf56921d18ff581fc3fc9ae25f92f79569
Log: Fixed bug #70709 (SOAP Client generates Segfault)
 [2016-07-20 11:36 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a2cfcdfbe9f9ee18388b8ca1d788f43373fec31a
Log: Fixed bug #70709 (SOAP Client generates Segfault)
 
Last updated: Wed Feb 22 15:01:37 2017 UTC