Bug #76476 Segmentation fault in zim_SoapServer_handle
Submitted: 2018-06-14 11:03 UTC Modified: -
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: dnt at gmx dot com Assigned:
Status: Open Package: SOAP related
PHP Version: 7.2.6 OS: Arch Linux
Private report: No CVE-ID: None
 [2018-06-14 11:03 UTC] dnt at gmx dot com
Description:
------------
I get a segmentation fault in zim_SoapServer_handle under PHP 7.2.6. The script runs with PHP 5.3 to 5.6. This is the result of running the script with USE_ZEND_ALLOC=0 valgrind --tool=memcheck --leak-check=no --track-origins=yes --num-callers=30 --show-reachable=no:

==25782== Conditional jump or move depends on uninitialised value(s)
==25782==    at 0x403F647: ???
==25782==    by 0xF169A77: ???
==25782==    by 0xF169A77: ???
==25782==    by 0xF169A80: ???
==25782==    by 0x1FFEFFB54F: ???
==25782==  Uninitialised value was created by a heap allocation
==25782==    at 0x4C2CEDF: malloc (vg_replace_malloc.c:299)
==25782==    by 0x6EDE9F: __zend_malloc (zend_alloc.c:2829)
==25782==    by 0x6ED16A: _emalloc (zend_alloc.c:2429)
==25782==    by 0x5C8939: zend_string_alloc (zend_string.h:134)
==25782==    by 0x5C8A75: zend_string_init (zend_string.h:170)
==25782==    by 0x5CA9DC: zif_parse_url (url.c:399)
==25782==    by 0x78E3E0: ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:816)
==25782==    by 0x814CBB: execute_ex (zend_vm_execute.h:59746)
==25782==    by 0x70E380: zend_call_function (zend_execute_API.c:819)
==25782==    by 0x4733A8: reflection_method_invoke (php_reflection.c:3221)
==25782==    by 0x47357C: zim_reflection_method_invokeArgs (php_reflection.c:3257)
==25782==    by 0x78EF0D: ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1032)
==25782==    by 0x814CD5: execute_ex (zend_vm_execute.h:59752)
==25782==    by 0x81A08A: zend_execute (zend_vm_execute.h:63760)
==25782==    by 0x728B7C: zend_execute_scripts (zend.c:1496)
==25782==    by 0x68BCC6: php_execute_script (main.c:2590)
==25782==    by 0x81CCC9: do_cli (php_cli.c:1011)
==25782==    by 0x81DEE1: main (php_cli.c:1404)
==25782== 
==25782== Invalid read of size 8
==25782==    at 0x49E3C3: zim_SoapServer_handle (soap.c:1804)
==25782==    by 0x78E8C9: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:907)
==25782==    by 0x814CC8: execute_ex (zend_vm_execute.h:59749)
==25782==    by 0x70E380: zend_call_function (zend_execute_API.c:819)
==25782==    by 0x4733A8: reflection_method_invoke (php_reflection.c:3221)
==25782==    by 0x47357C: zim_reflection_method_invokeArgs (php_reflection.c:3257)
==25782==    by 0x78EF0D: ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1032)
==25782==    by 0x814CD5: execute_ex (zend_vm_execute.h:59752)
==25782==    by 0x81A08A: zend_execute (zend_vm_execute.h:63760)
==25782==    by 0x728B7C: zend_execute_scripts (zend.c:1496)
==25782==    by 0x68BCC6: php_execute_script (main.c:2590)
==25782==    by 0x81CCC9: do_cli (php_cli.c:1011)
==25782==    by 0x81DEE1: main (php_cli.c:1404)
==25782==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
==25782== 
==25782== 
==25782== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==25782==  Access not within mapped region at address 0x10
==25782==    at 0x49E3C3: zim_SoapServer_handle (soap.c:1804)
==25782==    by 0x78E8C9: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:907)
==25782==    by 0x814CC8: execute_ex (zend_vm_execute.h:59749)
==25782==    by 0x70E380: zend_call_function (zend_execute_API.c:819)
==25782==    by 0x4733A8: reflection_method_invoke (php_reflection.c:3221)
==25782==    by 0x47357C: zim_reflection_method_invokeArgs (php_reflection.c:3257)
==25782==    by 0x78EF0D: ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1032)
==25782==    by 0x814CD5: execute_ex (zend_vm_execute.h:59752)
==25782==    by 0x81A08A: zend_execute (zend_vm_execute.h:63760)
==25782==    by 0x728B7C: zend_execute_scripts (zend.c:1496)
==25782==    by 0x68BCC6: php_execute_script (main.c:2590)
==25782==    by 0x81CCC9: do_cli (php_cli.c:1011)
==25782==    by 0x81DEE1: main (php_cli.c:1404)
==25782==  If you believe this happened as a result of a stack
==25782==  overflow in your program's main thread (unlikely but
==25782==  possible), you can try to increase the size of the
==25782==  main thread stack using the --main-stacksize= flag.
==25782==  The main thread stack size used in this run was 8388608.
==25782== 
==25782== HEAP SUMMARY:
==25782==     in use at exit: 21,865,125 bytes in 130,847 blocks
==25782==   total heap usage: 412,679 allocs, 281,832 frees, 111,220,670 bytes allocated
==25782== 
==25782== For a detailed leak analysis, rerun with: --leak-check=full
==25782== 
==25782== For counts of detected and suppressed errors, rerun with: -v
==25782== ERROR SUMMARY: 5 errors from 2 contexts (suppressed: 0 from 0)
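The valgrind output above carries three separate facts that matter for triage: where the process died (the `at` frame of the "Process terminating" block), what address it touched (0x10, which valgrind could not attribute to any stack or heap region), and where the uninitialised bytes it had been testing came from (the allocation trace under "Uninitialised value was created by"). The following Python script is an added example, not part of the bug report, that parses a memcheck log in this layout and pulls those facts out. The embedded log is a trimmed excerpt of the report's own output; the `ALLOCATOR_FILES` set used to skip allocator plumbing in the origin trace is my own heuristic, not something valgrind emits.

```python
"""Triage helper for a valgrind memcheck log like the one in this report."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Trimmed excerpt of the memcheck log quoted in the report (same PID and frames).
SAMPLE_LOG = """\
==25782== Conditional jump or move depends on uninitialised value(s)
==25782==    at 0x403F647: ???
==25782==    by 0xF169A77: ???
==25782==  Uninitialised value was created by a heap allocation
==25782==    at 0x4C2CEDF: malloc (vg_replace_malloc.c:299)
==25782==    by 0x6EDE9F: __zend_malloc (zend_alloc.c:2829)
==25782==    by 0x6ED16A: _emalloc (zend_alloc.c:2429)
==25782==    by 0x5C8939: zend_string_alloc (zend_string.h:134)
==25782==    by 0x5CA9DC: zif_parse_url (url.c:399)
==25782== 
==25782== Invalid read of size 8
==25782==    at 0x49E3C3: zim_SoapServer_handle (soap.c:1804)
==25782==    by 0x78E8C9: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:907)
==25782==    by 0x814CC8: execute_ex (zend_vm_execute.h:59749)
==25782==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
==25782== 
==25782== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==25782==  Access not within mapped region at address 0x10
==25782==    at 0x49E3C3: zim_SoapServer_handle (soap.c:1804)
==25782== 
==25782== ERROR SUMMARY: 5 errors from 2 contexts (suppressed: 0 from 0)
"""

_LINE = re.compile(r"^==\d+==(.*)$")
_FRAME = re.compile(r"^(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(.*?)(?:\s+\(([^:()]+):(\d+)\))?$")
_ADDR = re.compile(r"[Aa]ddress 0x([0-9A-Fa-f]+)")
# Heuristic (mine, not valgrind's): allocator plumbing that tops every heap-origin
# trace; the first frame below it is the code that actually asked for the memory.
ALLOCATOR_FILES = {"vg_replace_malloc.c", "zend_alloc.c", "zend_string.h"}


@dataclass
class Frame:
    func: str
    file: Optional[str] = None
    line: Optional[int] = None


@dataclass
class Record:
    kind: str                                   # the header line of the block
    frames: List[Frame] = field(default_factory=list)   # where the error was hit
    origin: List[Frame] = field(default_factory=list)   # where the bad value came from
    notes: List[str] = field(default_factory=list)      # 2-space indented explanations


def parse_valgrind(text: str) -> List[Record]:
    """Split a memcheck log into records using valgrind's indentation scheme."""
    records: List[Record] = []
    current: Optional[Record] = None
    in_origin = False
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue
        rest = m.group(1)
        body = rest.strip()
        indent = len(rest) - len(rest.lstrip(" "))
        if not body:                                   # blank line ends a record
            if current is not None:
                records.append(current)
            current, in_origin = None, False
        elif indent == 1:                              # one space: record header
            if current is not None:
                records.append(current)
            current, in_origin = Record(kind=body), False
        elif indent == 2 and current is not None:      # two spaces: explanatory note
            current.notes.append(body)
            if body.startswith("Uninitialised value was created"):
                in_origin = True                       # following frames are the origin
        elif indent >= 3 and current is not None:      # four spaces: stack frame
            fm = _FRAME.match(body)
            if fm:
                frame = Frame(fm.group(1), fm.group(2), int(fm.group(3)) if fm.group(3) else None)
                (current.origin if in_origin else current.frames).append(frame)
    if current is not None:
        records.append(current)
    return records


def crash_site(records: List[Record]) -> Optional[Frame]:
    """Innermost frame with a source location in the fatal-signal record."""
    for rec in records:
        if rec.kind.startswith("Process terminating"):
            return next((fr for fr in rec.frames if fr.file), None)
    return None


def fault_address(records: List[Record]) -> Optional[int]:
    """The address valgrind names in the first 'Address ...' / 'address ...' note."""
    for rec in records:
        for note in rec.notes:
            am = _ADDR.search(note)
            if am:
                return int(am.group(1), 16)
    return None


def classify_address(addr: int, page_size: int = 4096) -> str:
    # An access inside the first page that no allocation accounts for is almost
    # always a NULL pointer plus the offset of the struct field being read.
    if addr < page_size:
        return "near-null dereference (NULL pointer + field offset 0x%x)" % addr
    return "wild or dangling pointer"


def uninitialised_origin(records: List[Record]) -> Optional[Frame]:
    """First origin frame outside the allocator plumbing."""
    for rec in records:
        for fr in rec.origin:
            if fr.file and fr.file not in ALLOCATOR_FILES:
                return fr
    return None


def triage(text: str) -> dict:
    records = parse_valgrind(text)
    site, addr, origin = crash_site(records), fault_address(records), uninitialised_origin(records)
    return {
        "errors": sum(1 for r in records if r.frames),
        "crash_site": f"{site.func} ({site.file}:{site.line})" if site else None,
        "fault_address": addr,
        "address_class": classify_address(addr) if addr is not None else None,
        "uninitialised_origin": f"{origin.func} ({origin.file}:{origin.line})" if origin else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:>22}: {value}")
```

Run against the full log from the report, `triage()` points at `zim_SoapServer_handle (soap.c:1804)` reading through a near-null pointer, and at `zif_parse_url (url.c:399)` as the allocation whose contents were being tested uninitialised; the two findings come from different contexts and the parser keeps them separate rather than assuming the second explains the first.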

 [2018-06-18 15:27 UTC] dnt at gmx dot com
The problem arises when SoapServer::addSoapHeader() is called when handling the received SOAP header. Some sample service:

<?php
// Sample service from the report, with an opening tag and a minimal driver
// added so it runs as a stand-alone non-WSDL SoapServer script.
class MySoapService
{
    private $server;

    public function __construct(\SoapServer $server)
    {
        $this->server = $server;
        $server->setObject($this);
    }

    // Invoked for the incoming <MyHeader> SOAP header; calling addSoapHeader()
    // from inside a header handler is what triggers the crash reported above.
    public function MyHeader($header)
    {
        $this->server->addSoapHeader(new \SoapHeader("ns", "MyHeader"));
    }

    public function MyRequest($request)
    {
        // this method is not reached
    }
}

// Added driver: non-WSDL mode requires the 'uri' option; handle() reads the
// SOAP request from the input stream and dispatches headers, then the body.
$server = new \SoapServer(null, ['uri' => 'ns']);
new MySoapService($server);
$server->handle();
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Thu Feb 20 21:01:27 2020 UTC