php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #76476 Segmentation fault in zim_SoapServer_handle
Submitted: 2018-06-14 11:03 UTC Modified: 2021-04-04 04:22 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: dnt at gmx dot com Assigned: cmb (profile)
Status: No Feedback Package: SOAP related
PHP Version: 7.2.6 OS: Arch Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: dnt at gmx dot com
New email:
PHP Version: OS:

 

 [2018-06-14 11:03 UTC] dnt at gmx dot com 
Description:
------------
I get a segmentation fault in zim_SoapServer_handle under PHP 7.2.6. The script runs with PHP 5.3 to 5.6. This is the result of running the script with USE_ZEND_ALLOC=0 valgrind --tool=memcheck --leak-check=no --track-origins=yes --num-callers=30 --show-reachable=no:

==25782== Conditional jump or move depends on uninitialised value(s)
==25782==    at 0x403F647: ???
==25782==    by 0xF169A77: ???
==25782==    by 0xF169A77: ???
==25782==    by 0xF169A80: ???
==25782==    by 0x1FFEFFB54F: ???
==25782==  Uninitialised value was created by a heap allocation
==25782==    at 0x4C2CEDF: malloc (vg_replace_malloc.c:299)
==25782==    by 0x6EDE9F: __zend_malloc (zend_alloc.c:2829)
==25782==    by 0x6ED16A: _emalloc (zend_alloc.c:2429)
==25782==    by 0x5C8939: zend_string_alloc (zend_string.h:134)
==25782==    by 0x5C8A75: zend_string_init (zend_string.h:170)
==25782==    by 0x5CA9DC: zif_parse_url (url.c:399)
==25782==    by 0x78E3E0: ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:816)
==25782==    by 0x814CBB: execute_ex (zend_vm_execute.h:59746)
==25782==    by 0x70E380: zend_call_function (zend_execute_API.c:819)
==25782==    by 0x4733A8: reflection_method_invoke (php_reflection.c:3221)
==25782==    by 0x47357C: zim_reflection_method_invokeArgs (php_reflection.c:3257)
==25782==    by 0x78EF0D: ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1032)
==25782==    by 0x814CD5: execute_ex (zend_vm_execute.h:59752)
==25782==    by 0x81A08A: zend_execute (zend_vm_execute.h:63760)
==25782==    by 0x728B7C: zend_execute_scripts (zend.c:1496)
==25782==    by 0x68BCC6: php_execute_script (main.c:2590)
==25782==    by 0x81CCC9: do_cli (php_cli.c:1011)
==25782==    by 0x81DEE1: main (php_cli.c:1404)
==25782== 
==25782== Invalid read of size 8
==25782==    at 0x49E3C3: zim_SoapServer_handle (soap.c:1804)
==25782==    by 0x78E8C9: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:907)
==25782==    by 0x814CC8: execute_ex (zend_vm_execute.h:59749)
==25782==    by 0x70E380: zend_call_function (zend_execute_API.c:819)
==25782==    by 0x4733A8: reflection_method_invoke (php_reflection.c:3221)
==25782==    by 0x47357C: zim_reflection_method_invokeArgs (php_reflection.c:3257)
==25782==    by 0x78EF0D: ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1032)
==25782==    by 0x814CD5: execute_ex (zend_vm_execute.h:59752)
==25782==    by 0x81A08A: zend_execute (zend_vm_execute.h:63760)
==25782==    by 0x728B7C: zend_execute_scripts (zend.c:1496)
==25782==    by 0x68BCC6: php_execute_script (main.c:2590)
==25782==    by 0x81CCC9: do_cli (php_cli.c:1011)
==25782==    by 0x81DEE1: main (php_cli.c:1404)
==25782==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
==25782== 
==25782== 
==25782== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==25782==  Access not within mapped region at address 0x10
==25782==    at 0x49E3C3: zim_SoapServer_handle (soap.c:1804)
==25782==    by 0x78E8C9: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:907)
==25782==    by 0x814CC8: execute_ex (zend_vm_execute.h:59749)
==25782==    by 0x70E380: zend_call_function (zend_execute_API.c:819)
==25782==    by 0x4733A8: reflection_method_invoke (php_reflection.c:3221)
==25782==    by 0x47357C: zim_reflection_method_invokeArgs (php_reflection.c:3257)
==25782==    by 0x78EF0D: ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1032)
==25782==    by 0x814CD5: execute_ex (zend_vm_execute.h:59752)
==25782==    by 0x81A08A: zend_execute (zend_vm_execute.h:63760)
==25782==    by 0x728B7C: zend_execute_scripts (zend.c:1496)
==25782==    by 0x68BCC6: php_execute_script (main.c:2590)
==25782==    by 0x81CCC9: do_cli (php_cli.c:1011)
==25782==    by 0x81DEE1: main (php_cli.c:1404)
==25782==  If you believe this happened as a result of a stack
==25782==  overflow in your program's main thread (unlikely but
==25782==  possible), you can try to increase the size of the
==25782==  main thread stack using the --main-stacksize= flag.
==25782==  The main thread stack size used in this run was 8388608.
==25782== 
==25782== HEAP SUMMARY:
==25782==     in use at exit: 21,865,125 bytes in 130,847 blocks
==25782==   total heap usage: 412,679 allocs, 281,832 frees, 111,220,670 bytes allocated
==25782== 
==25782== For a detailed leak analysis, rerun with: --leak-check=full
==25782== 
==25782== For counts of detected and suppressed errors, rerun with: -v
==25782== ERROR SUMMARY: 5 errors from 2 contexts (suppressed: 0 from 0)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-06-18 15:27 UTC] dnt at gmx dot gom 
The problem arises when SoapServer::addSoapHeader() is called when handling the received SOAP header. Some sample service:

class MySoapService
{
    private $server;

    public function __construct(\SoapServer $server)
    {
        $this->server = $server;
        $server->setObject($this);
    }

    public function MyHeader($header)
    {
        $this->server->addSoapHeader(new \SoapHeader("ns", "MyHeader"));
    }
    
    public function MyRequest($request)
    {
        // this method is not reached
    }
}
 [2021-03-23 14:29 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-03-23 14:29 UTC] cmb@php.net 
This might not be particularly related to SOAP, but more of
general memory mismanagement issue.  Anyhow, does this still
happen to you with any of the actively supported PHP versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2021-04-04 04:22 UTC] php-bugs at lists dot php dot net 
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 26 10:01:31 2024 UTC