Bug #77141 Signedness issue in SOAP when precision=-1
Submitted: 2018-11-12 15:40 UTC
Modified: 2018-11-12 22:16 UTC
From: lukasz dot jedrzejowski at adition dot com
Assigned: cmb
Status: Closed
Package: SOAP related
PHP Version: 7.1.24
OS: Debian GNU/Linux 9.5 (stretch)
Private report: No
CVE-ID: None
 [2018-11-12 15:40 UTC] lukasz dot jedrzejowski at adition dot com
Description:
------------
Reproduced in:
- 7.1.23-2+0~20181015120514.8+stretch~1.gbpab65a0 (used this one as the nearest reported affected version).
- 7.2.10-0ubuntu0.18.04.1
- 7.2.11-4+0~20181106031630.10+stretch~1.gbp789850
but worked correctly in:
- 5.6.24-0+deb8u1

Using -1 "precision" ini-setting on either SOAP request or response when passing a float results in a fatal error: "Possible integer overflow in memory allocation".
Using other precision settings affects the string representation of passed floats as expected.

Although I've tested it manually on the SoapServer too, I'm providing the easier client side steps to reproduce.

Test script was executed by running /tmp/test.php in cli mode.

Test script:
---------------
$soap = new \SoapClient(
    null,
    array(
        'location' => "http://localhost/soap.php",
        'uri' => "http://localhost/",
        'style' => SOAP_RPC,
        'trace' => true,
        'exceptions' => true,
    )
);
ini_set('precision', -1);
try {
    $soap->call(1.1);
} finally {
    echo $soap->__getLastRequest();
}

Expected result:
----------------
Expected to see the traced SOAP request with float represented as string according to the set precision (for -1 precision the float 1.1 should be represented as "1.1").
Please ignore the additional "DTD are not supported" fatal error because of not actually running a SoapServer under the given URI.
SOAP response output was shortened to avoid "spam detection" triggered by long lines when reporting this bug.

...<SOAP-ENV:Body><ns1:call><param0 xsi:type="xsd:float">1.1</param0></ns1:call></SOAP-ENV:Body>...
PHP Fatal error:  Uncaught SoapFault exception: [Client] DTD are not supported by SOAP in /tmp/test.php:14
Stack trace:
#0 /tmp/test.php(14): SoapClient->__call('call', Array)
#1 /tmp/test.php(14): SoapClient->call(1.1)
#2 {main}
  thrown in /tmp/test.php on line 14


Actual result:
--------------
PHP Fatal error:  Uncaught SoapFault exception: [Client] Possible integer overflow in memory allocation (18446744073709551615 * 1 + 33) in /tmp/test.php:13
Stack trace:
#0 /tmp/test.php(13): SoapClient->__call('call', Array)
#1 {main}
  thrown in /tmp/test.php on line 13

 [2018-11-12 17:33 UTC] cmb@php.net
-Status: Open
+Status: Verified
 [2018-11-12 17:33 UTC] cmb@php.net
Confirmed.  A `-1` is passed to a `size_t`[1].

[1] <https://github.com/php/php-src/blob/php-7.3.0RC5/ext/soap/php_encoding.c#L1087>
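The signedness problem confirmed above, as an added C example (not code from php-src and not part of the comment): a hypothetical `checked_size()` helper stands in for an overflow-checked allocator, the constant 33 is taken from the error message in the report, and the 17-digit fallback for a negative precision is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FLOAT_BUF_EXTRA 33  /* offset shown in the reported error message */
#define FALLBACK_DIGITS 17  /* assumption: 17 digits round-trip an IEEE-754 double */

/* Overflow-checked nmemb * size + offset.
 * Returns 1 and stores the result, or 0 (leaving *out untouched) on overflow. */
static int checked_size(size_t nmemb, size_t size, size_t offset, size_t *out)
{
    if (size != 0 && nmemb > (SIZE_MAX - offset) / size)
        return 0;
    *out = nmemb * size + offset;
    return 1;
}

/* "Before": the signed setting reaches a size_t parameter unchanged.
 * The cast is what C does implicitly at such a call site: -1 becomes SIZE_MAX
 * (18446744073709551615 on a 64-bit build). Without the overflow check,
 * SIZE_MAX * 1 + 33 would wrap around to 32. */
static int buf_size_sign_unaware(int precision, size_t *out)
{
    return checked_size((size_t)precision, 1, FLOAT_BUF_EXTRA, out);
}

/* "After": treat a negative precision as a sentinel before any unsigned math. */
static int buf_size_sign_aware(int precision, size_t *out)
{
    size_t digits = precision >= 0 ? (size_t)precision : FALLBACK_DIGITS;
    return checked_size(digits, 1, FLOAT_BUF_EXTRA, out);
}

int main(void)
{
    size_t n = 0;
    printf("(size_t)-1 = %zu\n", (size_t)-1);
    if (!buf_size_sign_unaware(-1, &n))
        printf("precision=-1, sign-unaware: overflow detected, allocation refused\n");
    if (buf_size_sign_aware(-1, &n))
        printf("precision=-1, sign-aware: %zu bytes\n", n);
    if (buf_size_sign_aware(14, &n))
        printf("precision=14, sign-aware: %zu bytes\n", n);
    return 0;
}
```

Building with `-Wsign-conversion` flags the implicit form of this conversion at compile time.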
 [2018-11-12 20:49 UTC] cmb@php.net
-Assigned To:
+Assigned To: cmb
 [2018-11-12 22:16 UTC] cmb@php.net
-Summary: Integer overflow on SOAP request or response with -1 precision ini setting
+Summary: Signedness issue in SOAP when precision=-1
 [2018-11-12 22:27 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f6079e3c56eabe03565faceaef9de12728d278bf
Log: Fix #77141: Signedness issue in SOAP when precision=-1
 [2018-11-12 22:27 UTC] cmb@php.net
-Status: Verified
+Status: Closed
 
Last updated: Wed Dec 19 04:01:26 2018 UTC