Bug #77945 Segmentation fault when constructing SoapClient with WSDL_CACHE_BOTH
Submitted: 2019-04-27 11:08 UTC
Modified: 2019-04-29 11:40 UTC
From: jan dot eberhardt at posteo dot de
Assigned: nikic
Status: Closed
Package: SOAP related
PHP Version: 7.2.17
OS: Ubuntu 18.04.2 LTS
Private report: No
CVE-ID: None
 [2019-04-27 11:08 UTC] jan dot eberhardt at posteo dot de
Description:
------------
PHP crashes reproducibly with a segmentation fault when constructing SoapClient with WSDL_CACHE_BOTH.
The crash occurs only if the wsdl-file was already cached in a previous run.
It does not happen if one uses WSDL_CACHE_MEMORY or WSDL_CACHE_DISK.

I used the wsdl-file from bug76348, but it crashes with other wsdl-files too.

# php soaptest.php
===DONE===
# php soaptest.php
Segmentation fault (core dumped)

Test script:
---------------
<?php
$client = new SoapClient(__DIR__ . DIRECTORY_SEPARATOR . 'bug76348.wsdl', [
    'cache_wsdl' => WSDL_CACHE_BOTH
]);
?>
===DONE===

Expected result:
----------------
===DONE===

Actual result:
--------------
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php soaptest.php'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fb82c26baef in make_persistent_sdl_type (type=0x7fb837291690, ptr_map=ptr_map@entry=0x7ffc7adde4a0, 
    bp_types=bp_types@entry=0x7ffc7adde4e0, bp_encoders=bp_encoders@entry=0x7ffc7adde520) at ./ext/soap/php_sdl.c:2768

(gdb) bt
#0  0x00007fb82c26baef in make_persistent_sdl_type (type=0x7fb837291690, ptr_map=ptr_map@entry=0x7ffc7adde4a0, 
    bp_types=bp_types@entry=0x7ffc7adde4e0, bp_encoders=bp_encoders@entry=0x7ffc7adde520) at ./ext/soap/php_sdl.c:2768
#1  0x00007fb82c2700b6 in make_persistent_sdl (sdl=<optimized out>) at ./ext/soap/php_sdl.c:2969
#2  get_sdl (this_ptr=this_ptr@entry=0x7fb83721c0e0, uri=<optimized out>, cache_wsdl=cache_wsdl@entry=3) at ./ext/soap/php_sdl.c:3361
#3  0x00007fb82c2454f4 in zim_SoapClient_SoapClient (execute_data=0x7fb83721c0c0, return_value=<optimized out>) at ./ext/soap/soap.c:2487
#4  0x00005596fbc12308 in execute_ex ()
#5  0x00005596fbc13417 in zend_execute ()
#6  0x00005596fbb61d92 in zend_execute_scripts ()
#7  0x00005596fbafd8c0 in php_execute_script ()
#8  0x00005596fbc1582c in ?? ()
#9  0x00005596fb9ab64b in ?? ()
#10 0x00007fb839ef1b97 in __libc_start_main (main=0x5596fb9ab230, argc=2, argv=0x7ffc7ade32f8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7ffc7ade32e8) at ../csu/libc-start.c:310
#11 0x00005596fb9ab7ea in _start ()

History

 [2019-04-29 10:50 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2019-04-29 11:40 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2019-04-29 11:40 UTC] nikic@php.net
The actual segfault happens because sdl persistence is not prepared to deal with a restriction enumeration without string keys. However, I think that the real problem here is that empty string keys are discarded during serialization. The problematic part is this excerpt from xml.xsd:


  <xs:simpleType>
   <xs:union memberTypes="xs:language">
    <xs:simpleType>    
     <xs:restriction base="xs:string">
      <xs:enumeration value=""/>
     </xs:restriction>
    </xs:simpleType>
   </xs:union>
  </xs:simpleType>

Which uses an empty string enumeration value, which gets discarded during serialization.
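
An added illustration of the failure described in the comment above (not code from this report or from php-src): a simplified C model of a cache writer that cannot tell an empty-string key from a missing key, next to a variant that uses an out-of-band marker. The length-prefixed encoding, `NO_KEY_MARKER` and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical out-of-band sentinel meaning "entry has no string key". */
#define NO_KEY_MARKER 0x7fffffffu

/* Assumed cache encoding (a model, not php_sdl.c): 32-bit length, then bytes.
   key == NULL means an integer-indexed entry. The lossy writer uses length 0
   for "no key", which collides with the legitimate empty-string key "". */
static size_t put_key(uint8_t *out, const char *key, int hardened) {
    uint32_t len = key ? (uint32_t)strlen(key) : (hardened ? NO_KEY_MARKER : 0u);
    memcpy(out, &len, sizeof len);
    if (key) memcpy(out + sizeof len, key, len);
    return sizeof len + (key ? len : 0);
}

/* Returns a malloc'd copy of the key, or NULL for "no string key". */
static char *get_key(const uint8_t *in, int hardened) {
    uint32_t len;
    memcpy(&len, in, sizeof len);
    if (len == (hardened ? NO_KEY_MARKER : 0u)) return NULL;
    char *key = calloc((size_t)len + 1, 1);
    if (key) memcpy(key, in + sizeof len, len);
    return key;
}

/* Write a key to the cache, read it back, and return its length the way a
   persistence step would; -1 means the key came back as NULL, which is the
   point where code that assumes a string key would dereference NULL. */
long reloaded_key_len(const char *key, int hardened) {
    uint8_t buf[64];
    if (key && strlen(key) > sizeof buf - sizeof(uint32_t)) return -2;
    put_key(buf, key, hardened);
    char *back = get_key(buf, hardened);
    if (!back) return -1;
    long n = (long)strlen(back);
    free(back);
    return n;
}

int main(void) {
    printf("lossy    \"\"   -> %ld\n", reloaded_key_len("", 0));
    printf("hardened \"\"   -> %ld\n", reloaded_key_len("", 1));
    printf("hardened NULL -> %ld\n", reloaded_key_len(NULL, 1));
    return 0;
}
```

In the lossy mode the first run (parse from source) sees a string key while every later run (load from cache) sees none, which matches the report that the crash only appears once the WSDL has been cached.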
 [2019-04-29 11:54 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5da0579259aab958093ca473cb2cc9dff9fd7813
Log: Fixed bug #77945
 [2019-04-29 11:54 UTC] nikic@php.net
-Status: Verified +Status: Closed
 
Last updated: Tue Jun 18 04:01:27 2019 UTC