Bug #79357 SOAP request segfaults when any request parameter is missing
Submitted: 2020-03-09 10:13 UTC
Modified: 2020-03-09 13:51 UTC
From: roman dot vanicek at gmail dot com
Assigned: nikic
Status: Closed
Package: SOAP related
PHP Version: 7.4.3
OS: Linux 4.15
Private report: No
CVE-ID: None
 [2020-03-09 10:13 UTC] roman dot vanicek at gmail dot com
Description:
------------
Any SOAP request crashes (with segfault) when any request parameter is missing.

Normally it should throw an exception (SOAP-ERROR: Encoding: object has no 'intB' property).

The error is tested on PHP 7.4.0-7.4.3.
It works fine in PHP 7.3.x.
The error happens in the shared build of the soap module; the static build is fine.

Configure line: --enable-soap=shared --without-sqlite3 --without-pdo-sqlite

GDB output: 
Program received signal SIGSEGV, Segmentation fault.
0x0000555555ad9e77 in zend_gc_delref (p=0x61445b0a0a6e4f20)
    at /var/roman/src/php/php-7.4.3/Zend/zend_types.h:1039
1039            ZEND_ASSERT(p->refcount > 0);
(gdb) bt
#0  0x0000555555ad9e77 in zend_gc_delref (p=0x61445b0a0a6e4f20)
    at /var/roman/src/php/php-7.4.3/Zend/zend_types.h:1039
#1  0x0000555555ad9fec in zval_delref_p (pz=0x7ffff3e140e0)
    at /var/roman/src/php/php-7.4.3/Zend/zend_types.h:1075
#2  0x0000555555ada765 in zval_ptr_dtor_nogc (zval_ptr=0x7ffff3e140e0)
    at /var/roman/src/php/php-7.4.3/Zend/zend_variables.h:34
#3  0x0000555555aeece9 in ZEND_HANDLE_EXCEPTION_SPEC_HANDLER ()
    at /var/roman/src/php/php-7.4.3/Zend/zend_vm_execute.h:2615
#4  0x0000555555b50afc in execute_ex (ex=0x7ffff3e14020)
    at /var/roman/src/php/php-7.4.3/Zend/zend_vm_execute.h:53889
#5  0x0000555555b54ad0 in zend_execute (op_array=0x7ffff3e84300, return_value=0x0)
    at /var/roman/src/php/php-7.4.3/Zend/zend_vm_execute.h:57913
#6  0x0000555555a779f5 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /var/roman/src/php/php-7.4.3/Zend/zend.c:1665
#7  0x00005555559d6713 in php_execute_script (primary_file=0x7fffffffca60)
    at /var/roman/src/php/php-7.4.3/main/main.c:2617
#8  0x0000555555b5760f in do_cli (argc=2, argv=0x55555678a500)
    at /var/roman/src/php/php-7.4.3/sapi/cli/php_cli.c:961
#9  0x0000555555b587d1 in main (argc=2, argv=0x55555678a500)
    at /var/roman/src/php/php-7.4.3/sapi/cli/php_cli.c:1356


Test script:
---------------
<?php

ini_set('soap.wsdl_cache_enabled',0);
ini_set('soap.wsdl_cache_ttl',0);

$sc = new SoapClient('http://www.dneonline.com/calculator.asmx?WSDL');
// parameter intB is missing
$res = $sc->Add(['intA'=>1]);
// PHP 7.3 throws exception: SOAP-ERROR: Encoding: object has no 'intB' property
// PHP 7.4 (shared soap) segfaults
var_dump($res);


Expected result:
----------------
Exception: SOAP-ERROR: Encoding: object has no 'intB' property

Actual result:
--------------
Segfault.

History

 [2020-03-09 10:30 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2020-03-09 10:30 UTC] nikic@php.net
Valgrind:

==21080== Conditional jump or move depends on uninitialised value(s)
==21080==    at 0x9A194F: zval_ptr_dtor_nogc (zend_variables.h:34)
==21080==    by 0x9B5F34: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_vm_execute.h:2615)
==21080==    by 0xA17DB9: execute_ex (zend_vm_execute.h:53889)
==21080==    by 0xA1BD88: zend_execute (zend_vm_execute.h:57913)
==21080==    by 0x93EFD7: zend_execute_scripts (zend.c:1665)
==21080==    by 0x8A0781: php_execute_script (main.c:2617)
==21080==    by 0xA1E99C: do_cli (php_cli.c:961)
==21080==    by 0xA1FB6C: main (php_cli.c:1356)
 [2020-03-09 13:51 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2020-03-09 14:02 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=760faa12b20db56bd3e2faab8d658f622af7da6a
Log: Fixed bug #79357
 [2020-03-09 14:02 UTC] nikic@php.net
-Status: Verified +Status: Closed
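
To check a given PHP build against this report without the crash taking down the caller, the test script can be run as a child process and its outcome classified as the expected SoapFault or a SIGSEGV. This is an added example, not part of the original report or of php-src; the function name `classify_run` and the file name `repro.php` are assumptions, and exit status 139 assumes Linux (128 + signal 11).

```shell
#!/bin/sh
# Added example (not from the bug report): run a reproducer in a child
# process and classify how it ended.
#   segfault   - child was killed by SIGSEGV (behaviour reported for 7.4.0-7.4.3, shared soap)
#   soapfault  - the expected "SOAP-ERROR: Encoding: object has no ..." error was raised
#   ok         - child exited 0 without that error
#   error-N    - any other non-zero exit status N

classify_run() {
    status=0
    # Capture stdout and stderr together; remember the exit status
    # instead of letting a failure abort the calling script.
    output=$("$@" 2>&1) || status=$?

    if [ "$status" -eq 139 ]; then
        # 128 + 11 (SIGSEGV on Linux, the OS named in the report)
        echo "segfault"
    elif printf '%s\n' "$output" | grep -q "SOAP-ERROR: Encoding: object has no"; then
        # An uncaught exception makes the PHP CLI exit with 255, so the
        # message text is checked before the generic status handling.
        echo "soapfault"
    elif [ "$status" -eq 0 ]; then
        echo "ok"
    else
        echo "error-$status"
    fi
}

# Stand-alone use: pass the command to run, e.g.
#   sh classify.sh php -d display_errors=stderr repro.php
# where repro.php (assumed name) holds the test script from the report.
if [ "$#" -gt 0 ]; then
    classify_run "$@"
fi
```

The `-d display_errors=stderr` override makes the uncaught-exception message visible even when the local php.ini turns error display off.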
 
Last updated: Tue Dec 01 06:01:23 2020 UTC