php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-8.3' into PHP-8.4

Browse Source 
* PHP-8.3:
  Fix GH-18640: heap-use-after-free ext/soap/php_encoding.c:299:32 in soap_check_zval_ref
This commit is contained in:
Niels Dossche
2025-07-20 19:49:56 +02:00
parent cb73155945 6cc4ae1f1d
commit f8196a5db5
3 changed files with 60 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
NEWS
View File

@@ -25,6 +25,10 @@ PHP NEWS
return value check). (nielsdos, botovq)
. Fix error return check of EVP_CIPHER_CTX_ctrl(). (nielsdos)
- SOAP:
. Fixed bug GH-18640 (heap-use-after-free ext/soap/php_encoding.c:299:32
in soap_check_zval_ref). (nielsdos)
- Sockets:
. Fix some potential crashes on incorrect argument value. (nielsdos)

14
ext/soap/php_encoding.c
View File

@@ -1949,6 +1949,11 @@ static xmlNodePtr to_xml_object(encodeTypePtr type, zval *data, int style, xmlNo
sdlAttributePtr attr;
zval *zattr, rv;
/* Attributes can't refer to other attributes as there's nothing to attach the href to. */
HashTable **ref_map = &SOAP_GLOBAL(ref_map);
HashTable *old_ref_map = *ref_map;
*ref_map = NULL;
ZEND_HASH_FOREACH_PTR(sdlType->attributes, attr) {
if (attr->name) {
zattr = get_zval_property(data, attr->name, &rv);
@@ -1978,6 +1983,8 @@ static xmlNodePtr to_xml_object(encodeTypePtr type, zval *data, int style, xmlNo
}
}
} ZEND_HASH_FOREACH_END();
*ref_map = old_ref_map;
}
}
if (style == SOAP_ENCODED) {
@@ -3060,6 +3067,12 @@ static xmlNodePtr to_xml_list(encodeTypePtr enc, zval *data, int style, xmlNodeP
ret = xmlNewNode(NULL, BAD_CAST("BOGUS"));
xmlAddChild(parent, ret);
FIND_ZVAL_NULL(data, ret, style);
/* Literals are unique and can't refer to other references via attributes. */
HashTable **ref_map = &SOAP_GLOBAL(ref_map);
HashTable *old_ref_map = *ref_map;
*ref_map = NULL;
if (Z_TYPE_P(data) == IS_ARRAY) {
zval *tmp;
smart_str list = {0};
@@ -3134,6 +3147,7 @@ static xmlNodePtr to_xml_list(encodeTypePtr enc, zval *data, int style, xmlNodeP
zval_ptr_dtor_str(&tmp);
}
}
*ref_map = old_ref_map;
return ret;
}

42
ext/soap/tests/bugs/gh18640.phpt Normal file
View File

@@ -0,0 +1,42 @@
--TEST---
GH-18640 (heap-use-after-free ext/soap/php_encoding.c:299:32 in soap_check_zval_ref)
--EXTENSIONS--
soap
--CREDITS--
YuanchengJiang
--FILE--
<?php
$wsdl = __DIR__."/bug35142.wsdl";
class TestSoapClient extends SoapClient {
function __doRequest($request, $location, $action, $version, $one_way = 0): ?string {
var_dump($request);
return '';
}
}
$soapClient = new TestSoapClient($wsdl, ['trace' => 1, 'classmap' => ['logOnEvent' => 'LogOnEvent', 'events' => 'IVREvents']]);
$timestamp = new LogOnEvent(); // Bogus!
$logOffEvents[] = new LogOffEvent($timestamp);
$logOffEvents[] = new LogOffEvent($timestamp);
$ivrEvents = new IVREvents($logOffEvents);
$result = $soapClient->PostEvents($ivrEvents);
class LogOffEvent {
function __construct(public $timestamp) {
$this->timestamp = $timestamp;
}
}
class LogOnEvent {
}
class IVREvents {
function __construct(public $logOffEvent) {
}
}
?>
--EXPECT--
string(359) "<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://testurl/Events" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns2="http://testurl/Message"><SOAP-ENV:Body><ns2:ivrEvents><ns2:logOffEvent/><ns2:logOffEvent/></ns2:ivrEvents></SOAP-ENV:Body></SOAP-ENV:Envelope>
"