GHSA-85c2-q967-79q5: [soap] Fix stale SOAP_GLOBAL(ref_map) pointer with Apache Map

iluuu1994 · saundefined · commit 84e3004d25c2 · 2026-05-05T16:50:31.000+03:00
Fixes GHSA-85c2-q967-79q5
Fixes CVE-2026-6722
diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
@@ -365,6 +365,7 @@ static bool soap_check_xml_ref(zval *data, xmlNodePtr node)
 static void soap_add_xml_ref(zval *data, xmlNodePtr node)
 {
 	if (SOAP_GLOBAL(ref_map)) {
+		Z_TRY_ADDREF_P(data);
 		zend_hash_index_update(SOAP_GLOBAL(ref_map), (zend_ulong)node, data);
 	}
 }
@@ -3448,7 +3449,7 @@ void encode_reset_ns()
 	} else {
 		SOAP_GLOBAL(ref_map) = emalloc(sizeof(HashTable));
 	}
-	zend_hash_init(SOAP_GLOBAL(ref_map), 0, NULL, NULL, 0);
+	zend_hash_init(SOAP_GLOBAL(ref_map), 0, NULL, ZVAL_PTR_DTOR, 0);
 }
 
 void encode_finish()
diff --git a/ext/soap/tests/GHSA-85c2-q967-79q5.phpt b/ext/soap/tests/GHSA-85c2-q967-79q5.phpt
@@ -0,0 +1,61 @@
+--TEST--
+GHSA-85c2-q967-79q5: Stale SOAP_GLOBAL(ref_map) pointer with Apache Map
+--CREDITS--
+brettgervasoni
+--EXTENSIONS--
+soap
+--FILE--
+<?php
+
+class Handler {
+    public function test(...$args) {
+        $GLOBALS['result'] = $args;
+    }
+}
+
+$envelope = <<<'XML'
+<?xml version="1.0" encoding="UTF-8"?>
+<soapenv:Envelope
+    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+
+    <soapenv:Body>
+        <test>
+            <map xsi:type="apache:Map" xmlns:apache="http://xml.apache.org/xml-soap">
+                <item>
+                    <key>foo</key>
+                    <value id="stale"><object>bar</object></value>
+                </item>
+                <item>
+                    <key>foo</key>
+                    <value>baz</value>
+                </item>
+            </map>
+            <stale href="#stale"/>
+        </test>
+    </soapenv:Body>
+</soapenv:Envelope>
+XML;
+
+$s = new SoapServer(null, ['uri' => 'urn:a']);
+$s->setClass(Handler::class);
+$s->handle($envelope);
+var_dump($result);
+
+?>
+--EXPECTF--
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:a" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:testResponse><return xsi:nil="true"/></ns1:testResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>
+array(2) {
+  [0]=>
+  array(1) {
+    ["foo"]=>
+    string(3) "baz"
+  }
+  [1]=>
+  object(stdClass)#%d (1) {
+    ["object"]=>
+    string(3) "bar"
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -365,6 +365,7 @@ static bool soap_check_xml_ref(zval *data, xmlNodePtr node)`
`365`	`365`	`static void soap_add_xml_ref(zval *data, xmlNodePtr node)`
`366`	`366`	`{`
`367`	`367`	`if (SOAP_GLOBAL(ref_map)) {`
	`368`	`+ Z_TRY_ADDREF_P(data);`
`368`	`369`	`zend_hash_index_update(SOAP_GLOBAL(ref_map), (zend_ulong)node, data);`
`369`	`370`	`}`
`370`	`371`	`}`
`@@ -3448,7 +3449,7 @@ void encode_reset_ns()`
`3448`	`3449`	`} else {`
`3449`	`3450`	`SOAP_GLOBAL(ref_map) = emalloc(sizeof(HashTable));`
`3450`	`3451`	`}`
`3451`		`- zend_hash_init(SOAP_GLOBAL(ref_map), 0, NULL, NULL, 0);`
	`3452`	`+ zend_hash_init(SOAP_GLOBAL(ref_map), 0, NULL, ZVAL_PTR_DTOR, 0);`
`3452`	`3453`	`}`
`3453`	`3454`
`3454`	`3455`	`void encode_finish()`