Skip to content

Commit e440e37

Browse files
cmb69cmb69
committed
Fix GH-9720: Null pointer dereference while serializing the response
When traversing the result array, we need to cater to `param_name` possibly being `NULL`. Prior to PHP 7.0.0, this was implicitly done because `param_name` was of type `char*`. Closes GH-9739.
1 parent 24963be commit e440e37

File tree

4 files changed

+74
-3
lines changed

4 files changed

+74
-3
lines changed

NEWS

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,9 @@ PHP NEWS
22
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
33
?? ??? 2022, PHP 8.0.26
44

5+
- SOAP:
6+
. Fixed GH-9720 (Null pointer dereference while serializing the response).
7+
(cmb)
58

69
27 Oct 2022, PHP 8.0.25
710

ext/soap/soap.c

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -3481,11 +3481,11 @@ static int serialize_response_call2(xmlNodePtr body, sdlFunctionPtr function, ch
34813481
zend_ulong param_index = i;
34823482

34833483
ZEND_HASH_FOREACH_KEY_VAL(Z_ARRVAL_P(ret), param_index, param_name, data) {
3484-
parameter = get_param(function, ZSTR_VAL(param_name), param_index, TRUE);
3484+
parameter = get_param(function, param_name ? ZSTR_VAL(param_name) : NULL, param_index, TRUE);
34853485
if (style == SOAP_RPC) {
3486-
param = serialize_parameter(parameter, data, i, ZSTR_VAL(param_name), use, method);
3486+
param = serialize_parameter(parameter, data, i, param_name ? ZSTR_VAL(param_name) : NULL, use, method);
34873487
} else {
3488-
param = serialize_parameter(parameter, data, i, ZSTR_VAL(param_name), use, body);
3488+
param = serialize_parameter(parameter, data, i, param_name ? ZSTR_VAL(param_name) : NULL, use, body);
34893489
if (function && function->binding->bindingType == BINDING_SOAP) {
34903490
if (parameter && parameter->element) {
34913491
ns = encode_add_ns(param, parameter->element->namens);

ext/soap/tests/gh9720.phpt

Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,34 @@
1+
--TEST--
2+
Bug GH-9720 (Null pointer dereference while serializing the response)
3+
--SKIPIF--
4+
<?php require_once("skipif.inc"); ?>
5+
--FILE--
6+
<?php
7+
error_reporting(E_ALL);
8+
ini_set('display_errors', 1);
9+
ini_set("soap.wsdl_cache_enabled", 0);
10+
11+
class SoapService {
12+
function openSession($user) {
13+
return ["OK", "200"];
14+
}
15+
}
16+
17+
$server = new SoapServer(__DIR__ . '/gh9720.wsdl');
18+
$server->setClass(SoapService::class);
19+
$request = <<<XML
20+
<?xml version="1.0" encoding="UTF-8"?>
21+
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:soapService" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">
22+
<SOAP-ENV:Body>
23+
<ns1:openSession>
24+
<user xsi:type="xsd:string">istoph</user>
25+
</ns1:openSession>
26+
</SOAP-ENV:Body>
27+
</SOAP-ENV:Envelope>
28+
XML;
29+
30+
$server->handle($request);
31+
?>
32+
--EXPECT--
33+
<?xml version="1.0" encoding="UTF-8"?>
34+
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:soapService" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:openSessionResponse><status xsi:type="xsd:string">OK</status><error_code xsi:type="xsd:string">200</error_code></ns1:openSessionResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>

ext/soap/tests/gh9720.wsdl

Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,34 @@
1+
<?xml version="1.0" encoding="utf-8"?>
2+
<definitions name="soapService" targetNamespace="urn:soapService" xmlns:typens="urn:soapService" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns="http://schemas.xmlsoap.org/wsdl/">
3+
<message name="openSession">
4+
<part name="user" type="xsd:string" />
5+
</message>
6+
<message name="openSessionResponse">
7+
<part name="status" type="xsd:string" />
8+
<part name="error_code" type="xsd:string" />
9+
</message>
10+
<portType name="soapServicePortType">
11+
<operation name="openSession">
12+
<documentation>Service Call: openSession</documentation>
13+
<input message="typens:openSession" />
14+
<output message="typens:openSessionResponse" />
15+
</operation>
16+
</portType>
17+
<binding name="soapServiceBinding" type="typens:soapServicePortType">
18+
<soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http" />
19+
<operation name="openSession">
20+
<soap:operation soapAction="urn:openSession" />
21+
<input>
22+
<soap:body namespace="urn:soapService" use="encoded" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" />
23+
</input>
24+
<output>
25+
<soap:body namespace="urn:soapService" use="encoded" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" />
26+
</output>
27+
</operation>
28+
</binding>
29+
<service name="soapServiceService">
30+
<port name="soapServicePort" binding="typens:soapServiceBinding">
31+
<soap:address location="###PHP_SELF###" />
32+
</port>
33+
</service>
34+
</definitions>

0 commit comments

Comments
 (0)