Null pointer dereference while serializing the response #9720
We have been able to fix this on our site with the following patch. We do not know if this patch is also suitable for upstream. --- php-src/ext/soap/soap.c 2022-10-10 11:35:34.000000000 +0200
+++ soap.c 2022-10-10 18:22:04.000000000 +0200
@@ -3791,15 +3791,15 @@
} else if (param_count > 1 && Z_TYPE_P(ret) == IS_ARRAY) {
zval *data;
int i = 0;
- zend_string *param_name;
+ char *param_name;
zend_ulong param_index = i;
ZEND_HASH_FOREACH_KEY_VAL(Z_ARRVAL_P(ret), param_index, param_name, data) {
- parameter = get_param(function, ZSTR_VAL(param_name), param_index, TRUE);
+ parameter = get_param(function, param_name, param_index, TRUE);
if (style == SOAP_RPC) {
- param = serialize_parameter(parameter, data, i, ZSTR_VAL(param_name), use, method);
+ param = serialize_parameter(parameter, data, i, param_name, use, method);
} else {
- param = serialize_parameter(parameter, data, i, ZSTR_VAL(param_name), use, body);
+ param = serialize_parameter(parameter, data, i, param_name, use, body);
if (function && function->binding->bindingType == BINDING_SOAP) {
if (parameter && parameter->element) {
ns = encode_add_ns(param, parameter->element->namens);
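Review bot: the declaration change to `char *param_name;` conflicts with the unchanged `ZEND_HASH_FOREACH_KEY_VAL(Z_ARRVAL_P(ret), param_index, param_name, data)` line, which stores the hash key, a `zend_string *`, into `param_name`. The types no longer match, and a `char *` filled this way would point at the string header rather than at its characters. Keep `zend_string *param_name;` and guard each use instead, for example `param_name ? ZSTR_VAL(param_name) : NULL`, so that integer-keyed entries pass `NULL` as the name.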
Thanks for reporting! I can confirm the issue, but your patch wouldn't even compile for me, since ext/soap/soap.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ext/soap/soap.c b/ext/soap/soap.c
index d5731a5c9b..fbf6546beb 100644
--- a/ext/soap/soap.c
+++ b/ext/soap/soap.c
@@ -3360,11 +3360,11 @@ static int serialize_response_call2(xmlNodePtr body, sdlFunctionPtr function, ch
zend_ulong param_index = i;
ZEND_HASH_FOREACH_KEY_VAL(Z_ARRVAL_P(ret), param_index, param_name, data) {
- parameter = get_param(function, ZSTR_VAL(param_name), param_index, TRUE);
+ parameter = get_param(function, param_name ? ZSTR_VAL(param_name) : NULL, param_index, TRUE);
if (style == SOAP_RPC) {
- param = serialize_parameter(parameter, data, i, ZSTR_VAL(param_name), use, method);
+ param = serialize_parameter(parameter, data, i, param_name ? ZSTR_VAL(param_name) : NULL, use, method);
} else {
- param = serialize_parameter(parameter, data, i, ZSTR_VAL(param_name), use, body);
+ param = serialize_parameter(parameter, data, i, param_name ? ZSTR_VAL(param_name) : NULL, use, body);
if (function && function->binding->bindingType == BINDING_SOAP) {
if (parameter && parameter->element) {
ns = encode_add_ns(param, parameter->element->namens); |
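Review bot: the expression `param_name ? ZSTR_VAL(param_name) : NULL` is repeated at all three call sites inside the loop (`get_param` and both `serialize_parameter` branches). Compute it once at the top of the loop body into a local variable and pass that, so a later edit cannot reintroduce an unguarded `ZSTR_VAL(param_name)` in one branch. The diffstat lists only `ext/soap/soap.c`, so a regression test for a handler that returns an array with integer keys should accompany the fix.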
@cmb69 Thank you for looking at the bug! I have applied the change you customized to our test environment and all unit and integration tests are running. So this patch would be a great help for us.
When traversing the result array, we need to cater to `param_name` possibly being `NULL`. Prior to PHP 7.0.0, this was implicitly done because `param_name` was of type `char*`.
* PHP-8.0: Fix GH-9720: Null pointer dereference while serializing the response
* PHP-8.1: Fix GH-9720: Null pointer dereference while serializing the response
* PHP-8.2: Fix GH-9720: Null pointer dereference while serializing the response
Description
The following code:
with this `service.wsdl` file:
Resulted in a segfault with gdb output:
In frame 2 the var `param_name` is of type `zend_string`, but in frame 1 a `char*` is expected. The type conflict leads to `0x18` not being recognized as `null` in the if statement before.
But I expected this output instead:
After we call it with:
In version PHP 5.6.32 this example still works. Between PHP 7.0 and 8.2 we could see the failure.
PHP Version
PHP 8.2.0
Operating System
Rhel 8
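The `0x18` in the description above is the offset of the character data inside a 64-bit `zend_string`. The following is an added example, not code from php-src or from this thread: `mock_zend_string`, `mock_bucket` and the helper names are hypothetical stand-ins, and the sample entries are constructed. It shows why an unguarded value access on a `NULL` key gets past a later `NULL` check and how the guarded form avoids that.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-in for the 64-bit zend_string layout (assumption: the real
 * struct ends in val[1] and is over-allocated; val[8] keeps this static). */
typedef struct {
    struct { uint32_t refcount; uint32_t type_info; } gc; /* 8 bytes */
    uint64_t h;     /* cached hash */
    uint64_t len;   /* string length */
    char val[8];    /* character data */
} mock_zend_string;

/* Constructed hash entry: integer-indexed entries carry key == NULL. */
typedef struct { uint64_t index; const mock_zend_string *key; } mock_bucket;

/* Address a ZSTR_VAL-style access yields: base + offsetof(val). Computed with
 * integer arithmetic so the demo itself never dereferences NULL. */
static uintptr_t unguarded_name_addr(const mock_zend_string *key) {
    return (uintptr_t)key + offsetof(mock_zend_string, val);
}

/* Guarded form, as in the fix: a missing key becomes a NULL name. */
static const char *guarded_name(const mock_zend_string *key) {
    return key ? key->val : NULL;
}

/* Count entries whose key is NULL but whose unguarded name address would
 * still pass a callee's "name != NULL" check and be read as a string. */
static int count_bogus_names(const mock_bucket *b, size_t n) {
    int bogus = 0;
    for (size_t i = 0; i < n; i++)
        if (b[i].key == NULL && unguarded_name_addr(b[i].key) != 0)
            bogus++;
    return bogus;
}

/* Constructed sample: one string-keyed and two integer-keyed return values. */
static const mock_zend_string k_result = { {1, 0}, 0, 6, "result" };
static const mock_bucket sample[] = { {0, &k_result}, {0, NULL}, {1, NULL} };

int main(void) {
    int ok = unguarded_name_addr(NULL) == 0x18      /* the reported address */
          && guarded_name(NULL) == NULL
          && guarded_name(&k_result)[0] == 'r'
          && count_bogus_names(sample, 3) == 2;
    return ok ? 0 : 1;
}
```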