dmitry Wed, 10 Aug 2011 13:44:48 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=314737
Log: Fixed bug #55323 (SoapClient segmentation fault when XSD_TYPEKIND_EXTENSION contains itself) Bug: https://bugs.php.net/55323 (Assigned) SoapClient segmentation fault when XSD_TYPEKIND_EXTENSION contains itself Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/ext/soap/php_encoding.c A php/php-src/branches/PHP_5_3/ext/soap/tests/bugs/bug55323.phpt A php/php-src/branches/PHP_5_3/ext/soap/tests/bugs/bug55323.wsdl U php/php-src/branches/PHP_5_4/ext/soap/php_encoding.c A php/php-src/branches/PHP_5_4/ext/soap/tests/bugs/bug55323.phpt A php/php-src/branches/PHP_5_4/ext/soap/tests/bugs/bug55323.wsdl U php/php-src/trunk/ext/soap/php_encoding.c A php/php-src/trunk/ext/soap/tests/bugs/bug55323.phpt A php/php-src/trunk/ext/soap/tests/bugs/bug55323.wsdl
Modified: php/php-src/branches/PHP_5_3/NEWS =================================================================== --- php/php-src/branches/PHP_5_3/NEWS 2011-08-10 13:30:20 UTC (rev 314736) +++ php/php-src/branches/PHP_5_3/NEWS 2011-08-10 13:44:48 UTC (rev 314737) @@ -10,7 +10,12 @@ - MySQLi extension: . Fixed bug #55238 (SSL options set by mysqli_ssl_set ignored for MySQLi persistent connections). (Andrey) - + +- SOAP + . Fixed bug #55323 (SoapClient segmentation fault when XSD_TYPEKIND_EXTENSION + contains itself). (Dmitry) + + 28 Jul 2011, PHP 5.3.7 RC4 - Improved core functions: . Updated crypt_blowfish to 1.2. ((CVE-2011-2483) (Solar Designer) Modified: php/php-src/branches/PHP_5_3/ext/soap/php_encoding.c =================================================================== --- php/php-src/branches/PHP_5_3/ext/soap/php_encoding.c 2011-08-10 13:30:20 UTC (rev 314736) +++ php/php-src/branches/PHP_5_3/ext/soap/php_encoding.c 2011-08-10 13:44:48 UTC (rev 314737) @@ -114,6 +114,26 @@ } \ } +#define CHECK_XML_NULL(xml) \ + { \ + xmlAttrPtr null; \ + if (!xml) { \ + zval *ret; \ + ALLOC_INIT_ZVAL(ret); \ + ZVAL_NULL(ret); \ + return ret; \ + } \ + if (xml->properties) { \ + null = get_attribute(xml->properties, "nil"); \ + if (null) { \ + zval *ret; \ + ALLOC_INIT_ZVAL(ret); \ + ZVAL_NULL(ret); \ + return ret; \ + } \ + } \ + } + #define FIND_ZVAL_NULL(zval, xml, style) \ { \ if (!zval || Z_TYPE_P(zval) == IS_NULL) { \ @@ -338,6 +358,19 @@ return 0; } +static zval* soap_find_xml_ref(xmlNodePtr node TSRMLS_DC) +{ + zval **data_ptr; + + if (SOAP_GLOBAL(ref_map) && + zend_hash_index_find(SOAP_GLOBAL(ref_map), (ulong)node, (void**)&data_ptr) == SUCCESS) { + Z_SET_ISREF_PP(data_ptr); + Z_ADDREF_PP(data_ptr); + return *data_ptr; + } + return NULL; +} + static zend_bool soap_check_xml_ref(zval **data, xmlNodePtr node TSRMLS_DC) { zval **data_ptr; @@ -1513,6 +1546,11 @@ sdlType->encode->details.sdl_type->kind != XSD_TYPEKIND_LIST && sdlType->encode->details.sdl_type->kind != XSD_TYPEKIND_UNION) { + CHECK_XML_NULL(data); + if ((ret = soap_find_xml_ref(data TSRMLS_CC)) != NULL) { + return ret; + } + if (ce != ZEND_STANDARD_CLASS_DEF_PTR && sdlType->encode->to_zval == sdl_guess_convert_zval && sdlType->encode->details.sdl_type != NULL && @@ -1526,7 +1564,6 @@ } else { ret = master_to_zval_int(sdlType->encode, data); } - FIND_XML_NULL(data, ret); if (soap_check_xml_ref(&ret, data TSRMLS_CC)) { return ret; } Added: php/php-src/branches/PHP_5_3/ext/soap/tests/bugs/bug55323.phpt =================================================================== --- php/php-src/branches/PHP_5_3/ext/soap/tests/bugs/bug55323.phpt (rev 0) +++ php/php-src/branches/PHP_5_3/ext/soap/tests/bugs/bug55323.phpt 2011-08-10 13:44:48 UTC (rev 314737) @@ -0,0 +1,45 @@ +--TEST-- +Bug #55323 (SoapClient segmentation fault when XSD_TYPEKIND_EXTENSION contains itself) +--SKIPIF-- +<?php require_once('skipif.inc'); ?> +--FILE-- +<?php +ini_set("soap.wsdl_cache_enabled",0); +$timestamp = "2011-07-30T03:25:00-05:00"; +$wsdl = dirname(__FILE__)."/bug55323.wsdl"; + +class TestSoapClient extends SoapClient { + + function __construct($wsdl, $options) { + parent::__construct($wsdl, $options); + } + + function __doRequest($request, $location, $action, $version, $one_way = 0) { + return <<<EOF +<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://test.com/soap/v3/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"> + <SOAP-ENV:Body> + <ns1:getObjectResponse> + <getObjectReturn xsi:type="ns1:Customer" id="ref1"> + <accountId xsi:type="xsd:int">1234</accountId> + <parent href="#ref1"/> + </getObjectReturn> + </ns1:getObjectResponse> + </SOAP-ENV:Body> +</SOAP-ENV:Envelope> +EOF; + } + +} + +$soapClient = new TestSoapClient($wsdl, + array('trace' => 1, 'exceptions' => 0)); +$result = $soapClient->getObject(); +var_dump($result); +?> +--EXPECTF-- +object(stdClass)#%d (2) { + ["accountId"]=> + int(1234) + ["parent"]=> + *RECURSION* +} Added: php/php-src/branches/PHP_5_3/ext/soap/tests/bugs/bug55323.wsdl =================================================================== --- php/php-src/branches/PHP_5_3/ext/soap/tests/bugs/bug55323.wsdl (rev 0) +++ php/php-src/branches/PHP_5_3/ext/soap/tests/bugs/bug55323.wsdl 2011-08-10 13:44:48 UTC (rev 314737) @@ -0,0 +1,50 @@ +<?xml version="1.0" encoding="UTF-8"?> +<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="http://test.com/soap/v3/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" name="slApi" targetNamespace="http://test.com/soap/v3/"> + <types> + <xsd:schema xmlns="http://www.w3.org/2001/XMLSchema" + targetNamespace="http://test.com/soap/v3/" + xmlns:tns="http://test.com/soap/v3/" + xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" + xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" + elementFormDefault="qualified"> + <complexType name="Customer"> + <complexContent> + <extension base="tns:Interface"> + <sequence> + <element minOccurs="0" maxOccurs="1" nillable="true" name="accountId" type="int"/> + <element minOccurs="0" maxOccurs="1" name="parent" type="tns:Customer"/> + </sequence> + </extension> + </complexContent> + </complexType> + <complexType name="Interface" abstract="true"/> + </xsd:schema> + </types> + <message name="getObject"/> + <message name="getObjectResponse"> + <part name="getObjectReturn" type="tns:Customer"/> + </message> + <portType name="CustomerPortType"> + <operation name="getObject"> + <input message="tns:getObject"/> + <output message="tns:getObjectResponse"/> + </operation> + </portType> + <binding name="CustomerBinding" type="tns:CustomerPortType"> + <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/> + <operation name="getObject"> + <soap:operation soapAction="http://test.com/soap/v3/CustomerAction"/> + <input> + <soap:body namespace="http://test.com/soap/v3/" use="encoded" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/> + </input> + <output> + <soap:body namespace="http://test.com/soap/v3/" use="encoded" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/> + </output> + </operation> + </binding> + <service name="CustomerService"> + <port name="CustomerPort" binding="tns:CustomerBinding"> + <soap:address location="test://"/> + </port> + </service> +</definitions> Modified: php/php-src/branches/PHP_5_4/ext/soap/php_encoding.c =================================================================== --- php/php-src/branches/PHP_5_4/ext/soap/php_encoding.c 2011-08-10 13:30:20 UTC (rev 314736) +++ php/php-src/branches/PHP_5_4/ext/soap/php_encoding.c 2011-08-10 13:44:48 UTC (rev 314737) @@ -114,6 +114,26 @@ } \ } +#define CHECK_XML_NULL(xml) \ + { \ + xmlAttrPtr null; \ + if (!xml) { \ + zval *ret; \ + ALLOC_INIT_ZVAL(ret); \ + ZVAL_NULL(ret); \ + return ret; \ + } \ + if (xml->properties) { \ + null = get_attribute(xml->properties, "nil"); \ + if (null) { \ + zval *ret; \ + ALLOC_INIT_ZVAL(ret); \ + ZVAL_NULL(ret); \ + return ret; \ + } \ + } \ + } + #define FIND_ZVAL_NULL(zval, xml, style) \ { \ if (!zval || Z_TYPE_P(zval) == IS_NULL) { \ @@ -338,6 +358,19 @@ return 0; } +static zval* soap_find_xml_ref(xmlNodePtr node TSRMLS_DC) +{ + zval **data_ptr; + + if (SOAP_GLOBAL(ref_map) && + zend_hash_index_find(SOAP_GLOBAL(ref_map), (ulong)node, (void**)&data_ptr) == SUCCESS) { + Z_SET_ISREF_PP(data_ptr); + Z_ADDREF_PP(data_ptr); + return *data_ptr; + } + return NULL; +} + static zend_bool soap_check_xml_ref(zval **data, xmlNodePtr node TSRMLS_DC) { zval **data_ptr; @@ -1497,6 +1530,11 @@ sdlType->encode->details.sdl_type->kind != XSD_TYPEKIND_LIST && sdlType->encode->details.sdl_type->kind != XSD_TYPEKIND_UNION) { + CHECK_XML_NULL(data); + if ((ret = soap_find_xml_ref(data TSRMLS_CC)) != NULL) { + return ret; + } + if (ce != ZEND_STANDARD_CLASS_DEF_PTR && sdlType->encode->to_zval == sdl_guess_convert_zval && sdlType->encode->details.sdl_type != NULL && @@ -1510,7 +1548,6 @@ } else { ret = master_to_zval_int(sdlType->encode, data TSRMLS_CC); } - FIND_XML_NULL(data, ret); if (soap_check_xml_ref(&ret, data TSRMLS_CC)) { return ret; } Added: php/php-src/branches/PHP_5_4/ext/soap/tests/bugs/bug55323.phpt =================================================================== --- php/php-src/branches/PHP_5_4/ext/soap/tests/bugs/bug55323.phpt (rev 0) +++ php/php-src/branches/PHP_5_4/ext/soap/tests/bugs/bug55323.phpt 2011-08-10 13:44:48 UTC (rev 314737) @@ -0,0 +1,45 @@ +--TEST-- +Bug #55323 (SoapClient segmentation fault when XSD_TYPEKIND_EXTENSION contains itself) +--SKIPIF-- +<?php require_once('skipif.inc'); ?> +--FILE-- +<?php +ini_set("soap.wsdl_cache_enabled",0); +$timestamp = "2011-07-30T03:25:00-05:00"; +$wsdl = dirname(__FILE__)."/bug55323.wsdl"; + +class TestSoapClient extends SoapClient { + + function __construct($wsdl, $options) { + parent::__construct($wsdl, $options); + } + + function __doRequest($request, $location, $action, $version, $one_way = 0) { + return <<<EOF +<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://test.com/soap/v3/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"> + <SOAP-ENV:Body> + <ns1:getObjectResponse> + <getObjectReturn xsi:type="ns1:Customer" id="ref1"> + <accountId xsi:type="xsd:int">1234</accountId> + <parent href="#ref1"/> + </getObjectReturn> + </ns1:getObjectResponse> + </SOAP-ENV:Body> +</SOAP-ENV:Envelope> +EOF; + } + +} + +$soapClient = new TestSoapClient($wsdl, + array('trace' => 1, 'exceptions' => 0)); +$result = $soapClient->getObject(); +var_dump($result); +?> +--EXPECTF-- +object(stdClass)#%d (2) { + ["accountId"]=> + int(1234) + ["parent"]=> + *RECURSION* +} Added: php/php-src/branches/PHP_5_4/ext/soap/tests/bugs/bug55323.wsdl =================================================================== --- php/php-src/branches/PHP_5_4/ext/soap/tests/bugs/bug55323.wsdl (rev 0) +++ php/php-src/branches/PHP_5_4/ext/soap/tests/bugs/bug55323.wsdl 2011-08-10 13:44:48 UTC (rev 314737) @@ -0,0 +1,50 @@ +<?xml version="1.0" encoding="UTF-8"?> +<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="http://test.com/soap/v3/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" name="slApi" targetNamespace="http://test.com/soap/v3/"> + <types> + <xsd:schema xmlns="http://www.w3.org/2001/XMLSchema" + targetNamespace="http://test.com/soap/v3/" + xmlns:tns="http://test.com/soap/v3/" + xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" + xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" + elementFormDefault="qualified"> + <complexType name="Customer"> + <complexContent> + <extension base="tns:Interface"> + <sequence> + <element minOccurs="0" maxOccurs="1" nillable="true" name="accountId" type="int"/> + <element minOccurs="0" maxOccurs="1" name="parent" type="tns:Customer"/> + </sequence> + </extension> + </complexContent> + </complexType> + <complexType name="Interface" abstract="true"/> + </xsd:schema> + </types> + <message name="getObject"/> + <message name="getObjectResponse"> + <part name="getObjectReturn" type="tns:Customer"/> + </message> + <portType name="CustomerPortType"> + <operation name="getObject"> + <input message="tns:getObject"/> + <output message="tns:getObjectResponse"/> + </operation> + </portType> + <binding name="CustomerBinding" type="tns:CustomerPortType"> + <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/> + <operation name="getObject"> + <soap:operation soapAction="http://test.com/soap/v3/CustomerAction"/> + <input> + <soap:body namespace="http://test.com/soap/v3/" use="encoded" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/> + </input> + <output> + <soap:body namespace="http://test.com/soap/v3/" use="encoded" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/> + </output> + </operation> + </binding> + <service name="CustomerService"> + <port name="CustomerPort" binding="tns:CustomerBinding"> + <soap:address location="test://"/> + </port> + </service> +</definitions> Modified: php/php-src/trunk/ext/soap/php_encoding.c =================================================================== --- php/php-src/trunk/ext/soap/php_encoding.c 2011-08-10 13:30:20 UTC (rev 314736) +++ php/php-src/trunk/ext/soap/php_encoding.c 2011-08-10 13:44:48 UTC (rev 314737) @@ -114,6 +114,26 @@ } \ } +#define CHECK_XML_NULL(xml) \ + { \ + xmlAttrPtr null; \ + if (!xml) { \ + zval *ret; \ + ALLOC_INIT_ZVAL(ret); \ + ZVAL_NULL(ret); \ + return ret; \ + } \ + if (xml->properties) { \ + null = get_attribute(xml->properties, "nil"); \ + if (null) { \ + zval *ret; \ + ALLOC_INIT_ZVAL(ret); \ + ZVAL_NULL(ret); \ + return ret; \ + } \ + } \ + } + #define FIND_ZVAL_NULL(zval, xml, style) \ { \ if (!zval || Z_TYPE_P(zval) == IS_NULL) { \ @@ -338,6 +358,19 @@ return 0; } +static zval* soap_find_xml_ref(xmlNodePtr node TSRMLS_DC) +{ + zval **data_ptr; + + if (SOAP_GLOBAL(ref_map) && + zend_hash_index_find(SOAP_GLOBAL(ref_map), (ulong)node, (void**)&data_ptr) == SUCCESS) { + Z_SET_ISREF_PP(data_ptr); + Z_ADDREF_PP(data_ptr); + return *data_ptr; + } + return NULL; +} + static zend_bool soap_check_xml_ref(zval **data, xmlNodePtr node TSRMLS_DC) { zval **data_ptr; @@ -1497,6 +1530,11 @@ sdlType->encode->details.sdl_type->kind != XSD_TYPEKIND_LIST && sdlType->encode->details.sdl_type->kind != XSD_TYPEKIND_UNION) { + CHECK_XML_NULL(data); + if ((ret = soap_find_xml_ref(data TSRMLS_CC)) != NULL) { + return ret; + } + if (ce != ZEND_STANDARD_CLASS_DEF_PTR && sdlType->encode->to_zval == sdl_guess_convert_zval && sdlType->encode->details.sdl_type != NULL && @@ -1510,7 +1548,6 @@ } else { ret = master_to_zval_int(sdlType->encode, data TSRMLS_CC); } - FIND_XML_NULL(data, ret); if (soap_check_xml_ref(&ret, data TSRMLS_CC)) { return ret; } Added: php/php-src/trunk/ext/soap/tests/bugs/bug55323.phpt =================================================================== --- php/php-src/trunk/ext/soap/tests/bugs/bug55323.phpt (rev 0) +++ php/php-src/trunk/ext/soap/tests/bugs/bug55323.phpt 2011-08-10 13:44:48 UTC (rev 314737) @@ -0,0 +1,45 @@ +--TEST-- +Bug #55323 (SoapClient segmentation fault when XSD_TYPEKIND_EXTENSION contains itself) +--SKIPIF-- +<?php require_once('skipif.inc'); ?> +--FILE-- +<?php +ini_set("soap.wsdl_cache_enabled",0); +$timestamp = "2011-07-30T03:25:00-05:00"; +$wsdl = dirname(__FILE__)."/bug55323.wsdl"; + +class TestSoapClient extends SoapClient { + + function __construct($wsdl, $options) { + parent::__construct($wsdl, $options); + } + + function __doRequest($request, $location, $action, $version, $one_way = 0) { + return <<<EOF +<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://test.com/soap/v3/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"> + <SOAP-ENV:Body> + <ns1:getObjectResponse> + <getObjectReturn xsi:type="ns1:Customer" id="ref1"> + <accountId xsi:type="xsd:int">1234</accountId> + <parent href="#ref1"/> + </getObjectReturn> + </ns1:getObjectResponse> + </SOAP-ENV:Body> +</SOAP-ENV:Envelope> +EOF; + } + +} + +$soapClient = new TestSoapClient($wsdl, + array('trace' => 1, 'exceptions' => 0)); +$result = $soapClient->getObject(); +var_dump($result); +?> +--EXPECTF-- +object(stdClass)#%d (2) { + ["accountId"]=> + int(1234) + ["parent"]=> + *RECURSION* +} Added: php/php-src/trunk/ext/soap/tests/bugs/bug55323.wsdl =================================================================== --- php/php-src/trunk/ext/soap/tests/bugs/bug55323.wsdl (rev 0) +++ php/php-src/trunk/ext/soap/tests/bugs/bug55323.wsdl 2011-08-10 13:44:48 UTC (rev 314737) @@ -0,0 +1,50 @@ +<?xml version="1.0" encoding="UTF-8"?> +<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="http://test.com/soap/v3/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" name="slApi" targetNamespace="http://test.com/soap/v3/"> + <types> + <xsd:schema xmlns="http://www.w3.org/2001/XMLSchema" + targetNamespace="http://test.com/soap/v3/" + xmlns:tns="http://test.com/soap/v3/" + xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" + xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" + elementFormDefault="qualified"> + <complexType name="Customer"> + <complexContent> + <extension base="tns:Interface"> + <sequence> + <element minOccurs="0" maxOccurs="1" nillable="true" name="accountId" type="int"/> + <element minOccurs="0" maxOccurs="1" name="parent" type="tns:Customer"/> + </sequence> + </extension> + </complexContent> + </complexType> + <complexType name="Interface" abstract="true"/> + </xsd:schema> + </types> + <message name="getObject"/> + <message name="getObjectResponse"> + <part name="getObjectReturn" type="tns:Customer"/> + </message> + <portType name="CustomerPortType"> + <operation name="getObject"> + <input message="tns:getObject"/> + <output message="tns:getObjectResponse"/> + </operation> + </portType> + <binding name="CustomerBinding" type="tns:CustomerPortType"> + <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/> + <operation name="getObject"> + <soap:operation soapAction="http://test.com/soap/v3/CustomerAction"/> + <input> + <soap:body namespace="http://test.com/soap/v3/" use="encoded" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/> + </input> + <output> + <soap:body namespace="http://test.com/soap/v3/" use="encoded" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/> + </output> + </operation> + </binding> + <service name="CustomerService"> + <port name="CustomerPort" binding="tns:CustomerBinding"> + <soap:address location="test://"/> + </port> + </service> +</definitions>
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php