[PHP-BUG] Bug #54911 [NEW]: Access to a undefined member in inherit SoapClient may cause Segmentation Fault

2011-05-23 Thread erik at datahack dot se
From: 
Operating system: Linux
PHP version:  5.3.6
Package:  Reproducible crash
Bug Type: Bug
Bug description:  Access to a undefined member in inherit SoapClient may cause Segmentation Fault

Description:

If you try to access an undefined variable or constant in an extended
SoapClient, it will cause PHP to crash due to a Segmentation Fault.

Test script:
---
'', 'location'=>''));

$client->__soapCall('', array());

?>

Expected result:

An error like, Fatal error: Access to undeclared static property:
XSoapClient::$crash...

Actual result:
--
$ sapi/cli/php ../crash.php
Segmentation fault

# gdb backtrace...

Starting program: /home/erik/php-5.3.6/sapi/cli/php ../crash.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x0843c238 in zval_delref_p (zval_ptr=0xbfffcf68,
    __zend_filename=0x87cc4e8 "/home/erik/php-5.3.6/Zend/zend_vm_execute.h",
    __zend_lineno=609) at /home/erik/php-5.3.6/Zend/zend.h:385
385 return --pz->refcount__gc;
(gdb) bt
#0  0x0843c238 in zval_delref_p (zval_ptr=0xbfffcf68,
    __zend_filename=0x87cc4e8 "/home/erik/php-5.3.6/Zend/zend_vm_execute.h",
    __zend_lineno=609) at /home/erik/php-5.3.6/Zend/zend.h:385
#1  _zval_ptr_dtor (zval_ptr=0xbfffcf68,
    __zend_filename=0x87cc4e8 "/home/erik/php-5.3.6/Zend/zend_vm_execute.h",
    __zend_lineno=609) at /home/erik/php-5.3.6/Zend/zend_execute_API.c:437
#2  0x08479ff8 in ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (execute_data=0x8920a60)
    at /home/erik/php-5.3.6/Zend/zend_vm_execute.h:609
#3  0x08478793 in execute (op_array=0x88f2be0)
    at /home/erik/php-5.3.6/Zend/zend_vm_execute.h:107
#4  0x0844bae6 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/erik/php-5.3.6/Zend/zend.c:1194
#5  0x083e102e in php_execute_script (primary_file=0xb324)
    at /home/erik/php-5.3.6/main/main.c:2268
#6  0x08509d35 in main (argc=2, argv=0xb4b4)
    at /home/erik/php-5.3.6/sapi/cli/php_cli.c:1193





#48590 [Opn]: SOAP Client (redirect loop)

2009-06-17 Thread erik at datahack dot se
 ID:               48590
 User updated by:  erik at datahack dot se
 Reported By:      erik at datahack dot se
 Status:           Open
 Bug Type:         SOAP related
 PHP Version:      5.3.0RC3
 New Comment:

The sample code has an extra comma after the "'stream_context' =>
$context,".


Previous Comments:


[2009-06-17 21:05:23] erik at datahack dot se

Description:

A SOAPClient can be stuck in a redirect loop (and in some cases crash).
Other PHP functions have solved this by a default redirection limit of
20 redirects (maybe a php.ini setting) or a custom value of a stream
context -> http -> max_redirects.

I provide two examples, one where PHP crashes after ~200 requests and
one where it just loops forever.

Reproduce code:
---
redirection-loop.php:


client code (crashes):
<?php
$context = stream_context_create(
 array('http' => array('max_redirects' => 3))
 );
$soap = new SOAPClient(NULL,
 array(
  'uri' => 'foo',
  'location' => 'http://example.com/redirection-loop.php',
  'stream_context' => $context,
 )
);
$soap->test();
?>

client code (never finishes):
<?php
$soap = new SOAPClient(NULL,
 array(
  'uri' => 'foo',
  'location' => 'http://example.com/redirection-loop.php'
 )
);
$soap->test();
?>

Expected result:

I expect it to have a default limit of 20 but also respect the
max_requests value in the stream context. If the limit is reached I
would expect a SOAPFault with a similar error description as below.

When requesting the same file (redirection-loop.php) with
file_get_contents() you get a warning and an empty result is returned.

Warning: file_get_contents(http://example.com/redirection-loop.php):
failed to open stream: Redirection limit reached, aborting in Command
line code on line 1

Actual result:
--
This is what happens if you specify a stream_context and try to make
it respect the max_requests (which it does not)...

(gdb) bt
#0  0x082e2c9e in php_stream_context_get_option (context=0xa2eb5b4,
    wrappername=0x85eb353 "socket", optionname=0x8623e2a "bindto",
    optionvalue=0xbf866d04) at php-5.3.0RC3/main/streams/streams.c:2036
#1  0x082ef2e3 in php_tcp_sockop_set_option (stream=0xa2eac68,
    option=7, value=0, ptrparam=0xbf866dd0)
    at php-5.3.0RC3/main/streams/xp_socket.c:641
#2  0x082e27d2 in _php_stream_set_option (stream=0xa2eac68, option=7,
    value=0, ptrparam=0xbf866dd0)
    at php-5.3.0RC3/main/streams/streams.c:1175
#3  0x082ed90f in php_stream_xport_connect (stream=0xa2eac68,
    name=0xa2eac16 "example.com:80", namelen=16, asynchronous=0,
    timeout=0xbf866e84, error_text=0xbf866e8c, error_code=0x0)
    at php-5.3.0RC3/main/streams/transports.c:230
#4  0x082edcca in _php_stream_xport_create (name=0xa2eac16
    "example.org:80", namelen=16, options=12, flags=0, persistent_id=0x0,
    timeout=0xbf866e84, context=0xa2eb5b4, error_string=0x0,
    error_code=0x0)
    at php-5.3.0RC3/main/streams/transports.c:143
#5  0x081d56c6 in make_http_soap_request (this_ptr=0xa2ea634,
    buf=0xa35d5f0 "\nhttp://schemas.xmlsoap.org/soap/envelope/\"
    xmlns:ns1=\"foo\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"
    xmlns:SOAP-ENC="..., buf_size=378,
    location=0xa2eaa18 "http://example.com/redirection-loop.php",
    soapaction=0xa2eab9c "foo#test", soap_version=1,
    buffer=0xa2eab1c, buffer_len=0xa2eab20)
    at php-5.3.0RC3/ext/soap/php_http.c:120
#6  0x081b41d0 in zim_SoapClient___doRequest (ht=5,
    return_value=0xa2eab1c, return_value_ptr=0xbf8673c8, this_ptr=0xa2ea634,
    return_value_used=1) at php-5.3.0RC3/ext/soap/soap.c:3249

(gdb) f 0
#0  0x082e2c9e in php_stream_context_get_option (context=0xa2eb5b4,
    wrappername=0x85eb353 "socket", optionname=0x8623e2a "bindto",
    optionvalue=0xbf866d04) at php-5.3.0RC3/main/streams/streams.c:2036
2036 if (FAILURE == zend_hash_find(Z_ARRVAL_P(context->options),
    (char*)wrappername, strlen(wrappername)+1, (void**)&wrapperhash)) {








#48590 [NEW]: SOAP Client (redirect loop)

2009-06-17 Thread erik at datahack dot se
From: erik at datahack dot se
Operating system: 
PHP version:  5.3.0RC3
PHP Bug Type: SOAP related
Bug description:  SOAP Client (redirect loop)

Description:

A SOAPClient can be stuck in a redirect loop (and in some cases crash).
Other PHP functions have solved this by a default redirection limit of 20
redirects (maybe a php.ini setting) or a custom value of a stream context
-> http -> max_redirects.

I provide two examples, one where PHP crashes after ~200 requests and one
where it just loops forever.

Reproduce code:
---
redirection-loop.php:


client code (crashes):
<?php
$context = stream_context_create(
 array('http' => array('max_redirects' => 3))
 );
$soap = new SOAPClient(NULL,
 array(
  'uri' => 'foo',
  'location' => 'http://example.com/redirection-loop.php',
  'stream_context' => $context,
 )
);
$soap->test();
?>

client code (never finishes):
<?php
$soap = new SOAPClient(NULL,
 array(
  'uri' => 'foo',
  'location' => 'http://example.com/redirection-loop.php'
 )
);
$soap->test();
?>

Expected result:

I expect it to have a default limit of 20 but also respect the
max_requests value in the stream context. If the limit is reached I would
expect a SOAPFault with a similar error description as below.

When requesting the same file (redirection-loop.php) with
file_get_contents() you get a warning and an empty result is returned.

Warning: file_get_contents(http://example.com/redirection-loop.php):
failed to open stream: Redirection limit reached, aborting in Command line
code on line 1

Actual result:
--
This is what happens if you specify a stream_context and try to make it
respect the max_requests (which it does not)...

(gdb) bt
#0  0x082e2c9e in php_stream_context_get_option (context=0xa2eb5b4,
    wrappername=0x85eb353 "socket", optionname=0x8623e2a "bindto",
    optionvalue=0xbf866d04) at php-5.3.0RC3/main/streams/streams.c:2036
#1  0x082ef2e3 in php_tcp_sockop_set_option (stream=0xa2eac68, option=7,
    value=0, ptrparam=0xbf866dd0)
    at php-5.3.0RC3/main/streams/xp_socket.c:641
#2  0x082e27d2 in _php_stream_set_option (stream=0xa2eac68, option=7,
    value=0, ptrparam=0xbf866dd0)
    at php-5.3.0RC3/main/streams/streams.c:1175
#3  0x082ed90f in php_stream_xport_connect (stream=0xa2eac68,
    name=0xa2eac16 "example.com:80", namelen=16, asynchronous=0,
    timeout=0xbf866e84, error_text=0xbf866e8c, error_code=0x0)
    at php-5.3.0RC3/main/streams/transports.c:230
#4  0x082edcca in _php_stream_xport_create (name=0xa2eac16
    "example.org:80", namelen=16, options=12, flags=0, persistent_id=0x0,
    timeout=0xbf866e84, context=0xa2eb5b4, error_string=0x0,
    error_code=0x0)
    at php-5.3.0RC3/main/streams/transports.c:143
#5  0x081d56c6 in make_http_soap_request (this_ptr=0xa2ea634,
    buf=0xa35d5f0 "\nhttp://schemas.xmlsoap.org/soap/envelope/\"
    xmlns:ns1=\"foo\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"
    xmlns:SOAP-ENC="..., buf_size=378,
    location=0xa2eaa18 "http://example.com/redirection-loop.php",
    soapaction=0xa2eab9c "foo#test", soap_version=1,
    buffer=0xa2eab1c, buffer_len=0xa2eab20)
    at php-5.3.0RC3/ext/soap/php_http.c:120
#6  0x081b41d0 in zim_SoapClient___doRequest (ht=5,
    return_value=0xa2eab1c, return_value_ptr=0xbf8673c8, this_ptr=0xa2ea634,
    return_value_used=1) at php-5.3.0RC3/ext/soap/soap.c:3249

(gdb) f 0
#0  0x082e2c9e in php_stream_context_get_option (context=0xa2eb5b4,
    wrappername=0x85eb353 "socket", optionname=0x8623e2a "bindto",
    optionvalue=0xbf866d04) at php-5.3.0RC3/main/streams/streams.c:2036
2036 if (FAILURE == zend_hash_find(Z_ARRVAL_P(context->options),
    (char*)wrappername, strlen(wrappername)+1, (void**)&wrapperhash)) {

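
A client-side guard for the redirect loop reported in #48590, as an added example that is not part of the original report or of ext/soap: it overrides `__doRequest` (five-argument signature assumed) and sends the envelope through PHP's http stream wrapper, which enforces `max_redirects` and fails with the "Redirection limit reached" warning quoted in the report. The class name `BoundedRedirectSoapClient` and its `max_redirects` constructor option are hypothetical.

```php
<?php
// Added illustration; BoundedRedirectSoapClient and its 'max_redirects'
// constructor option are assumptions of this sketch, not ext/soap code.
class BoundedRedirectSoapClient extends SoapClient
{
    private $redirectCap;
    private $httpTimeout;

    public function __construct($wsdl, array $options = array())
    {
        // 20 mirrors the default limit of the http stream wrapper.
        $this->redirectCap = isset($options['max_redirects'])
            ? (int) $options['max_redirects'] : 20;
        $this->httpTimeout = isset($options['connection_timeout'])
            ? (float) $options['connection_timeout'] : 10.0;
        unset($options['max_redirects']); // not a SoapClient option
        parent::__construct($wsdl, $options);
    }

    #[\ReturnTypeWillChange]
    public function __doRequest($request, $location, $action, $version, $one_way = 0)
    {
        if ($version == SOAP_1_2) {
            $headers = 'Content-Type: application/soap+xml; charset=utf-8; '
                     . 'action="' . $action . "\"\r\n";
        } else {
            $headers = "Content-Type: text/xml; charset=utf-8\r\n"
                     . 'SOAPAction: "' . $action . "\"\r\n";
        }
        $context = stream_context_create(array('http' => array(
            'method'          => 'POST',
            'header'          => $headers,
            'content'         => $request,
            'follow_location' => 1,
            'max_redirects'   => $this->redirectCap, // enforced by the wrapper
            'timeout'         => $this->httpTimeout,
            'ignore_errors'   => true, // keep HTTP 500 bodies so SOAP faults parse
        )));
        // Returns false once the redirect cap is hit or the request fails.
        $response = @file_get_contents($location, false, $context);
        if ($response === false) {
            $err = error_get_last();
            throw new SoapFault('HTTP', $err ? $err['message'] : 'HTTP request failed');
        }
        return $one_way ? '' : $response;
    }
}
```

Constructed like the report's client, for example with `array('uri' => 'foo', 'location' => '...', 'max_redirects' => 3)`, a looping endpoint surfaces as a `SoapFault` instead of an endless request cycle.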