
Segmentation fault in Zend/zend_smart_str.h:177 #16320

Open
YuanchengJiang opened this issue Oct 9, 2024 · 2 comments


Description

The following code:

<?php
$x = new SoapClient(__DIR__."/bug27742.wsdl");
$fusion = $x;
$types = $fusion->__getTypes();

Resulted in this output:

/php-src/Zend/zend_smart_str.h:177:41: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:408:33: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /php-src/Zend/zend_smart_str.h:177:41

PHP Version

PHP 8.4.0-dev

Operating System

ubuntu 22.04

nielsdos (Member) commented Oct 9, 2024

The more I look at this the bigger my headache becomes.
There are many things wrong in schema_attribute:

  1. attr_is_equal_ex makes no sense; it seems like it tries to check for an attribute name and its namespace. However, there is confusion between attribute namespace and element namespace. An attribute without a prefix is always in no namespace. Yet if this happens the function looks at the parent namespace :/ Reading https://www.w3.org/TR/xmlschema-1/#cAttribute_Declarations makes me no wiser because (as is typical with w3 specs) this document is very open to interpretation.
  2. Because of the previous issue, you can execute newAttr->name = estrdup((char*)attr->children->content); multiple times, leading to a memory leak.
  3. schema_attribute uses get_attribute for the name and ref attributes, which don't take into account the namespace (first match wins!). However, then for actual storing that data it does take into account the namespace (well kinda, see first point).
  4. Why do we even execute schema_attribute in the first place? The complexType element is in the wrong namespace, or am I misreading the WSDL? Yet, apparently this WSDL file came out of a generator...

I already learned that you have to be ... tolerant when it comes to SOAP stuff due to different interpretations between different implementers.
So it seems to me that we should drop attr_is_equal_ex and edit schema_attribute to ignore the namespace, or take into account a preferred namespace for the attribute.

But wow what a mess.

nielsdos (Member) commented Oct 9, 2024

This already passes the tests but does not take into account namespace preference: https://gist.github.com/nielsdos/b0dc0a086f4ae034f21f007aa02a1810
Note that an absent name attribute would still cause a crash though.
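The two lookup rules argued about in the comments above (points 1 and 3: an unprefixed attribute is in no namespace, and a namespace-blind "first match wins" lookup picks the wrong attribute) and the missing-name crash mentioned in the follow-up can be shown side by side in a small model. This is an added example, not php-src code (the real parser is C over libxml2); Python's xml.etree stands in for libxml2, the schema fragment and the function names are constructed for the illustration, and the only behaviour it claims is that of the stdlib parser.

```python
import xml.etree.ElementTree as ET

XSD_NS = "http://www.w3.org/2001/XMLSchema"

# Constructed sample (not from the php-src test suite).
# Declaration 1 carries the local name "name" twice: once in a foreign
# namespace (ext:name) and once unprefixed, i.e. in no namespace.
# Declaration 2 has only the foreign-namespaced one, so the real XSD
# "name" attribute is absent, which is the crash case from the thread.
SAMPLE_XSD = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
                           xmlns:ext="urn:example:ext">
  <xs:attribute ext:name="decoy" name="realName" type="xs:string"/>
  <xs:attribute ext:name="onlyForeign" type="xs:string"/>
</xs:schema>"""


def local_name(key):
    """Strip ElementTree's '{namespace}' prefix from an attribute key."""
    return key.rsplit("}", 1)[-1]


def get_attribute_first_match(elem, name):
    """Namespace-blind lookup: the first attribute whose local name matches
    wins, regardless of which namespace it is in. This mirrors the problem
    described in point 3 of the thread and is the behaviour to avoid."""
    for key, value in elem.attrib.items():
        if local_name(key) == name:
            return value
    return None


def get_attribute_in_namespace(elem, name, ns=None):
    """Namespace-aware lookup. An unprefixed attribute lives in no namespace,
    so ns=None selects the bare key; a prefixed one is keyed as '{ns}name'."""
    key = name if ns is None else "{%s}%s" % (ns, name)
    return elem.attrib.get(key)


def declare_attribute(elem):
    """Build the record for one xs:attribute declaration.
    XSD's own 'name' and 'type' attributes are unprefixed, so they are looked
    up in no namespace; an absent 'name' is reported as an error instead of
    being handed on as a null value."""
    name = get_attribute_in_namespace(elem, "name")
    if name is None:
        raise ValueError("xs:attribute declaration without a 'name' attribute")
    return {"name": name, "type": get_attribute_in_namespace(elem, "type")}


def attribute_declarations(xsd_text):
    """Return the xs:attribute elements of a schema document, in order."""
    root = ET.fromstring(xsd_text)
    return root.findall("{%s}attribute" % XSD_NS)


if __name__ == "__main__":
    for elem in attribute_declarations(SAMPLE_XSD):
        print("first-match:", get_attribute_first_match(elem, "name"),
              "| namespace-aware:", get_attribute_in_namespace(elem, "name"))
        try:
            print("declared:", declare_attribute(elem))
        except ValueError as exc:
            print("rejected:", exc)
```

Running it prints "decoy" for the namespace-blind lookup on the first declaration while the namespace-aware lookup returns "realName"; on the second declaration the blind lookup happily returns the foreign-namespaced value, whereas the aware lookup returns None and declare_attribute refuses the declaration rather than proceeding with a missing name.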
