Fix SoapFault property destruction

Two issues:
1) We should not modify the object when we pass invalid values
2) We should reset the properties to their default value otherwise we
   get a UAF.

Regressed in df219cc

Closes GH-15248.

Author: nielsdos

NEWS

@@ -45,6 +45,7 @@ PHP                                                                        NEWS
 
 - Soap:
   . Fixed bug #55639 (Digest autentication dont work). (nielsdos)
+  . Fix SoapFault property destruction. (nielsdos)
 
 - Standard:
   . Fix passing non-finite timeout values in stream functions. (nielsdos)

ext/soap/soap.c

@@ -529,6 +529,13 @@ static void soap_fault_dtor_properties(zval *obj)
 	zval_ptr_dtor(Z_FAULT_DETAIL_P(obj));
 	zval_ptr_dtor(Z_FAULT_NAME_P(obj));
 	zval_ptr_dtor(Z_FAULT_HEADERFAULT_P(obj));
+	ZVAL_EMPTY_STRING(Z_FAULT_STRING_P(obj));
+	ZVAL_NULL(Z_FAULT_CODE_P(obj));
+	ZVAL_NULL(Z_FAULT_CODENS_P(obj));
+	ZVAL_NULL(Z_FAULT_ACTOR_P(obj));
+	ZVAL_NULL(Z_FAULT_DETAIL_P(obj));
+	ZVAL_NULL(Z_FAULT_NAME_P(obj));
+	ZVAL_NULL(Z_FAULT_HEADERFAULT_P(obj));
 }
 
 /* {{{ SoapFault constructor */
@@ -550,9 +557,6 @@ PHP_METHOD(SoapFault, __construct)
 		Z_PARAM_ZVAL_OR_NULL(headerfault)
 	ZEND_PARSE_PARAMETERS_END();
 
-	/* Delete previously set properties */
-	soap_fault_dtor_properties(ZEND_THIS);
-
 	if (code_str) {
 		fault_code = ZSTR_VAL(code_str);
 		fault_code_len = ZSTR_LEN(code_str);
@@ -571,6 +575,9 @@ PHP_METHOD(SoapFault, __construct)
 		RETURN_THROWS();
 	}
 
+	/* Delete previously set properties */
+	soap_fault_dtor_properties(ZEND_THIS);
+
 	if (name != NULL && name_len == 0) {
 		name = NULL;
 	}

ext/soap/tests/SoapFault/gh14586.phpt

@@ -6,7 +6,17 @@ soap
 <?php
 $sf = new SoapFault(null, "x");
 $sf->__construct(null, "x");
+try {
+    $sf->__construct("", "");
+} catch (ValueError) {}
+$sf->__construct(null, "x", headerFault: []);
+var_dump($sf->headerfault);
+$sf->__construct(null, "x");
+var_dump($sf->headerfault);
 ?>
 DONE
 --EXPECT--
+array(0) {
+}
+NULL
 DONE