Description
The following code:
<?php
// The WSDL fixture is loaded from the script's own directory; its contents are not part of this report.
$wsdl = __DIR__."/bug35142.wsdl";
// Empty subclass: nothing is overridden, so the PostEvents() call further down is
// dispatched through SoapClient::__call (zim_SoapClient___call in the trace below).
class TestSoapClient extends SoapClient {
}
// Client options: 'exceptions' => 0 makes SOAP faults be returned rather than thrown,
// and the classmap binds the WSDL types to the user classes declared further down.
$soapClient = new TestSoapClient($wsdl,
array('trace' => 1, 'exceptions' => 0,
'classmap' => array('logOnEvent' => 'LogOnEvent',
'events' => 'IVREvents'),
'features' => SOAP_SINGLE_ELEMENT_ARRAYS));
// $timestamp is read before it is assigned (undefined variable -> null). LogOnEvent
// declares no constructor, so both arguments are discarded; $timestamp ends up as a
// bare LogOnEvent instance.
$timestamp = new LogOnEvent(34567, $timestamp);
// Both LogOffEvent instances hold the *same* LogOnEvent object in $this->timestamp;
// their other constructor arguments are never stored.
$logOffEvents[] = new LogOffEvent(34567, $timestamp, "Smoked");
$logOffEvents[] = new LogOffEvent(34568, $timestamp, "SmokeFree");
// $logOnEvent is never assigned (undefined variable -> null). IVREvents keeps only its
// last argument, so the payload is one IVREvents wrapping the two LogOffEvents above.
$ivrEvents = new IVREvents("1.0", 101, 12345, 'IVR', $logOnEvent, $logOffEvents);
// PostEvents is not a method of the class, so the call goes __call -> do_soap_call ->
// serialize_function_call -> to_xml_object. ASan reports the heap-use-after-free in
// soap_check_zval_ref while that serializer walks this object graph (the node freed at
// php_encoding.c:1977 is read again at :299), i.e. while the outgoing request is still
// being built from caller-supplied objects. The LogOnEvent instance shared by the two
// LogOffEvents is presumably what the reference-tracking code trips over -- confirm
// against php_encoding.c. $result is never inspected.
$result = $soapClient->PostEvents($ivrEvents);
// Only $timestamp is retained, as an undeclared (dynamically created) property;
// $audienceMemberId and $smokeStatus are accepted but never stored.
class LogOffEvent {
function __construct($audienceMemberId, $timestamp, $smokeStatus) {
$this->timestamp = $timestamp;
}
}
// No constructor and no properties: `new LogOnEvent(34567, $timestamp)` above silently
// ignores its arguments, and instances carry no state of their own.
class LogOnEvent {
}
// Of the six parameters only $logOffEvent is stored (again as a dynamic property);
// $version, $activityId, $messageId, $source and $timestamp are dropped.
class IVREvents {
function __construct($version, $activityId, $messageId, $source, $timestamp=NULL, $logOffEvent=NULL) {
$this->logOffEvent = $logOffEvent;
}
}
Resulted in this output:
=================================================================
==3374891==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000077f18 at pc 0x000002ac1b98 bp 0x7fff2031d110 sp 0x7fff2031d108
READ of size 8 at 0x60c000077f18 thread T0
#0 0x2ac1b97 in soap_check_zval_ref /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:299:32
#1 0x2a7270b in to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1914:7
#2 0x2a9deb2 in sdl_guess_convert_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:3346:12
#3 0x2a973e1 in master_to_xml_int /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:505:11
#4 0x2a90b10 in master_to_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:516:9
#5 0x2a7209d in to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1894:16
#6 0x2a9deb2 in sdl_guess_convert_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:3346:12
#7 0x2a973e1 in master_to_xml_int /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:505:11
#8 0x2a90b10 in master_to_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:516:9
#9 0x2a73f65 in to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1958:16
#10 0x2a9deb2 in sdl_guess_convert_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:3346:12
#11 0x2a973e1 in master_to_xml_int /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:505:11
#12 0x2a90b10 in master_to_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:516:9
#13 0x2a7209d in to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1894:16
#14 0x2a9deb2 in sdl_guess_convert_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:3346:12
#15 0x2a973e1 in master_to_xml_int /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:505:11
#16 0x2a90b10 in master_to_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:516:9
#17 0x2ac677e in model_to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1678:19
#18 0x2acafe8 in model_to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1772:10
#19 0x2acafe8 in model_to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1772:10
#20 0x2a736b2 in to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1946:5
#21 0x2a9deb2 in sdl_guess_convert_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:3346:12
#22 0x2a973e1 in master_to_xml_int /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:505:11
#23 0x2a90b10 in master_to_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:516:9
#24 0x2c9bd88 in serialize_zval /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:4176:13
#25 0x2c99dc0 in serialize_parameter /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:4147:13
#26 0x2c91bec in serialize_function_call /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:4010:12
#27 0x2c89503 in do_soap_call /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:2387:16
#28 0x2c61db0 in soap_client_call_common /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:2562:2
#29 0x2c6081a in zim_SoapClient___call /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:2582:2
#30 0x4f976ce in ZEND_CALL_TRAMPOLINE_SPEC_HANDLER /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:3618:4
#31 0x4a3d293 in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:58666:12
#32 0x4a3f81c in zend_execute /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:64355:2
#33 0x57b1f89 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1943:3
#34 0x3faef6a in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2594:13
#35 0x3fb00a8 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2634:9
#36 0x57c6e9a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:952:5
#37 0x57c127f in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1363:18
#38 0x713c49a54d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#39 0x713c49a54e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#40 0x606164 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x606164)
0x60c000077f18 is located 88 bytes inside of 120-byte region [0x60c000077ec0,0x60c000077f38)
freed by thread T0 here:
#0 0x680dc2 in free (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x680dc2)
#1 0x2a74fea in to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1977:8
#2 0x2a9deb2 in sdl_guess_convert_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:3346:12
#3 0x2a973e1 in master_to_xml_int /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:505:11
#4 0x2a90b10 in master_to_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:516:9
#5 0x2a7209d in to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1894:16
#6 0x2a9deb2 in sdl_guess_convert_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:3346:12
#7 0x2a973e1 in master_to_xml_int /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:505:11
#8 0x2a90b10 in master_to_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:516:9
#9 0x2ac677e in model_to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1678:19
#10 0x2acafe8 in model_to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1772:10
#11 0x2acafe8 in model_to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1772:10
#12 0x2a736b2 in to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1946:5
#13 0x2a9deb2 in sdl_guess_convert_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:3346:12
#14 0x2a973e1 in master_to_xml_int /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:505:11
#15 0x2a90b10 in master_to_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:516:9
#16 0x2c9bd88 in serialize_zval /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:4176:13
#17 0x2c99dc0 in serialize_parameter /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:4147:13
#18 0x2c91bec in serialize_function_call /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:4010:12
#19 0x2c89503 in do_soap_call /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:2387:16
#20 0x2c61db0 in soap_client_call_common /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:2562:2
#21 0x2c6081a in zim_SoapClient___call /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:2582:2
#22 0x4f976ce in ZEND_CALL_TRAMPOLINE_SPEC_HANDLER /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:3618:4
#23 0x4a3d293 in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:58666:12
#24 0x4a3f81c in zend_execute /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:64355:2
#25 0x57b1f89 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1943:3
#26 0x3faef6a in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2594:13
#27 0x3fb00a8 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2634:9
#28 0x57c6e9a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:952:5
#29 0x57c127f in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1363:18
previously allocated by thread T0 here:
#0 0x68102d in malloc (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x68102d)
#1 0x713c4a4b05f4 in xmlNewNode (/lib/x86_64-linux-gnu/libxml2.so.2+0x625f4)
SUMMARY: AddressSanitizer: heap-use-after-free /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:299:32 in soap_check_zval_ref
Shadow bytes around the buggy address:
0x0c1880006f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c1880006fa0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c1880006fb0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
0x0c1880006fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
0x0c1880006fd0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c1880006fe0: fd fd fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa
0x0c1880006ff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c1880007000: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c1880007010: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
0x0c1880007020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c1880007030: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3374891==ABORTING
To reproduce:
./php-src/sapi/cli/php ./test.php
Commit:
dfff6ac852a23c6e33c06c7716d095ad4a7166d8
Configurations:
CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv
Operating System:
Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest
This report is automatically generated by FlowFusion
PHP Version
dfff6ac852a23c6e33c06c7716d095ad4a7166d8
Operating System
No response