From 5dec48c22225cd2d31b4175bfc9ef0b8928a3e44 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Mon, 5 Aug 2024 20:55:38 +0200
Subject: [PATCH] Fix SoapFault property destruction

Two issues:
1) We should not modify the object when we pass invalid values
2) We should reset the properties to their default value otherwise we get a UAF.
Regressed in df219ccf9d6be8302eef3ab6e26fd00fbd2fef71
---
 ext/soap/soap.c | 13 ++++++++++---
 ext/soap/tests/SoapFault/gh14586.phpt | 10 ++++++++++
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/ext/soap/soap.c b/ext/soap/soap.c
index eaea09b461d57..3320f6dd4807f 100644
--- a/ext/soap/soap.c
+++ b/ext/soap/soap.c
@@ -529,6 +529,13 @@ static void soap_fault_dtor_properties(zval *obj)
 	zval_ptr_dtor(Z_FAULT_DETAIL_P(obj));
 	zval_ptr_dtor(Z_FAULT_NAME_P(obj));
 	zval_ptr_dtor(Z_FAULT_HEADERFAULT_P(obj));
+	ZVAL_EMPTY_STRING(Z_FAULT_STRING_P(obj));
+	ZVAL_NULL(Z_FAULT_CODE_P(obj));
+	ZVAL_NULL(Z_FAULT_CODENS_P(obj));
+	ZVAL_NULL(Z_FAULT_ACTOR_P(obj));
+	ZVAL_NULL(Z_FAULT_DETAIL_P(obj));
+	ZVAL_NULL(Z_FAULT_NAME_P(obj));
+	ZVAL_NULL(Z_FAULT_HEADERFAULT_P(obj));
 }
 
 /* {{{ SoapFault constructor */
@@ -550,9 +557,6 @@ PHP_METHOD(SoapFault, __construct)
 		Z_PARAM_ZVAL_OR_NULL(headerfault)
 	ZEND_PARSE_PARAMETERS_END();
 
-	/* Delete previously set properties */
-	soap_fault_dtor_properties(ZEND_THIS);
-
 	if (code_str) {
 		fault_code = ZSTR_VAL(code_str);
 		fault_code_len = ZSTR_LEN(code_str);
@@ -571,6 +575,9 @@ PHP_METHOD(SoapFault, __construct)
 		RETURN_THROWS();
 	}
 
+	/* Delete previously set properties */
+	soap_fault_dtor_properties(ZEND_THIS);
+
 	if (name != NULL && name_len == 0) {
 		name = NULL;
 	}
diff --git a/ext/soap/tests/SoapFault/gh14586.phpt b/ext/soap/tests/SoapFault/gh14586.phpt
index 91a273da09d5d..7aa7c37eb542a 100644
--- a/ext/soap/tests/SoapFault/gh14586.phpt
+++ b/ext/soap/tests/SoapFault/gh14586.phpt
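Review bot: The seven ZVAL_EMPTY_STRING/ZVAL_NULL lines added after the zval_ptr_dtor calls make soap_fault_dtor_properties re-initialise the slots as well as release them, but nothing in the function records why, and the name still reads as destruction only. A comment above the first reset, `/* Re-initialise to the declared defaults: a slot left pointing at a released zval is read again on the next construct or at object destruction (GH-14586). */`, would carry the reasoning the commit message gives into the code. The empty string for faultstring versus NULL for the other six presumably mirrors the class's property declarations; saying so in that comment would keep the two from drifting apart silently. The function's opening lines are outside the hunk.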
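Review bot: Moving soap_fault_dtor_properties(ZEND_THIS) below RETURN_THROWS() in the hunk at -571 (and out of the hunk at -550) means a rejected argument now leaves the previously set properties intact, but the ordering constraint itself is not stated, and the rest of the constructor is outside the hunk, so whether any later check between this call and the property writes can still throw cannot be confirmed here; if one can, the object would be left in the freshly reset state rather than its prior one. The name_len normalisation that follows does not throw. The moved comment could record the constraint: `/* Arguments are validated above; only now discard the previously set properties, so a failed call leaves the object unchanged. */`.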
@@ -6,7 +6,17 @@ soap __construct(null, "x"); +try { + $sf->__construct("", ""); +} catch (ValueError) {} +$sf->__construct(null, "x", headerFault: []); +var_dump($sf->headerfault); +$sf->__construct(null, "x"); +var_dump($sf->headerfault); ?> DONE --EXPECT-- +array(0) { +} +NULL DONE