From: Nikita Popov <nikita.ppv@gmail.com>
Date: Mon, 9 Mar 2020 13:59:59 +0000 (+0100)
Subject: Fixed bug #79357
X-Git-Tag: php-7.4.7RC1~148
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=760faa12b20db56bd3e2faab8d658f622af7da6a;p=php

Fixed bug #79357

Peculiarly, for once the cause was not SOAPs "interesting" error
handling, but a bug in the call trampoline for internal functions...
---

diff --git a/NEWS b/NEWS
index 7e6b0377d1..0836b20688 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,10 @@ PHP                                                                        NEWS
 
 ?? ??? ????, PHP 7.4.5
 
+- SOAP:
+  . Fixed bug #79357 (SOAP request segfaults when any request parameter is
+    missing). (Nikita)
+
 - Spl:
   . Fixed bug #75673 (SplStack::unserialize() behavior). (cmb)
 
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 26679777af..0282c3c584 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -8301,10 +8301,10 @@ ZEND_VM_HANDLER(158, ZEND_CALL_TRAMPOLINE, ANY, ANY)
 		}
 
 		if (ret == NULL) {
-			ZVAL_NULL(&retval);
 			ret = &retval;
 		}
 
+		ZVAL_NULL(ret);
 		if (!zend_execute_internal) {
 			/* saves one function call if zend_execute_internal is not used */
 			fbc->internal_function.handler(call, ret);
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 4da5094a79..d79bdb1c1f 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -2806,10 +2806,10 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_CALL_TRAMPOLINE_SPEC_HANDLER(Z
 		}
 
 		if (ret == NULL) {
-			ZVAL_NULL(&retval);
 			ret = &retval;
 		}
 
+		ZVAL_NULL(ret);
 		if (!zend_execute_internal) {
 			/* saves one function call if zend_execute_internal is not used */
 			fbc->internal_function.handler(call, ret);
diff --git a/ext/soap/tests/bug79357.phpt b/ext/soap/tests/bug79357.phpt
new file mode 100644
index 0000000000..da3cce5dc2
--- /dev/null
+++ b/ext/soap/tests/bug79357.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #79357: SOAP request segfaults when any request parameter is missing
+--FILE--
+<?php
+
+$sc = new SoapClient(__DIR__ . '/bug79357.wsdl');
+$res = $sc->Add(['intA'=>1]);
+var_dump($res);
+
+?>
+--EXPECTF--
+Fatal error: Uncaught SoapFault exception: [Client] SOAP-ERROR: Encoding: object has no 'intB' property in %s:%d
+Stack trace:
+#0 %s(%d): SoapClient->__call('Add', Array)
+#1 {main}
+  thrown in %s on line %d
diff --git a/ext/soap/tests/bug79357.wsdl b/ext/soap/tests/bug79357.wsdl
new file mode 100644
index 0000000000..9b69a1c20e
--- /dev/null
+++ b/ext/soap/tests/bug79357.wsdl
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="utf-8"?>
+<wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/" xmlns:tns="http://tempuri.org/" xmlns:s="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:http="http://schemas.xmlsoap.org/wsdl/http/" targetNamespace="http://tempuri.org/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">
+  <wsdl:types>
+    <s:schema elementFormDefault="qualified" targetNamespace="http://tempuri.org/">
+      <s:element name="Add">
+        <s:complexType>
+          <s:sequence>
+            <s:element minOccurs="1" maxOccurs="1" name="intA" type="s:int" />
+            <s:element minOccurs="1" maxOccurs="1" name="intB" type="s:int" />
+          </s:sequence>
+        </s:complexType>
+      </s:element>
+      <s:element name="AddResponse">
+        <s:complexType>
+          <s:sequence>
+            <s:element minOccurs="1" maxOccurs="1" name="AddResult" type="s:int" />
+          </s:sequence>
+        </s:complexType>
+      </s:element>
+    </s:schema>
+  </wsdl:types>
+  <wsdl:message name="AddSoapIn">
+    <wsdl:part name="parameters" element="tns:Add" />
+  </wsdl:message>
+  <wsdl:message name="AddSoapOut">
+    <wsdl:part name="parameters" element="tns:AddResponse" />
+  </wsdl:message>
+  <wsdl:portType name="CalculatorSoap">
+    <wsdl:operation name="Add">
+      <wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Adds two integers. This is a test WebService. ©DNE Online</wsdl:documentation>
+      <wsdl:input message="tns:AddSoapIn" />
+      <wsdl:output message="tns:AddSoapOut" />
+    </wsdl:operation>
+  </wsdl:portType>
+  <wsdl:binding name="CalculatorSoap" type="tns:CalculatorSoap">
+    <soap:binding transport="http://schemas.xmlsoap.org/soap/http" />
+    <wsdl:operation name="Add">
+      <soap:operation soapAction="http://tempuri.org/Add" style="document" />
+      <wsdl:input>
+        <soap:body use="literal" />
+      </wsdl:input>
+      <wsdl:output>
+        <soap:body use="literal" />
+      </wsdl:output>
+    </wsdl:operation>
+  </wsdl:binding>
+  <wsdl:service name="Calculator">
+    <wsdl:port name="CalculatorSoap" binding="tns:CalculatorSoap">
+      <soap:address location="http://www.dneonline.com/calculator.asmx" />
+    </wsdl:port>
+  </wsdl:service>
+</wsdl:definitions>