From c7a4bc1677bfc60eb9e8ee015f4bf30596ee878d Mon Sep 17 00:00:00 2001
From: Felipe Pena
Date: Sun, 20 Jul 2008 15:52:07 +0000
Subject: [PATCH] MFB: - Fixed bug #45556 (Return value from callback isn't freed). - Fixed bug #45555 (Segfault with invalid non-string as register_introspection_callback). - Fixed wrong arginfo for xmlrpc_encode_request()

---
 ext/xmlrpc/tests/bug45555.phpt | 20 ++++++++++
 ext/xmlrpc/tests/bug45556.phpt | 41 ++++++++++++++++++++
 ext/xmlrpc/xmlrpc-epi-php.c | 70 ++++++++++++++++------------------
 3 files changed, 94 insertions(+), 37 deletions(-)
 create mode 100644 ext/xmlrpc/tests/bug45555.phpt
 create mode 100644 ext/xmlrpc/tests/bug45556.phpt

diff --git a/ext/xmlrpc/tests/bug45555.phpt b/ext/xmlrpc/tests/bug45555.phpt
new file mode 100644
index 0000000000..376b14fec0
--- /dev/null
+++ b/ext/xmlrpc/tests/bug45555.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #45555 (Segfault with invalid non-string as register_introspection_callback)
+--FILE--
+ 'xml', 'version' => 'xmlrpc');
+xmlrpc_server_call_method ($server, $request, NULL, $options);
+
+?>
+--EXPECTF--
+Warning: xmlrpc_server_call_method(): Invalid callback '1' passed in %s on line %d
+
+Warning: xmlrpc_server_call_method(): Invalid callback 'foo::bar' passed in %s on line %d
diff --git a/ext/xmlrpc/tests/bug45556.phpt b/ext/xmlrpc/tests/bug45556.phpt
new file mode 100644
index 0000000000..9c73e0e5df
--- /dev/null
+++ b/ext/xmlrpc/tests/bug45556.phpt
@@ -0,0 +1,41 @@ +--TEST-- +Bug #45556 (Return value from callback isn't freed) +--FILE-- + 'xml', 'version' => 'xmlrpc'); +xmlrpc_server_call_method ($server, $request, NULL, $options); + +?> +--EXPECTF-- + +Warning: xmlrpc_server_call_method(): Invalid callback 'foobar' passed in %s on line %d +expat reports error code 5 + description: Invalid document end + line: 1 + column: 1 + byte index: 0 + total bytes: 0 + + data beginning 0 before byte index: foo + +Warning: xmlrpc_server_call_method(): xml parse error: [line 1, column 1, message: Invalid document end] Unable to add introspection data returned from bar::test() in %s on line %d + +Warning: xmlrpc_server_call_method(): Invalid callback 'foo::bar' passed in %s on line %d diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c index 7a0e5893ff..825b263ff3 100644 --- a/ext/xmlrpc/xmlrpc-epi-php.c +++ b/ext/xmlrpc/xmlrpc-epi-php.c @@ -97,7 +97,7 @@ ZEND_END_ARG_INFO() static ZEND_BEGIN_ARG_INFO_EX(arginfo_xmlrpc_encode_request, 0, 0, 2) ZEND_ARG_INFO(0, method) - ZEND_ARG_INFO(1, params) + ZEND_ARG_INFO(0, params) ZEND_ARG_INFO(0, output_options) ZEND_END_ARG_INFO() 
@@ -951,58 +951,54 @@ static XMLRPC_VALUE php_xmlrpc_callback(XMLRPC_SERVER server, XMLRPC_REQUEST xRe */ static void php_xmlrpc_introspection_callback(XMLRPC_SERVER server, void* data) /* {{{ */ { - zval *retval_ptr, **php_function; + zval retval, **php_function; zval* callback_params[1]; + zval php_function_name; xmlrpc_callback_data* pData = (xmlrpc_callback_data*)data; TSRMLS_FETCH(); - MAKE_STD_ZVAL(retval_ptr); - Z_TYPE_P(retval_ptr) = IS_NULL; - /* setup data hoojum */ callback_params[0] = pData->caller_params; /* loop through and call all registered callbacks */ zend_hash_internal_pointer_reset(Z_ARRVAL_P(pData->server->introspection_map)); while(1) { - if(zend_hash_get_current_data(Z_ARRVAL_P(pData->server->introspection_map), - (void**)&php_function) == SUCCESS) { - - /* php func prototype: function string user_func($user_params) */ - if(call_user_function(CG(function_table), NULL, *php_function, - retval_ptr, 1, callback_params TSRMLS_CC) == SUCCESS) { - XMLRPC_VALUE xData; - STRUCT_XMLRPC_ERROR err = {0}; + if(zend_hash_get_current_data(Z_ARRVAL_P(pData->server->introspection_map), (void**)&php_function) == SUCCESS) { + if (zend_is_callable(*php_function, 0, &php_function_name)) { + /* php func prototype: function string user_func($user_params) */ + if (call_user_function(CG(function_table), NULL, *php_function, &retval, 1, callback_params TSRMLS_CC) == SUCCESS) { + XMLRPC_VALUE xData; + STRUCT_XMLRPC_ERROR err = {0}; - /* return value should be a string */ - convert_to_string(retval_ptr); + /* return value should be a string */ + convert_to_string(&retval); - xData = XMLRPC_IntrospectionCreateDescription(Z_STRVAL_P(retval_ptr), &err); + xData = XMLRPC_IntrospectionCreateDescription(Z_STRVAL(retval), &err); - if(xData) { - if(!XMLRPC_ServerAddIntrospectionData(server, xData)) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to add introspection data returned from %s(), improper element structure", Z_STRVAL_PP(php_function)); - } - 
XMLRPC_CleanupValue(xData); - } - else { - /* could not create description */ - if(err.xml_elem_error.parser_code) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "xml parse error: [line %ld, column %ld, message: %s] Unable to add introspection data returned from %s()", - err.xml_elem_error.column, err.xml_elem_error.line, err.xml_elem_error.parser_error, Z_STRVAL_PP(php_function)); - } - else { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to add introspection data returned from %s()", - Z_STRVAL_PP(php_function)); + if(xData) { + if(!XMLRPC_ServerAddIntrospectionData(server, xData)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to add introspection data returned from %v(), improper element structure", Z_UNIVAL(php_function_name)); + } + XMLRPC_CleanupValue(xData); + } else { + /* could not create description */ + if(err.xml_elem_error.parser_code) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "xml parse error: [line %ld, column %ld, message: %s] Unable to add introspection data returned from %v()", + err.xml_elem_error.column, err.xml_elem_error.line, err.xml_elem_error.parser_error, Z_UNIVAL(php_function_name)); + } else { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to add introspection data returned from %v()", Z_UNIVAL(php_function_name)); + } } + zval_dtor(&retval); + } else { + /* user func failed */ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error calling user introspection callback: %v()", Z_UNIVAL(php_function_name)); } + } else { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid callback '%v' passed", Z_UNIVAL(php_function_name)); } - else { - /* user func failed */ - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error calling user introspection callback: %s()", Z_STRVAL_PP(php_function)); - } - } - else { + zval_dtor(&php_function_name); + } else { break; } -- 2.40.0
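Review bot: The rewritten "xml parse error" warning in php_xmlrpc_introspection_callback still passes its position arguments in the wrong order: the format reads `[line %ld, column %ld, message: %s]` but the call supplies `err.xml_elem_error.column, err.xml_elem_error.line`, so the reported line and column are swapped. The order is carried over unchanged from the removed lines, and the new bug45556.phpt cannot catch it because its expected output has `line 1, column 1`. I would change the argument line to `err.xml_elem_error.line, err.xml_elem_error.column, err.xml_elem_error.parser_error, Z_UNIVAL(php_function_name));`. The function starts before and its loop continues after this hunk, so the rest of the body is not reviewed here.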