crash with bad soap request

Bug #70979

Submitted:

2015-11-26 15:59 UTC

Modified:

2016-01-12 14:33 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

b dot collin at immanens dot com

Assigned:

Status:

Closed

Package:

Reproducible crash

PHP Version:

5.6.15

OS:

Windows

Private report:

CVE-ID:

None

[2015-11-26 15:59 UTC] b dot collin at immanens dot com

Description:
------------
PHP is use as cgi process.
IIS 7.5
php 5.6.15 nts as FastCgi



When you run a bad soap request, it crash de cgi

The script below reproduce it.

Just have to put it on a server and call it via curl.

Thank you


[PHP Modules]
bcmath
calendar
Core
ctype
curl
date
dom
ereg
filter
ftp
gd
gettext
hash
iconv
json
libxml
mbstring
mcrypt
mhash
mysql
mysqli
mysqlnd
odbc
openssl
pcre
PDO
pdo_mysql
Phar
Reflection
session
SimpleXML
soap
SPL
standard
tokenizer
wddx
xml
xmlreader
xmlwriter
zip
zlib

[Zend Modules]

Test script:
---------------
https://drive.google.com/file/d/0B3XRMAnEe84Sc1NhM3lDcUc4dWs/view?pli=1

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-01-12 14:30 UTC] b dot collin at immanens dot com

It seem to appear when always_populate_raw_post_data is not configure in the php.ini or is configure with always_populate_raw_post_data = On

I compile a debug version in Visual Studio.
It crash on this :

zend_class_entry *zend_std_object_get_class(const zval *object TSRMLS_DC) /* {{{ */
{
	zend_object *zobj;
	zobj = Z_OBJ_P(object);

	return zobj->ce;
}
/* }}} */

with the message :
Unhandled exception at 0x00007FFF817BA6FD (php5_debug.dll) in php-cgi.exe: 0xC0000005: Access violation reading location 0xFFFFFFFFFFFFFFFF.

When accessing to the zobj->ce


The call stack is : 
 	php5_debug.dll!zend_std_object_get_class(const _zval_struct * object) Line 1528	C
 	php5_debug.dll!zend_get_class_entry(const _zval_struct * zobject) Line 238	C
 	php_soap.dll!soap_error_handler(int error_num, const char * error_filename, const unsigned int error_lineno, const char * format, char * args) Line 2145	C
>	php5_debug.dll!zend_error(int type, const char * format, ...) Line 1133	C
 	php5_debug.dll!php_default_post_reader() Line 82	C
 	php5_debug.dll!sapi_read_post_data() Line 249	C
 	php5_debug.dll!sapi_activate() Line 488	C
 	php5_debug.dll!php_request_startup() Line 1638	C
 	php-cgi.exe!main(int argc, char * * argv) Line 2334	C
 	php-cgi.exe!__tmainCRTStartup() Line 536	C
 	php-cgi.exe!mainCRTStartup() Line 377	C
 	kernel32.dll!00007fffaa0b13d2()	Unknown
 	ntdll.dll!00007fffac575454()	Unknown


zend_error_cb seem to be call with parameter :
 type=8192, error_filename="Unknown", error_lino=0, format="automatically populating $http_raw_post_data is deprecated and will be removed in a future version", args="\b"


I don't succeed to understand the bug to propose a patch, but I hope it must help to solve this problem


Best Regards

[2016-01-12 14:33 UTC] b dot collin at immanens dot com

I forgot, my configure line is : 

configure "--enable-snapshot-build" "--enable-debug" "--disable-zts" "--disable-isapi" "--disable-nsapi" "--without-mssql" "--without-pdo-mssql" "--without-pi3web" "--with-pdo-oci=c:\php-sdk\oracle\x64\instantclient_12_1\sdk,shared" "--with-oci8-12c=c:\php-sdk\oracle\x64\instantclient_12_1\sdk,shared" "--with-enchant=shared" "--enable-object-out-dir=../obj/" "--enable-com-dotnet=shared" "--with-mcrypt=static" "--without-analyzer"

[2016-01-14 16:49 UTC] ab@php.net

-Status: Open +Status: Closed