
heap-use-after-free ext/soap/php_encoding.c:299:32 in soap_check_zval_ref #18640


Open
YuanchengJiang opened this issue May 24, 2025 · 0 comments


@YuanchengJiang

Description

The following code:

```php
<?php
// The WSDL is expected next to this script. The file name is the one used by
// php-src's ext/soap/tests/bugs/bug35142.phpt, which this fuzz case appears to
// be derived from.
$wsdl = __DIR__."/bug35142.wsdl";

class TestSoapClient extends SoapClient {
}

// 'exceptions' => 0 makes transport failures come back as SoapFault objects
// instead of being thrown; the request is serialised before any transport.
$soapClient = new TestSoapClient($wsdl,
    array('trace' => 1, 'exceptions' => 0,
          'classmap' => array('logOnEvent' => 'LogOnEvent',
                              'events' => 'IVREvents'),
          'features' => SOAP_SINGLE_ELEMENT_ARRAYS));

// $timestamp is undefined on the right-hand side (a warning, not an error).
// The resulting LogOnEvent instance is then shared by both LogOffEvent objects,
// so the same object is reachable twice from the $ivrEvents graph.
$timestamp = new LogOnEvent(34567, $timestamp);
$logOffEvents[] = new LogOffEvent(34567, $timestamp, "Smoked");
$logOffEvents[] = new LogOffEvent(34568, $timestamp, "SmokeFree");
// $logOnEvent is never assigned, so NULL is passed for the 5th argument.
$ivrEvents = new IVREvents("1.0", 101, 12345, 'IVR', $logOnEvent, $logOffEvents);

// Serialising $ivrEvents for the call is what triggers the use-after-free;
// the call does not need to reach a server.
$result = $soapClient->PostEvents($ivrEvents);

// Classes without a parent are hoisted, so declaring them after use is fine.
// The dynamic properties set below are deprecated on PHP 8.2+ but still work.
class LogOffEvent {
    function __construct($audienceMemberId, $timestamp, $smokeStatus) {
        $this->timestamp = $timestamp;
    }
}
class LogOnEvent {
}
class IVREvents {
    function __construct($version, $activityId, $messageId, $source, $timestamp=NULL, $logOffEvent=NULL) {
        $this->logOffEvent = $logOffEvent;
    }
}
```

Resulted in this output:

=================================================================
==3374891==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000077f18 at pc 0x000002ac1b98 bp 0x7fff2031d110 sp 0x7fff2031d108
READ of size 8 at 0x60c000077f18 thread T0
    #0 0x2ac1b97 in soap_check_zval_ref /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:299:32
    #1 0x2a7270b in to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1914:7
    #2 0x2a9deb2 in sdl_guess_convert_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:3346:12
    #3 0x2a973e1 in master_to_xml_int /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:505:11
    #4 0x2a90b10 in master_to_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:516:9
    #5 0x2a7209d in to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1894:16
    #6 0x2a9deb2 in sdl_guess_convert_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:3346:12
    #7 0x2a973e1 in master_to_xml_int /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:505:11
    #8 0x2a90b10 in master_to_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:516:9
    #9 0x2a73f65 in to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1958:16
    #10 0x2a9deb2 in sdl_guess_convert_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:3346:12
    #11 0x2a973e1 in master_to_xml_int /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:505:11
    #12 0x2a90b10 in master_to_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:516:9
    #13 0x2a7209d in to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1894:16
    #14 0x2a9deb2 in sdl_guess_convert_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:3346:12
    #15 0x2a973e1 in master_to_xml_int /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:505:11
    #16 0x2a90b10 in master_to_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:516:9
    #17 0x2ac677e in model_to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1678:19
    #18 0x2acafe8 in model_to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1772:10
    #19 0x2acafe8 in model_to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1772:10
    #20 0x2a736b2 in to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1946:5
    #21 0x2a9deb2 in sdl_guess_convert_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:3346:12
    #22 0x2a973e1 in master_to_xml_int /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:505:11
    #23 0x2a90b10 in master_to_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:516:9
    #24 0x2c9bd88 in serialize_zval /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:4176:13
    #25 0x2c99dc0 in serialize_parameter /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:4147:13
    #26 0x2c91bec in serialize_function_call /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:4010:12
    #27 0x2c89503 in do_soap_call /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:2387:16
    #28 0x2c61db0 in soap_client_call_common /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:2562:2
    #29 0x2c6081a in zim_SoapClient___call /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:2582:2
    #30 0x4f976ce in ZEND_CALL_TRAMPOLINE_SPEC_HANDLER /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:3618:4
    #31 0x4a3d293 in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:58666:12
    #32 0x4a3f81c in zend_execute /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:64355:2
    #33 0x57b1f89 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1943:3
    #34 0x3faef6a in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2594:13
    #35 0x3fb00a8 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2634:9
    #36 0x57c6e9a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:952:5
    #37 0x57c127f in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1363:18
    #38 0x713c49a54d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #39 0x713c49a54e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #40 0x606164 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x606164)

0x60c000077f18 is located 88 bytes inside of 120-byte region [0x60c000077ec0,0x60c000077f38)
freed by thread T0 here:
    #0 0x680dc2 in free (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x680dc2)
    #1 0x2a74fea in to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1977:8
    #2 0x2a9deb2 in sdl_guess_convert_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:3346:12
    #3 0x2a973e1 in master_to_xml_int /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:505:11
    #4 0x2a90b10 in master_to_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:516:9
    #5 0x2a7209d in to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1894:16
    #6 0x2a9deb2 in sdl_guess_convert_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:3346:12
    #7 0x2a973e1 in master_to_xml_int /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:505:11
    #8 0x2a90b10 in master_to_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:516:9
    #9 0x2ac677e in model_to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1678:19
    #10 0x2acafe8 in model_to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1772:10
    #11 0x2acafe8 in model_to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1772:10
    #12 0x2a736b2 in to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1946:5
    #13 0x2a9deb2 in sdl_guess_convert_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:3346:12
    #14 0x2a973e1 in master_to_xml_int /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:505:11
    #15 0x2a90b10 in master_to_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:516:9
    #16 0x2c9bd88 in serialize_zval /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:4176:13
    #17 0x2c99dc0 in serialize_parameter /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:4147:13
    #18 0x2c91bec in serialize_function_call /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:4010:12
    #19 0x2c89503 in do_soap_call /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:2387:16
    #20 0x2c61db0 in soap_client_call_common /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:2562:2
    #21 0x2c6081a in zim_SoapClient___call /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:2582:2
    #22 0x4f976ce in ZEND_CALL_TRAMPOLINE_SPEC_HANDLER /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:3618:4
    #23 0x4a3d293 in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:58666:12
    #24 0x4a3f81c in zend_execute /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:64355:2
    #25 0x57b1f89 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1943:3
    #26 0x3faef6a in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2594:13
    #27 0x3fb00a8 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2634:9
    #28 0x57c6e9a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:952:5
    #29 0x57c127f in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1363:18

previously allocated by thread T0 here:
    #0 0x68102d in malloc (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x68102d)
    #1 0x713c4a4b05f4 in xmlNewNode (/lib/x86_64-linux-gnu/libxml2.so.2+0x625f4)

SUMMARY: AddressSanitizer: heap-use-after-free /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:299:32 in soap_check_zval_ref
Shadow bytes around the buggy address:
  0x0c1880006f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c1880006fa0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1880006fb0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c1880006fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c1880006fd0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c1880006fe0: fd fd fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c1880006ff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c1880007000: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1880007010: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c1880007020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c1880007030: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3374891==ABORTING

To reproduce:

./php-src/sapi/cli/php  ./test.php

Commit:

dfff6ac852a23c6e33c06c7716d095ad4a7166d8

Configurations:

CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv

Operating System:

Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest

This report is automatically generated by FlowFusion

PHP Version

dfff6ac852a23c6e33c06c7716d095ad4a7166d8

Operating System

No response
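Reading the report above: the 8-byte read in soap_check_zval_ref (php_encoding.c:299) lands 88 bytes into a 120-byte block that libxml2's xmlNewNode allocated and that to_xml_object (php_encoding.c:1977) had already freed earlier in the same PostEvents serialisation. On LP64 builds sizeof(xmlNode) is 120 and offset 88 is its `properties` field, so the read is an attribute lookup on an element node that no longer exists, while the reproducer makes one LogOnEvent instance reachable from both LogOffEvent objects through `$timestamp`. That is consistent with the encoder's multi-reference bookkeeping still holding a pointer to a node that a failing encode path released. The C program below is an added, self-contained model of that bug class together with its fix; it is not ext/soap code, the node and map types are simplified stand-ins, and reading this as the exact root cause of #18640 is an inference from the trace, not something the report states.

```c
/*
 * Added example, not ext/soap code: a model of the bug class the ASan report
 * above points at. A serializer keeps a reference map from object identity to
 * the node already emitted for that object, so a second occurrence becomes a
 * reference rather than a copy. If any path frees an emitted node without
 * evicting its map entry, the next lookup hands back a dangling pointer.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for libxml2's xmlNode, reduced to the fields this model uses. */
typedef struct node {
    const char *name;
    struct node *properties;   /* attribute list, the field read in the report */
} node_t;

#define MAX_REFS 16
typedef struct { const void *obj; node_t *node; } ref_entry_t;
typedef struct { ref_entry_t entries[MAX_REFS]; int count; } ref_map_t;

static node_t *node_new(const char *name)
{
    node_t *n = calloc(1, sizeof *n);
    if (n == NULL) { perror("calloc"); exit(1); }
    n->name = name;
    return n;
}

/* Remember that obj was serialised as node (the multi-ref bookkeeping). */
static void ref_map_put(ref_map_t *m, const void *obj, node_t *node)
{
    if (m->count == MAX_REFS) return;
    m->entries[m->count++] = (ref_entry_t){ obj, node };
}

/* Lookup by object identity; NULL when obj has not been emitted yet. */
static node_t *ref_map_get(const ref_map_t *m, const void *obj)
{
    for (int i = 0; i < m->count; i++)
        if (m->entries[i].obj == obj) return m->entries[i].node;
    return NULL;
}

/* Drop every entry that points at node; must run before node is freed. */
static void ref_map_evict_node(ref_map_t *m, const node_t *node)
{
    int w = 0;
    for (int i = 0; i < m->count; i++)
        if (m->entries[i].node != node) m->entries[w++] = m->entries[i];
    m->count = w;
}

/* Serialise obj: register the node first (so nested occurrences of obj become
 * references), then encode the body. fail_body simulates the body failing, the
 * path that frees the partially built node. fixed selects eviction first. */
static node_t *encode_object(ref_map_t *m, const void *obj, int fail_body, int fixed,
                             uintptr_t *freed_addr)
{
    node_t *n = node_new("object");
    ref_map_put(m, obj, n);
    if (fail_body) {
        if (fixed)
            ref_map_evict_node(m, n);
        *freed_addr = (uintptr_t)n;
        free(n);                        /* unfixed: the map entry now dangles */
        return NULL;
    }
    return n;
}

/* Scenario from the report: one object reachable twice; its first encoding
 * fails after registration, the second consults the map. Returns 1 when the
 * lookup yields the freed node (compared by address, never dereferenced). */
static int lookup_returns_freed_node(int fixed)
{
    ref_map_t map = {0};
    int shared_object;                  /* identity only: stands in for the PHP object */
    uintptr_t freed = 0;

    (void)encode_object(&map, &shared_object, 1, fixed, &freed);
    return (uintptr_t)ref_map_get(&map, &shared_object) == freed;
}

/* With the fix, the second encounter is simply encoded afresh. */
static int reencode_succeeds_after_fix(void)
{
    ref_map_t map = {0};
    int shared_object;
    uintptr_t freed = 0;

    (void)encode_object(&map, &shared_object, 1, 1, &freed);
    node_t *again = encode_object(&map, &shared_object, 0, 1, &freed);
    int ok = again != NULL && ref_map_get(&map, &shared_object) == again;
    ref_map_evict_node(&map, again);
    free(again);
    return ok;
}

int main(void)
{
    printf("unfixed lookup returns freed node: %d\n", lookup_returns_freed_node(0));
    printf("fixed lookup returns freed node:   %d\n", lookup_returns_freed_node(1));
    printf("re-encode after fix ok:            %d\n", reencode_succeeds_after_fix());
    return 0;
}
```

The model never dereferences the stale pointer, so it runs clean under ASan; the point is the state it leaves behind. The two defensible fixes for this class are to evict the map entry on every path that frees a registered node (what `ref_map_evict_node` does here) or to register a node only once it is complete, so that no failure path can free something the map already points at.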
