fix bailout logic

LamentXU123 · LamentXU123 · commit 1db967276f09 · 2026-05-09T14:23:02.000+08:00
diff --git a/ext/soap/php_packet_soap.c b/ext/soap/php_packet_soap.c
@@ -18,6 +18,23 @@
 
 #include "php_soap.h"
 
+static void master_to_zval_with_doc_cleanup(zval *ret, encodePtr encode, xmlNodePtr data, xmlDocPtr doc)
+{
+	bool bailout = false;
+
+	/* SoapClient can turn decode errors into a bailout before parse_packet_soap() frees the response doc. */
+	zend_try {
+		master_to_zval(ret, encode, data);
+	} zend_catch {
+		bailout = true;
+	} zend_end_try();
+
+	if (bailout) {
+		xmlFreeDoc(doc);
+		zend_bailout();
+	}
+}
+
 /* SOAP client calls this function to parse response from SOAP server */
 bool parse_packet_soap(zval *this_ptr, char *buffer, int buffer_size, sdlFunctionPtr fn, char *fn_name, zval *return_value, zval *soap_headers)
 {
@@ -191,22 +208,22 @@ bool parse_packet_soap(zval *this_ptr, char *buffer, int buffer_size, sdlFunctio
 			tmp = get_node(fault->children, "faultstring");
 			if (tmp != NULL && tmp->children != NULL) {
 				zval zv;
-				master_to_zval(&zv, get_conversion(IS_STRING), tmp);
+				master_to_zval_with_doc_cleanup(&zv, get_conversion(IS_STRING), tmp, response);
 				convert_to_string(&zv)
 				faultstring = Z_STR(zv);
 			}
 
 			tmp = get_node(fault->children, "faultactor");
 			if (tmp != NULL && tmp->children != NULL) {
 				zval zv;
-				master_to_zval(&zv, get_conversion(IS_STRING), tmp);
+				master_to_zval_with_doc_cleanup(&zv, get_conversion(IS_STRING), tmp, response);
 				convert_to_string(&zv)
 				faultactor = Z_STR(zv);
 			}
 
 			tmp = get_node(fault->children, "detail");
 			if (tmp != NULL) {
-				master_to_zval(&details, NULL, tmp);
+				master_to_zval_with_doc_cleanup(&details, NULL, tmp, response);
 			}
 		} else {
 			tmp = get_node(fault->children, "Code");
@@ -223,15 +240,15 @@ bool parse_packet_soap(zval *this_ptr, char *buffer, int buffer_size, sdlFunctio
 				tmp = get_node(tmp->children,"Text");
 				if (tmp != NULL && tmp->children != NULL) {
 					zval zv;
-					master_to_zval(&zv, get_conversion(IS_STRING), tmp);
+					master_to_zval_with_doc_cleanup(&zv, get_conversion(IS_STRING), tmp, response);
 					convert_to_string(&zv)
 					faultstring = Z_STR(zv);
 				}
 			}
 
 			tmp = get_node(fault->children,"Detail");
 			if (tmp != NULL) {
-				master_to_zval(&details, NULL, tmp);
+				master_to_zval_with_doc_cleanup(&details, NULL, tmp, response);
 			}
 		}
 		add_soap_fault(this_ptr, faultcode, faultstring ? ZSTR_VAL(faultstring) : NULL, faultactor ? ZSTR_VAL(faultactor) : NULL, &details);
@@ -324,9 +341,9 @@ bool parse_packet_soap(zval *this_ptr, char *buffer, int buffer_size, sdlFunctio
 					} else {
 						/* Decoding value of parameter */
 						if (param != NULL) {
-							master_to_zval(&tmp, param->encode, val);
+							master_to_zval_with_doc_cleanup(&tmp, param->encode, val, response);
 						} else {
-							master_to_zval(&tmp, NULL, val);
+							master_to_zval_with_doc_cleanup(&tmp, NULL, val, response);
 						}
 					}
 					add_assoc_zval(return_value, param->paramName, &tmp);
@@ -347,7 +364,7 @@ bool parse_packet_soap(zval *this_ptr, char *buffer, int buffer_size, sdlFunctio
 						zval tmp;
 						zval *arr;
 
-						master_to_zval(&tmp, NULL, val);
+						master_to_zval_with_doc_cleanup(&tmp, NULL, val, response);
 						if (val->name) {
 							if ((arr = zend_hash_str_find(Z_ARRVAL_P(return_value), (char*)val->name, strlen((char*)val->name))) != NULL) {
 								add_next_index_zval(arr, &tmp);
@@ -412,7 +429,7 @@ bool parse_packet_soap(zval *this_ptr, char *buffer, int buffer_size, sdlFunctio
 					}
 					smart_str_free(&key);
 				}
-				master_to_zval(&val, enc, trav);
+				master_to_zval_with_doc_cleanup(&val, enc, trav, response);
 				add_assoc_zval(soap_headers, (char*)trav->name, &val);
 			}
 			trav = trav->next;
diff --git a/ext/soap/soap.c b/ext/soap/soap.c
@@ -2408,9 +2408,19 @@ static void do_soap_call(zend_execute_data *execute_data,
 				request = NULL;
 
 				if (ret && Z_TYPE(response) == IS_STRING) {
+					bool parse_bailout = false;
+
 					encode_reset_ns();
-					ret = parse_packet_soap(this_ptr, Z_STRVAL(response), Z_STRLEN(response), fn, NULL, return_value, output_headers);
+					zend_try {
+						ret = parse_packet_soap(this_ptr, Z_STRVAL(response), Z_STRLEN(response), fn, NULL, return_value, output_headers);
+					} zend_catch {
+						parse_bailout = true;
+					} zend_end_try();
 					encode_finish();
+					if (parse_bailout) {
+						zval_ptr_dtor(&response);
+						zend_bailout();
+					}
 				}
 
 				zval_ptr_dtor(&response);
@@ -2452,9 +2462,19 @@ static void do_soap_call(zend_execute_data *execute_data,
 				request = NULL;
 
 				if (ret && Z_TYPE(response) == IS_STRING) {
+					bool parse_bailout = false;
+
 					encode_reset_ns();
-					ret = parse_packet_soap(this_ptr, Z_STRVAL(response), Z_STRLEN(response), NULL, NULL, return_value, output_headers);
+					zend_try {
+						ret = parse_packet_soap(this_ptr, Z_STRVAL(response), Z_STRLEN(response), NULL, NULL, return_value, output_headers);
+					} zend_catch {
+						parse_bailout = true;
+					} zend_end_try();
 					encode_finish();
+					if (parse_bailout) {
+						zval_ptr_dtor(&response);
+						zend_bailout();
+					}
 				}
 
 				zval_ptr_dtor(&response);
diff --git a/ext/soap/tests/soap_array_index_overflow.phpt b/ext/soap/tests/soap_array_index_overflow.phpt
@@ -4,28 +4,14 @@ SOAP array index overflow is rejected
 soap
 --FILE--
 <?php
-$serverCode = <<<'PHP'
-function test($arg) {}
-$server = new SoapServer(null, ['uri' => 'http://example.org/']);
-$server->addFunction('test');
-$server->handle(file_get_contents('php://stdin'));
-PHP;
 
-$phpArgs = [
-    '-d',
-    'display_startup_errors=0',
-    '-d',
-    'extension_dir=' . ini_get('extension_dir'),
-    '-d',
-    'extension=' . (substr(PHP_OS, 0, 3) === 'WIN' ? 'php_' : '') . 'soap.' . PHP_SHLIB_SUFFIX,
-    '-r',
-    $serverCode,
-];
-if (php_ini_loaded_file()) {
-    array_splice($phpArgs, 0, 0, ['-c', php_ini_loaded_file()]);
+    public function __doRequest($request, $location, $action, $version, $one_way = false, ?string $uriParserClass = null): string {
+        return $this->response;
+    }
 }
 
-$arrayTypeRequest = <<<XML
+function soap_response(string $attributes, string $itemAttributes = ''): string {
+    return <<<XML
 <?xml version="1.0" encoding="UTF-8"?>
 <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
                    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
@@ -34,91 +20,48 @@ $arrayTypeRequest = <<<XML
                    xmlns:ns1="http://example.org/"
                    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
   <SOAP-ENV:Body>
-    <ns1:test>
-      <arg SOAP-ENC:arrayType="xsd:string[2147483648]" xsi:type="SOAP-ENC:Array">
-        <item xsi:type="xsd:string">value</item>
-      </arg>
-    </ns1:test>
+    <ns1:testResponse>
+      <return $attributes>
+        <item xsi:type="xsd:string" $itemAttributes>value</item>
+      </return>
+    </ns1:testResponse>
   </SOAP-ENV:Body>
 </SOAP-ENV:Envelope>
 XML;
+}
 
-echo "arrayType:\n";
-$process = proc_open([PHP_BINARY, ...$phpArgs], [
-    0 => ['pipe', 'r'],
-    1 => ['pipe', 'w'],
-], $pipes);
-fwrite($pipes[0], $arrayTypeRequest);
-fclose($pipes[0]);
-echo stream_get_contents($pipes[1]);
-fclose($pipes[1]);
-proc_close($process);
+function test_overflow(string $name, string $response): void {
+    $client = new TestSoapClient(NULL, [
+        'location' => 'test://',
+        'uri' => 'http://example.org/',
+        'exceptions' => true,
+    ]);
+    $client->response = $response;
 
-$offsetRequest = <<<XML
-<?xml version="1.0" encoding="UTF-8"?>
-<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
-                   xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
-                   xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-                   xmlns:ns1="http://example.org/"
-                   SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
-  <SOAP-ENV:Body>
-    <ns1:test>
-      <arg SOAP-ENC:arrayType="xsd:string[1]" SOAP-ENC:offset="[2147483648]" xsi:type="SOAP-ENC:Array">
-        <item xsi:type="xsd:string">value</item>
-      </arg>
-    </ns1:test>
-  </SOAP-ENV:Body>
-</SOAP-ENV:Envelope>
-XML;
+    try {
+        $client->test();
+        echo "$name: no fault\n";
+    } catch (SoapFault $e) {
+        echo "$name: $e->faultstring\n";
+    }
+}
 
-echo "offset:\n";
-$process = proc_open([PHP_BINARY, ...$phpArgs], [
-    0 => ['pipe', 'r'],
-    1 => ['pipe', 'w'],
-], $pipes);
-fwrite($pipes[0], $offsetRequest);
-fclose($pipes[0]);
-echo stream_get_contents($pipes[1]);
-fclose($pipes[1]);
-proc_close($process);
+test_overflow(
+    'arrayType',
+    soap_response('SOAP-ENC:arrayType="xsd:string[2147483648]" xsi:type="SOAP-ENC:Array"')
+);
 
-$positionRequest = <<<XML
-<?xml version="1.0" encoding="UTF-8"?>
-<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
-                   xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
-                   xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-                   xmlns:ns1="http://example.org/"
-                   SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
-  <SOAP-ENV:Body>
-    <ns1:test>
-      <arg SOAP-ENC:arrayType="xsd:string[1]" xsi:type="SOAP-ENC:Array">
-        <item xsi:type="xsd:string" SOAP-ENC:position="[2147483647]">value</item>
-      </arg>
-    </ns1:test>
-  </SOAP-ENV:Body>
-</SOAP-ENV:Envelope>
-XML;
+test_overflow(
+    'offset',
+    soap_response('SOAP-ENC:arrayType="xsd:string[1]" SOAP-ENC:offset="[2147483648]" xsi:type="SOAP-ENC:Array"')
+);
 
-echo "position:\n";
-$process = proc_open([PHP_BINARY, ...$phpArgs], [
-    0 => ['pipe', 'r'],
-    1 => ['pipe', 'w'],
-], $pipes);
-fwrite($pipes[0], $positionRequest);
-fclose($pipes[0]);
-echo stream_get_contents($pipes[1]);
-fclose($pipes[1]);
-proc_close($process);
+test_overflow(
+    'position',
+    soap_response('SOAP-ENC:arrayType="xsd:string[1]" xsi:type="SOAP-ENC:Array"', 'SOAP-ENC:position="[2147483647]"')
+);
 ?>
 --EXPECT--
-arrayType:
-<?xml version="1.0" encoding="UTF-8"?>
-<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>SOAP-ERROR: Encoding: array index out of range</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
-offset:
-<?xml version="1.0" encoding="UTF-8"?>
-<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>SOAP-ERROR: Encoding: array index out of range</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
-position:
-<?xml version="1.0" encoding="UTF-8"?>
-<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>SOAP-ERROR: Encoding: array index out of range</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
+arrayType: SOAP-ERROR: Encoding: array index out of range
+offset: SOAP-ERROR: Encoding: array index out of range
+position: SOAP-ERROR: Encoding: array index out of range
