Fix GH-22167: reject out-of-range SOAP schema integers

LamentXU123 · LamentXU123 · commit 5acf743f3136 · 2026-05-29T17:19:42.000+08:00
diff --git a/NEWS b/NEWS
@@ -15,6 +15,10 @@ PHP                                                                        NEWS
     IntlCalendar::equals(), ::before(), ::after(), and ::isEquivalentTo().
     (Weilin Du)
 
+- SOAP:
+  . Fixed bug GH-22167 (Out-of-range XML Schema integer values were silently
+    accepted during WSDL parsing). (Weilin Du)
+
 - Zlib:
   . Fixed memory leak if deflate initialization fails and there is a dict.
     (ndossche)
diff --git a/ext/soap/php_schema.c b/ext/soap/php_schema.c
@@ -43,6 +43,30 @@ static int schema_restriction_var_char(xmlNodePtr val, sdlRestrictionCharPtr *va
 
 static void schema_type_fixup(sdlCtx *ctx, sdlTypePtr type);
 
+static int schema_parse_int(const xmlChar *value, const char *name)
+{
+	const char *str = (const char *) value;
+	zend_long lval = 0;
+	int oflow_info = 0;
+	uint8_t type = is_numeric_string_ex(str, strlen(str), &lval, NULL, true, &oflow_info, NULL);
+
+	if (oflow_info > 0 || (type == IS_LONG && ZEND_LONG_INT_OVFL(lval))) {
+		soap_error1(E_ERROR, "Parsing Schema: %s value is out of range", name);
+	}
+
+	if (type == IS_LONG) {
+		return (int) lval;
+	}
+
+	errno = 0;
+	lval = ZEND_STRTOL(str, NULL, 10);
+	if ((errno == ERANGE && lval > 0) || ZEND_LONG_INT_OVFL(lval)) {
+		soap_error1(E_ERROR, "Parsing Schema: %s value is out of range", name);
+	}
+
+	return (int) lval;
+}
+
 static encodePtr create_encoder(sdlPtr sdl, sdlTypePtr cur_type, const xmlChar *ns, const xmlChar *type)
 {
 	smart_str nscat = {0};
@@ -844,7 +868,7 @@ static int schema_restriction_var_int(xmlNodePtr val, sdlRestrictionIntPtr *valp
 		soap_error0(E_ERROR, "Parsing Schema: missing restriction value");
 	}
 
-	(*valptr)->value = atoi((char*)value->children->content);
+	(*valptr)->value = schema_parse_int(value->children->content, (const char *) val->name);
 
 	return TRUE;
 }
@@ -1006,7 +1030,7 @@ void schema_min_max(xmlNodePtr node, sdlContentModelPtr model)
 	xmlAttrPtr attr = get_attribute(node->properties, "minOccurs");
 
 	if (attr) {
-		model->min_occurs = atoi((char*)attr->children->content);
+		model->min_occurs = schema_parse_int(attr->children->content, "minOccurs");
 	} else {
 		model->min_occurs = 1;
 	}
@@ -1016,7 +1040,7 @@ void schema_min_max(xmlNodePtr node, sdlContentModelPtr model)
 		if (!strncmp((char*)attr->children->content, "unbounded", sizeof("unbounded"))) {
 			model->max_occurs = -1;
 		} else {
-			model->max_occurs = atoi((char*)attr->children->content);
+			model->max_occurs = schema_parse_int(attr->children->content, "maxOccurs");
 		}
 	} else {
 		model->max_occurs = 1;
diff --git a/ext/soap/tests/bugs/gh22167.phpt b/ext/soap/tests/bugs/gh22167.phpt
@@ -0,0 +1,119 @@
+--TEST--
+GH-22167 (Out-of-range XML Schema integer values in SOAP WSDL)
+--EXTENSIONS--
+soap
+--INI--
+soap.wsdl_cache_enabled=0
+--FILE--
+<?php
+function wsdl_with_schema(string $schema): string {
+    return <<<XML
+<?xml version="1.0"?>
+<definitions
+    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+    xmlns:tns="http://test-uri/"
+    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
+    xmlns="http://schemas.xmlsoap.org/wsdl/"
+    targetNamespace="http://test-uri/">
+  <types>
+    <xsd:schema targetNamespace="http://test-uri/">
+      $schema
+    </xsd:schema>
+  </types>
+  <message name="m"><part name="p" type="tns:T"/></message>
+  <portType name="p"><operation name="op"><input message="tns:m"/></operation></portType>
+  <binding name="b" type="tns:p">
+    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
+    <operation name="op">
+      <soap:operation soapAction="#op"/>
+      <input>
+        <soap:body use="encoded"
+                   namespace="http://test-uri/"
+                   encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
+      </input>
+    </operation>
+  </binding>
+  <service name="s"><port name="p" binding="tns:b"><soap:address location="test://"/></port></service>
+</definitions>
+XML;
+}
+
+function occurrence_schema(string $attribute, string $value = "2147483648"): string {
+    return <<<XML
+<xsd:complexType name="T">
+  <xsd:sequence>
+    <xsd:element name="x" type="xsd:string" $attribute="$value"/>
+  </xsd:sequence>
+</xsd:complexType>
+XML;
+}
+
+function restriction_schema(string $facet, string $value = "2147483648"): string {
+    return <<<XML
+<xsd:simpleType name="T">
+  <xsd:restriction base="xsd:int">
+    <xsd:$facet value="$value"/>
+  </xsd:restriction>
+</xsd:simpleType>
+XML;
+}
+
+$cases = [
+    "minOccurs" => occurrence_schema("minOccurs"),
+    "maxOccurs" => occurrence_schema("maxOccurs"),
+    "minExclusive" => restriction_schema("minExclusive"),
+    "minInclusive" => restriction_schema("minInclusive"),
+    "maxExclusive" => restriction_schema("maxExclusive"),
+    "maxInclusive" => restriction_schema("maxInclusive"),
+    "totalDigits" => restriction_schema("totalDigits"),
+    "fractionDigits" => restriction_schema("fractionDigits"),
+    "length" => restriction_schema("length"),
+    "minLength" => restriction_schema("minLength"),
+    "maxLength" => restriction_schema("maxLength"),
+];
+
+$numeric_string_cases = [
+    "leading whitespace numeric-string" => " 2147483648",
+    "leading plus numeric-string" => "+2147483648",
+    "leading zero numeric-string" => "00000000002147483648",
+    "leading numeric-string with trailing data" => "2147483648abc",
+    "decimal numeric-string" => "2147483648.0",
+    "exponent numeric-string" => "2147483648e0",
+];
+
+foreach ($numeric_string_cases as $name => $value) {
+    $cases[$name] = occurrence_schema("maxOccurs", $value);
+}
+
+foreach ($cases as $name => $schema) {
+    $file = tempnam(sys_get_temp_dir(), "wsdl");
+    file_put_contents($file, wsdl_with_schema($schema));
+
+    try {
+        new SoapClient($file, ["cache_wsdl" => WSDL_CACHE_NONE]);
+        echo "$name: parsed\n";
+    } catch (SoapFault $e) {
+        echo "$name: {$e->getMessage()}\n";
+    } finally {
+        unlink($file);
+    }
+}
+?>
+--EXPECT--
+minOccurs: SOAP-ERROR: Parsing Schema: minOccurs value is out of range
+maxOccurs: SOAP-ERROR: Parsing Schema: maxOccurs value is out of range
+minExclusive: SOAP-ERROR: Parsing Schema: minExclusive value is out of range
+minInclusive: SOAP-ERROR: Parsing Schema: minInclusive value is out of range
+maxExclusive: SOAP-ERROR: Parsing Schema: maxExclusive value is out of range
+maxInclusive: SOAP-ERROR: Parsing Schema: maxInclusive value is out of range
+totalDigits: SOAP-ERROR: Parsing Schema: totalDigits value is out of range
+fractionDigits: SOAP-ERROR: Parsing Schema: fractionDigits value is out of range
+length: SOAP-ERROR: Parsing Schema: length value is out of range
+minLength: SOAP-ERROR: Parsing Schema: minLength value is out of range
+maxLength: SOAP-ERROR: Parsing Schema: maxLength value is out of range
+leading whitespace numeric-string: SOAP-ERROR: Parsing Schema: maxOccurs value is out of range
+leading plus numeric-string: SOAP-ERROR: Parsing Schema: maxOccurs value is out of range
+leading zero numeric-string: SOAP-ERROR: Parsing Schema: maxOccurs value is out of range
+leading numeric-string with trailing data: SOAP-ERROR: Parsing Schema: maxOccurs value is out of range
+decimal numeric-string: SOAP-ERROR: Parsing Schema: maxOccurs value is out of range
+exponent numeric-string: SOAP-ERROR: Parsing Schema: maxOccurs value is out of range
