History log of /php-src/ext/soap/tests/gh12392.phpt (Results 1 – 1 of 1)
Revision Date Author Comments
# 7e4a3236 10-Oct-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-12392: Segmentation fault on SoapClient::__getTypes

There are two issues:
- UAF because the hashmap resized while being iterated over, yet the local
variables used internally in the macros are not updated.
- The hashmap being iterated over is modified: entries are deleted after
other entries have been added. This causes the deletion to fail sometimes
because indices of buckets have shifted.

Fix it by using a while loop iteration and HashPosition position tracker
instead.
Issue exists on PHP 8.1 too, but is much harder to trigger.
The test file reproduces the issue reliably on PHP 8.2 and up.

Closes GH-12409.
