Fix phpGH-21421: SoapClient typemap property breaks engine assumptions

ndossche · ndossche · commit 8f9a8c00e79e · 2026-03-23T22:07:45.000+01:00
The conversion away from resources introduced the contents of the typemap property, which internally uses IS_PTR zvals. These should never be exposed because to userland they break engine assumptions. To solve this, we hide this in an internal field. We also disable cloning in the process which is broken in most cases because it doesn't clone internal data. Closes phpGH-21422.
diff --git a/NEWS b/NEWS
@@ -104,6 +104,8 @@ PHP                                                                        NEWS
 - Soap:
   . Soap::__setCookie() when cookie name is a digit is now not stored and
     represented as a string anymore but a int. (David Carlier)
+  . Fixed bug GH-21421 (SoapClient typemap property breaks engine assumptions).
+    (ndossche)
 
 - Sockets:
   . Added the TCP_USER_TIMEOUT constant for Linux to set the maximum time in
diff --git a/ext/soap/php_soap.h b/ext/soap/php_soap.h
@@ -226,35 +226,34 @@ static zend_always_inline zval *php_soap_deref(zval *zv) {
 #define Z_CLIENT_TRACE_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 4)
 #define Z_CLIENT_COMPRESSION_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 5)
 #define Z_CLIENT_SDL_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 6)
-#define Z_CLIENT_TYPEMAP_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 7)
-#define Z_CLIENT_HTTPSOCKET_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 8)
-#define Z_CLIENT_HTTPURL_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 9)
-#define Z_CLIENT_LOGIN_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 10)
-#define Z_CLIENT_PASSWORD_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 11)
-#define Z_CLIENT_USE_DIGEST_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 12)
-#define Z_CLIENT_DIGEST_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 13)
-#define Z_CLIENT_PROXY_HOST_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 14)
-#define Z_CLIENT_PROXY_PORT_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 15)
-#define Z_CLIENT_PROXY_LOGIN_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 16)
-#define Z_CLIENT_PROXY_PASSWORD_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 17)
-#define Z_CLIENT_EXCEPTIONS_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 18)
-#define Z_CLIENT_ENCODING_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 19)
-#define Z_CLIENT_CLASSMAP_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 20)
-#define Z_CLIENT_FEATURES_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 21)
-#define Z_CLIENT_CONNECTION_TIMEOUT_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 22)
-#define Z_CLIENT_STREAM_CONTEXT_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 23)
-#define Z_CLIENT_USER_AGENT_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 24)
-#define Z_CLIENT_KEEP_ALIVE_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 25)
-#define Z_CLIENT_SSL_METHOD_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 26)
-#define Z_CLIENT_SOAP_VERSION_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 27)
-#define Z_CLIENT_USE_PROXY_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 28)
-#define Z_CLIENT_COOKIES_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 29)
-#define Z_CLIENT_DEFAULT_HEADERS_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 30)
-#define Z_CLIENT_SOAP_FAULT_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 31)
-#define Z_CLIENT_LAST_REQUEST_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 32)
-#define Z_CLIENT_LAST_RESPONSE_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 33)
-#define Z_CLIENT_LAST_REQUEST_HEADERS_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 34)
-#define Z_CLIENT_LAST_RESPONSE_HEADERS_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 35)
+#define Z_CLIENT_HTTPSOCKET_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 7)
+#define Z_CLIENT_HTTPURL_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 8)
+#define Z_CLIENT_LOGIN_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 9)
+#define Z_CLIENT_PASSWORD_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 10)
+#define Z_CLIENT_USE_DIGEST_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 11)
+#define Z_CLIENT_DIGEST_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 12)
+#define Z_CLIENT_PROXY_HOST_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 13)
+#define Z_CLIENT_PROXY_PORT_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 14)
+#define Z_CLIENT_PROXY_LOGIN_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 15)
+#define Z_CLIENT_PROXY_PASSWORD_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 16)
+#define Z_CLIENT_EXCEPTIONS_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 17)
+#define Z_CLIENT_ENCODING_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 18)
+#define Z_CLIENT_CLASSMAP_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 19)
+#define Z_CLIENT_FEATURES_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 20)
+#define Z_CLIENT_CONNECTION_TIMEOUT_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 21)
+#define Z_CLIENT_STREAM_CONTEXT_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 22)
+#define Z_CLIENT_USER_AGENT_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 23)
+#define Z_CLIENT_KEEP_ALIVE_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 24)
+#define Z_CLIENT_SSL_METHOD_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 25)
+#define Z_CLIENT_SOAP_VERSION_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 26)
+#define Z_CLIENT_USE_PROXY_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 27)
+#define Z_CLIENT_COOKIES_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 28)
+#define Z_CLIENT_DEFAULT_HEADERS_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 29)
+#define Z_CLIENT_SOAP_FAULT_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 30)
+#define Z_CLIENT_LAST_REQUEST_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 31)
+#define Z_CLIENT_LAST_RESPONSE_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 32)
+#define Z_CLIENT_LAST_REQUEST_HEADERS_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 33)
+#define Z_CLIENT_LAST_RESPONSE_HEADERS_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 34)
 
 typedef struct soap_url_object {
 	php_uri *uri;
diff --git a/ext/soap/soap.c b/ext/soap/soap.c
@@ -190,6 +190,7 @@ zend_class_entry* soap_var_class_entry;
 zend_class_entry *soap_url_class_entry;
 zend_class_entry *soap_sdl_class_entry;
 
+static zend_object_handlers soap_client_object_handlers;
 static zend_object_handlers soap_server_object_handlers;
 static zend_object_handlers soap_url_object_handlers;
 static zend_object_handlers soap_sdl_object_handlers;
@@ -201,10 +202,36 @@ typedef struct {
 	zend_object std;
 } soap_server_object;
 
+typedef struct {
+	HashTable *typemap;
+	zend_object std;
+} soap_client_object;
+
+static inline soap_client_object *soap_client_object_fetch(zend_object *obj) {
+	return (soap_client_object *) ((char *) obj - XtOffsetOf(soap_client_object, std));
+}
+
 static inline soap_server_object *soap_server_object_fetch(zend_object *obj) {
 	return (soap_server_object *) ((char *) obj - XtOffsetOf(soap_server_object, std));
 }
 
+static zend_object *soap_client_object_create(zend_class_entry *ce)
+{
+	soap_client_object *obj = zend_object_alloc(sizeof(soap_client_object), ce);
+	zend_object_std_init(&obj->std, ce);
+	object_properties_init(&obj->std, ce);
+	return &obj->std;
+}
+
+static void soap_client_object_free(zend_object *obj) {
+	soap_client_object *client_obj = soap_client_object_fetch(obj);
+	if (client_obj->typemap) {
+		zend_hash_destroy(client_obj->typemap);
+		FREE_HASHTABLE(client_obj->typemap);
+	}
+	zend_object_std_dtor(obj);
+}
+
 static zend_object *soap_server_object_create(zend_class_entry *ce)
 {
 	soap_server_object *obj = zend_object_alloc(sizeof(soap_server_object), ce);
@@ -503,6 +530,13 @@ PHP_MINIT_FUNCTION(soap)
 
 	/* Register SoapClient class */
 	soap_class_entry = register_class_SoapClient();
+	soap_class_entry->create_object = soap_client_object_create;
+	soap_class_entry->default_object_handlers = &soap_client_object_handlers;
+
+	memcpy(&soap_client_object_handlers, &std_object_handlers, sizeof(zend_object_handlers));
+	soap_client_object_handlers.offset = XtOffsetOf(soap_client_object, std);
+	soap_client_object_handlers.free_obj = soap_client_object_free;
+	soap_client_object_handlers.clone_obj = NULL;
 
 	/* Register SoapVar class */
 	soap_var_class_entry = register_class_SoapVar();
@@ -1993,6 +2027,7 @@ PHP_FUNCTION(is_soap_fault)
 /* SoapClient functions */
 
 /* {{{ SoapClient constructor */
+/* FIXME: double construct call will break this class */
 PHP_METHOD(SoapClient, __construct)
 {
 
@@ -2216,10 +2251,7 @@ PHP_METHOD(SoapClient, __construct)
 	}
 
 	if (typemap_ht) {
-		HashTable *typemap = soap_create_typemap(sdl, typemap_ht);
-		if (typemap) {
-			ZVAL_ARR(Z_CLIENT_TYPEMAP_P(this_ptr), typemap);
-		}
+		soap_client_object_fetch(Z_OBJ_P(this_ptr))->typemap = soap_create_typemap(sdl, typemap_ht);
 	}
 	SOAP_CLIENT_END_CODE();
 }
@@ -2347,10 +2379,7 @@ static void do_soap_call(zend_execute_data *execute_data,
 		sdl = Z_SOAP_SDL_P(tmp)->sdl;
 	}
 
-	tmp = Z_CLIENT_TYPEMAP_P(this_ptr);
-	if (Z_TYPE_P(tmp) == IS_ARRAY) {
-		typemap = Z_ARR_P(tmp);
-	}
+	typemap = soap_client_object_fetch(Z_OBJ_P(this_ptr))->typemap;
 
 	clear_soap_fault(this_ptr);
 
diff --git a/ext/soap/soap.stub.php b/ext/soap/soap.stub.php
@@ -541,7 +541,6 @@ class SoapClient
         private bool $trace = false;
         private ?int $compression = null;
         private ?Soap\Sdl $sdl = null;
-        private ?array $typemap = null;
         /** @var resource|null */
         private $httpsocket = null;
         private ?Soap\Url $httpurl = null;
diff --git a/ext/soap/soap_arginfo.h b/ext/soap/soap_arginfo.h
diff --git a/ext/soap/tests/bugs/gh21421.phpt b/ext/soap/tests/bugs/gh21421.phpt
@@ -0,0 +1,90 @@
+--TEST--
+GH-21421 (SoapClient typemap property breaks engine assumptions)
+--EXTENSIONS--
+soap
+--FILE--
+<?php
+$options = array(
+'uri'      => 'http://schemas.nothing.com',
+'location' => 'test://',
+'typemap'  => array(array("type_ns"   => "http://schemas.nothing.com",
+"type_name" => "book",
+"from_xml"  => "book_from_xml"))
+);
+$client = new SoapClient(NULL, $options);
+var_dump($client);
+?>
+--EXPECTF--
+object(SoapClient)#%d (35) {
+  ["uri":"SoapClient":private]=>
+  string(26) "http://schemas.nothing.com"
+  ["style":"SoapClient":private]=>
+  NULL
+  ["use":"SoapClient":private]=>
+  NULL
+  ["location":"SoapClient":private]=>
+  string(7) "test://"
+  ["trace":"SoapClient":private]=>
+  bool(false)
+  ["compression":"SoapClient":private]=>
+  NULL
+  ["sdl":"SoapClient":private]=>
+  NULL
+  ["httpsocket":"SoapClient":private]=>
+  NULL
+  ["httpurl":"SoapClient":private]=>
+  NULL
+  ["_login":"SoapClient":private]=>
+  NULL
+  ["_password":"SoapClient":private]=>
+  NULL
+  ["_use_digest":"SoapClient":private]=>
+  bool(false)
+  ["_digest":"SoapClient":private]=>
+  NULL
+  ["_proxy_host":"SoapClient":private]=>
+  NULL
+  ["_proxy_port":"SoapClient":private]=>
+  NULL
+  ["_proxy_login":"SoapClient":private]=>
+  NULL
+  ["_proxy_password":"SoapClient":private]=>
+  NULL
+  ["_exceptions":"SoapClient":private]=>
+  bool(true)
+  ["_encoding":"SoapClient":private]=>
+  NULL
+  ["_classmap":"SoapClient":private]=>
+  NULL
+  ["_features":"SoapClient":private]=>
+  NULL
+  ["_connection_timeout":"SoapClient":private]=>
+  int(0)
+  ["_stream_context":"SoapClient":private]=>
+  resource(%d) of type (stream-context)
+  ["_user_agent":"SoapClient":private]=>
+  NULL
+  ["_keep_alive":"SoapClient":private]=>
+  bool(true)
+  ["_ssl_method":"SoapClient":private]=>
+  NULL
+  ["_soap_version":"SoapClient":private]=>
+  int(1)
+  ["_use_proxy":"SoapClient":private]=>
+  NULL
+  ["_cookies":"SoapClient":private]=>
+  array(0) {
+  }
+  ["__default_headers":"SoapClient":private]=>
+  NULL
+  ["__soap_fault":"SoapClient":private]=>
+  NULL
+  ["__last_request":"SoapClient":private]=>
+  NULL
+  ["__last_response":"SoapClient":private]=>
+  NULL
+  ["__last_request_headers":"SoapClient":private]=>
+  NULL
+  ["__last_response_headers":"SoapClient":private]=>
+  NULL
+}
