Reject Negative values

Author: LamentXU123

NEWS

@@ -177,7 +177,8 @@ PHP                                                                        NEWS
   . Fixed bug GH-21421 (SoapClient typemap property breaks engine assumptions).
     (ndossche)
   . Fixed bug GH-22167 (Out-of-range XML Schema integer values were silently
-    accepted during WSDL parsing). (Weilin Du)
+    accepted during WSDL parsing; negative occurrence values are now rejected).
+    (Weilin Du)
 
 - Sockets:
   . Added the TCP_USER_TIMEOUT constant for Linux to set the maximum time in

UPGRADING

@@ -341,6 +341,11 @@ PHP 8.6 UPGRADE NOTES
 - mysqli
   . Added new constant MYSQLI_OPT_COMPRESS.
 
+- Soap:
+  . WSDL/XML Schema parsing now rejects out-of-range integer values for
+    occurrence constraints and integer restriction facets. Negative minOccurs
+    and maxOccurs values are rejected as well.
+
 ========================================
 10. New Global Constants
 ========================================

ext/soap/php_schema.c

@@ -53,24 +53,29 @@ static bool node_is_equal_xsd(xmlNodePtr node, const char *name)
 	return node_is_equal_ex_one_of(node, name, ns);
 }
 
-static int schema_parse_int(const xmlChar *value, const char *name)
+static int schema_parse_int(const xmlChar *value, const char *name, bool allow_negative)
 {
 	const char *str = (const char *) value;
 	zend_long lval = 0;
 	int oflow_info = 0;
 	uint8_t type = is_numeric_string_ex(str, strlen(str), &lval, NULL, true, &oflow_info, NULL);
 
-	if (oflow_info > 0 || (type == IS_LONG && ZEND_LONG_INT_OVFL(lval))) {
+	if (oflow_info || (type == IS_LONG && ZEND_LONG_EXCEEDS_INT(lval))) {
 		soap_error1(E_ERROR, "Parsing Schema: %s value is out of range", name);
 	}
 
 	if (type == IS_LONG) {
+		if (!allow_negative && lval < 0) {
+			soap_error1(E_ERROR, "Parsing Schema: %s value is out of range", name);
+		}
 		return (int) lval;
 	}
 
 	errno = 0;
 	lval = ZEND_STRTOL(str, NULL, 10);
-	if ((errno == ERANGE && lval > 0) || ZEND_LONG_INT_OVFL(lval)) {
+	if ((errno == ERANGE && (lval > 0 || lval < 0))
+			|| ZEND_LONG_EXCEEDS_INT(lval)
+			|| (!allow_negative && lval < 0)) {
 		soap_error1(E_ERROR, "Parsing Schema: %s value is out of range", name);
 	}
 
@@ -878,7 +883,7 @@ static int schema_restriction_var_int(xmlNodePtr val, sdlRestrictionIntPtr *valp
 		soap_error0(E_ERROR, "Parsing Schema: missing restriction value");
 	}
 
-	(*valptr)->value = schema_parse_int(value->children->content, (const char *) val->name);
+	(*valptr)->value = schema_parse_int(value->children->content, (const char *) val->name, true);
 
 	return TRUE;
 }
@@ -1040,7 +1045,7 @@ void schema_min_max(xmlNodePtr node, sdlContentModelPtr model)
 	xmlAttrPtr attr = get_attribute(node->properties, "minOccurs");
 
 	if (attr) {
-		model->min_occurs = schema_parse_int(attr->children->content, "minOccurs");
+		model->min_occurs = schema_parse_int(attr->children->content, "minOccurs", false);
 	} else {
 		model->min_occurs = 1;
 	}
@@ -1050,7 +1055,7 @@ void schema_min_max(xmlNodePtr node, sdlContentModelPtr model)
 		if (!strncmp((char*)attr->children->content, "unbounded", sizeof("unbounded"))) {
 			model->max_occurs = -1;
 		} else {
-			model->max_occurs = schema_parse_int(attr->children->content, "maxOccurs");
+			model->max_occurs = schema_parse_int(attr->children->content, "maxOccurs", false);
 		}
 	} else {
 		model->max_occurs = 1;

ext/soap/tests/bugs/gh22167.phpt

@@ -61,6 +61,8 @@ XML;
 $cases = [
     "minOccurs" => occurrence_schema("minOccurs"),
     "maxOccurs" => occurrence_schema("maxOccurs"),
+    "negative minOccurs" => occurrence_schema("minOccurs", "-1"),
+    "negative maxOccurs" => occurrence_schema("maxOccurs", "-1"),
     "minExclusive" => restriction_schema("minExclusive"),
     "minInclusive" => restriction_schema("minInclusive"),
     "maxExclusive" => restriction_schema("maxExclusive"),
@@ -77,6 +79,7 @@ $numeric_string_cases = [
     "leading plus numeric-string" => "+2147483648",
     "leading zero numeric-string" => "00000000002147483648",
     "leading numeric-string with trailing data" => "2147483648abc",
+    "negative out-of-range numeric-string" => "-2147483649",
     "decimal numeric-string" => "2147483648.0",
     "exponent numeric-string" => "2147483648e0",
 ];
@@ -104,6 +107,8 @@ foreach ($cases as $name => $schema) {
 --EXPECT--
 minOccurs: SOAP-ERROR: Parsing Schema: minOccurs value is out of range
 maxOccurs: SOAP-ERROR: Parsing Schema: maxOccurs value is out of range
+negative minOccurs: SOAP-ERROR: Parsing Schema: minOccurs value is out of range
+negative maxOccurs: SOAP-ERROR: Parsing Schema: maxOccurs value is out of range
 minExclusive: SOAP-ERROR: Parsing Schema: minExclusive value is out of range
 minInclusive: SOAP-ERROR: Parsing Schema: minInclusive value is out of range
 maxExclusive: SOAP-ERROR: Parsing Schema: maxExclusive value is out of range
@@ -117,6 +122,7 @@ leading whitespace numeric-string: SOAP-ERROR: Parsing Schema: maxOccurs value i
 leading plus numeric-string: SOAP-ERROR: Parsing Schema: maxOccurs value is out of range
 leading zero numeric-string: SOAP-ERROR: Parsing Schema: maxOccurs value is out of range
 leading numeric-string with trailing data: SOAP-ERROR: Parsing Schema: maxOccurs value is out of range
+negative out-of-range numeric-string: SOAP-ERROR: Parsing Schema: maxOccurs value is out of range
 decimal numeric-string: SOAP-ERROR: Parsing Schema: maxOccurs value is out of range
 exponent numeric-string: SOAP-ERROR: Parsing Schema: maxOccurs value is out of range
 fractional numeric-string within int range: parsed