Description
The following code:
<?php
// Fuzzer-generated reproducer (FlowFusion) for a heap-use-after-free in ext/soap.
// The script is kept exactly as reported: the odd statement order and the
// undefined variables below are part of what drives the encoder into the
// faulting state, so reformat it but do not "fix" it when re-running the crash.
//
// What the attached ASan report shows: the faulting read is in
// soap_check_zval_ref (ext/soap/php_encoding.c:299), reached from to_xml_object
// while serialising the PostEvents() argument; the 120-byte region it touches
// was allocated by libxml2's xmlNewNode and freed earlier from to_xml_object
// (php_encoding.c:1977) during the same serialisation.

// WSDL describing PostEvents(); presumably the fixture of the same name in
// php-src's ext/soap test suite — the client never sends anything because the
// crash happens while encoding the request.
$wsdl = __DIR__."/bug35142.wsdl";

// Empty subclass only so that the client is a user-defined class.
class TestSoapClient extends SoapClient {}

// 'exceptions' => 0 makes SOAP faults be returned instead of thrown;
// 'classmap' ties the WSDL types logOnEvent/events to the local classes
// declared further down (classes are hoisted, so the forward use is legal).
$soapClient = new TestSoapClient($wsdl, array(
    'trace' => 1,
    'exceptions' => 0,
    'classmap' => array('logOnEvent' => 'LogOnEvent', 'events' => 'IVREvents'),
    'features' => SOAP_SINGLE_ELEMENT_ARRAYS,
));

// NOTE: $timestamp is read here before it is ever assigned (null), and
// LogOnEvent declares no constructor, so both arguments are simply dropped.
// From here on $timestamp holds a LogOnEvent instance, not a date string.
$timestamp = new LogOnEvent(34567, $timestamp);

// Both LogOffEvent objects store a reference to the SAME LogOnEvent instance
// in their ->timestamp property, so that object is reachable twice in the
// graph the encoder walks. NOTE(review): that shared reference is the most
// likely reason soap_check_zval_ref is involved in the trace — confirm against
// php_encoding.c before relying on it.
$logOffEvents[] = new LogOffEvent(34567, $timestamp, "Smoked");
$logOffEvents[] = new LogOffEvent(34568, $timestamp, "SmokeFree");

// NOTE: $logOnEvent is never assigned (null); IVREvents ignores that
// parameter anyway and only keeps the LogOffEvent array.
$ivrEvents = new IVREvents("1.0", 101, 12345, 'IVR', $logOnEvent, $logOffEvents);

// Triggers serialize_function_call -> master_to_xml -> to_xml_object
// recursion over $ivrEvents; this is the call that crashes under ASan.
$result = $soapClient->PostEvents($ivrEvents);

// Minimal data classes. Properties are created dynamically (no declarations),
// which is deprecated as of PHP 8.2 but still works; only ->timestamp and
// ->logOffEvent are ever set, the other constructor arguments are discarded.
class LogOffEvent {
    function __construct($audienceMemberId, $timestamp, $smokeStatus) {
        // Holds the shared LogOnEvent object from the caller.
        $this->timestamp = $timestamp;
    }
}

// No constructor: any arguments passed to new LogOnEvent(...) are ignored.
class LogOnEvent {}

class IVREvents {
    function __construct($version, $activityId, $messageId, $source, $timestamp=NULL, $logOffEvent=NULL) {
        // Only the LogOffEvent list is retained on the object.
        $this->logOffEvent = $logOffEvent;
    }
}
Resulted in this output:
===================================================================3374891==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000077f18 at pc 0x000002ac1b98 bp 0x7fff2031d110 sp 0x7fff2031d108READ of size 8 at 0x60c000077f18 thread T0 #0 0x2ac1b97 in soap_check_zval_ref /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:299:32 #1 0x2a7270b in to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1914:7 #2 0x2a9deb2 in sdl_guess_convert_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:3346:12 #3 0x2a973e1 in master_to_xml_int /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:505:11 #4 0x2a90b10 in master_to_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:516:9 #5 0x2a7209d in to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1894:16 #6 0x2a9deb2 in sdl_guess_convert_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:3346:12 #7 0x2a973e1 in master_to_xml_int /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:505:11 #8 0x2a90b10 in master_to_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:516:9 #9 0x2a73f65 in to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1958:16 #10 0x2a9deb2 in sdl_guess_convert_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:3346:12 #11 0x2a973e1 in master_to_xml_int /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:505:11 #12 0x2a90b10 in master_to_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:516:9 #13 0x2a7209d in to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1894:16 #14 0x2a9deb2 in sdl_guess_convert_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:3346:12 #15 0x2a973e1 in master_to_xml_int /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:505:11 #16 0x2a90b10 in 
master_to_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:516:9 #17 0x2ac677e in model_to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1678:19 #18 0x2acafe8 in model_to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1772:10 #19 0x2acafe8 in model_to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1772:10 #20 0x2a736b2 in to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1946:5 #21 0x2a9deb2 in sdl_guess_convert_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:3346:12 #22 0x2a973e1 in master_to_xml_int /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:505:11 #23 0x2a90b10 in master_to_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:516:9 #24 0x2c9bd88 in serialize_zval /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:4176:13 #25 0x2c99dc0 in serialize_parameter /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:4147:13 #26 0x2c91bec in serialize_function_call /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:4010:12 #27 0x2c89503 in do_soap_call /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:2387:16 #28 0x2c61db0 in soap_client_call_common /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:2562:2 #29 0x2c6081a in zim_SoapClient___call /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:2582:2 #30 0x4f976ce in ZEND_CALL_TRAMPOLINE_SPEC_HANDLER /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:3618:4 #31 0x4a3d293 in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:58666:12 #32 0x4a3f81c in zend_execute /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:64355:2 #33 0x57b1f89 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1943:3 #34 0x3faef6a in php_execute_script_ex 
/home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2594:13 #35 0x3fb00a8 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2634:9 #36 0x57c6e9a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:952:5 #37 0x57c127f in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1363:18 #38 0x713c49a54d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #39 0x713c49a54e3f in __libc_start_main csu/../csu/libc-start.c:392:3 #40 0x606164 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x606164)0x60c000077f18 is located 88 bytes inside of 120-byte region [0x60c000077ec0,0x60c000077f38)freed by thread T0 here: #0 0x680dc2 in free (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x680dc2) #1 0x2a74fea in to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1977:8 #2 0x2a9deb2 in sdl_guess_convert_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:3346:12 #3 0x2a973e1 in master_to_xml_int /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:505:11 #4 0x2a90b10 in master_to_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:516:9 #5 0x2a7209d in to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1894:16 #6 0x2a9deb2 in sdl_guess_convert_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:3346:12 #7 0x2a973e1 in master_to_xml_int /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:505:11 #8 0x2a90b10 in master_to_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:516:9 #9 0x2ac677e in model_to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1678:19 #10 0x2acafe8 in model_to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1772:10 #11 0x2acafe8 in model_to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1772:10 #12 
0x2a736b2 in to_xml_object /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:1946:5 #13 0x2a9deb2 in sdl_guess_convert_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:3346:12 #14 0x2a973e1 in master_to_xml_int /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:505:11 #15 0x2a90b10 in master_to_xml /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:516:9 #16 0x2c9bd88 in serialize_zval /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:4176:13 #17 0x2c99dc0 in serialize_parameter /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:4147:13 #18 0x2c91bec in serialize_function_call /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:4010:12 #19 0x2c89503 in do_soap_call /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:2387:16 #20 0x2c61db0 in soap_client_call_common /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:2562:2 #21 0x2c6081a in zim_SoapClient___call /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/soap.c:2582:2 #22 0x4f976ce in ZEND_CALL_TRAMPOLINE_SPEC_HANDLER /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:3618:4 #23 0x4a3d293 in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:58666:12 #24 0x4a3f81c in zend_execute /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:64355:2 #25 0x57b1f89 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1943:3 #26 0x3faef6a in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2594:13 #27 0x3fb00a8 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2634:9 #28 0x57c6e9a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:952:5 #29 0x57c127f in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1363:18previously allocated by thread T0 here: #0 0x68102d in malloc (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x68102d) #1 
0x713c4a4b05f4 in xmlNewNode (/lib/x86_64-linux-gnu/libxml2.so.2+0x625f4)SUMMARY: AddressSanitizer: heap-use-after-free /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/soap/php_encoding.c:299:32 in soap_check_zval_refShadow bytes around the buggy address: 0x0c1880006f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa 0x0c1880006fa0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c1880006fb0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa 0x0c1880006fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa 0x0c1880006fd0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd=>0x0c1880006fe0: fd fd fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa 0x0c1880006ff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa 0x0c1880007000: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c1880007010: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa 0x0c1880007020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa 0x0c1880007030: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fdShadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc==3374891==ABORTING
To reproduce:
./php-src/sapi/cli/php ./test.php
Commit:
dfff6ac852a23c6e33c06c7716d095ad4a7166d8
Configurations:
CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv
Operating System:
Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest
This report is automatically generated by FlowFusion
PHP Version
dfff6ac852a23c6e33c06c7716d095ad4a7166d8
Operating System
No response