ext/soap: Fix SOAP array index integer overflow

Author: LamentXU123

NEWS

@@ -147,6 +147,7 @@ PHP                                                                        NEWS
 - Soap:
   . Soap::__setCookie() when cookie name is a digit is now not stored and
     represented as a string anymore but a int. (David Carlier)
+  . Fixed integer overflow when decoding SOAP array indexes. (Weilin Du)
   . Fixed bug GH-21421 (SoapClient typemap property breaks engine assumptions).
     (ndossche)
 

ext/soap/php_encoding.c

@@ -14,6 +14,7 @@
   +----------------------------------------------------------------------+
 */
 
+#include <limits.h>
 #include <time.h>
 
 #include "php_soap.h"
@@ -2048,6 +2049,15 @@ static int calc_dimension_12(const char* str)
 	return i;
 }
 
+static void soap_array_position_add_digit(int *position, int digit)
+{
+	if (*position > (INT_MAX - digit) / 10) {
+		soap_error0(E_ERROR, "Encoding: array index out of range");
+	}
+
+	*position = (*position * 10) + digit;
+}
+
 static int* get_position_12(int dimension, const char* str)
 {
 	int *pos;
@@ -2068,7 +2078,7 @@ static int* get_position_12(int dimension, const char* str)
 				i++;
 				flag = 1;
 			}
-			pos[i] = (pos[i]*10)+(*str-'0');
+			soap_array_position_add_digit(&pos[i], *str - '0');
 		} else if (*str == '*') {
 			soap_error0(E_ERROR, "Encoding: '*' may only be first arraySize value in list");
 		} else {
@@ -2098,7 +2108,7 @@ static void get_position_ex(int dimension, const char* str, int** pos)
 	memset(*pos,0,sizeof(int)*dimension);
 	while (*str != ']' && *str != '\0' && i < dimension) {
 		if (*str >= '0' && *str <= '9') {
-			(*pos)[i] = ((*pos)[i]*10)+(*str-'0');
+			soap_array_position_add_digit(&(*pos)[i], *str - '0');
 		} else if (*str == ',') {
 			i++;
 		}
@@ -2686,12 +2696,14 @@ static zval *to_zval_array(zval *ret, encodeTypePtr type, xmlNodePtr data)
 			i = dimension;
 			while (i > 0) {
 			  i--;
+				if (pos[i] == INT_MAX) {
+					soap_error0(E_ERROR, "Encoding: array index out of range");
+				}
 			  pos[i]++;
 				if (pos[i] >= dims[i]) {
 					if (i > 0) {
 						pos[i] = 0;
 					} else {
-						/* TODO: Array index overflow */
 					}
 				} else {
 				  break;

ext/soap/tests/soap_array_index_overflow.phpt

@@ -0,0 +1,69 @@
+--TEST--
+SOAP array index overflow is rejected
+--EXTENSIONS--
+soap
+--FILE--
+<?php
+class TestSoapClient extends SoapClient {
+    public string $response;
+
+    public function __doRequest($request, $location, $action, $version, $one_way = false, ?string $uriParserClass = null): string {
+        return $this->response;
+    }
+}
+
+function soap_response(string $attributes, string $itemAttributes = ''): string {
+    return <<<XML
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
+                   xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
+                   xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                   xmlns:ns1="http://example.org/"
+                   SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
+  <SOAP-ENV:Body>
+    <ns1:testResponse>
+      <return $attributes>
+        <item xsi:type="xsd:string" $itemAttributes>value</item>
+      </return>
+    </ns1:testResponse>
+  </SOAP-ENV:Body>
+</SOAP-ENV:Envelope>
+XML;
+}
+
+function test_overflow(string $name, string $response): void {
+    $client = new TestSoapClient(NULL, [
+        'location' => 'test://',
+        'uri' => 'http://example.org/',
+        'exceptions' => true,
+    ]);
+    $client->response = $response;
+
+    try {
+        $client->test();
+        echo "$name: no fault\n";
+    } catch (SoapFault $e) {
+        echo "$name: $e->faultstring\n";
+    }
+}
+
+test_overflow(
+    'arrayType',
+    soap_response('SOAP-ENC:arrayType="xsd:string[2147483648]" xsi:type="SOAP-ENC:Array"')
+);
+
+test_overflow(
+    'offset',
+    soap_response('SOAP-ENC:arrayType="xsd:string[1]" SOAP-ENC:offset="[2147483648]" xsi:type="SOAP-ENC:Array"')
+);
+
+test_overflow(
+    'position',
+    soap_response('SOAP-ENC:arrayType="xsd:string[1]" xsi:type="SOAP-ENC:Array"', 'SOAP-ENC:position="[2147483647]"')
+);
+?>
+--EXPECT--
+arrayType: SOAP-ERROR: Encoding: array index out of range
+offset: SOAP-ERROR: Encoding: array index out of range
+position: SOAP-ERROR: Encoding: array index out of range