Edit report at https://bugs.php.net/bug.php?id=62475&edit=1
ID: 62475
Comment by: user at kkdf2 dot sakura dot ne dot jp
Reported by: deadb17ch at gmail dot com
Summary: variant_* functions causes crash when null given as an argument
Status: Open
Type: Bug
Package: COM related
Operating System: Windows XP SP3
PHP Version: 5.4.4
Block user comment: N
Private report: N
New Comment:
z is NULL, and then Z_TYPE_P(z) gets an access violation, because
zend_parse_parameters eats "z!z!". It may be safe with "zz".
---
PHP_COM_DOTNET_API void php_com_variant_from_zval(VARIANT *v, zval *z, int codepage TSRMLS_DC)
{
    OLECHAR *olestring;
    php_com_dotnet_object *obj;

    switch (Z_TYPE_P(z)) {
        case IS_NULL:
            V_VT(v) = VT_NULL;
            break;
---
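The failure mode described in the comment above, as an added example that is not part of the original report or of PHP's source: a self-contained C model in which `model_zval`, `parse_arg` and `variant_type_from_zval` are hypothetical stand-ins for the 32-bit zval layout, the "z"/"z!" argument specifiers and the conversion routine. The explicit NULL guard is an assumption about one possible hardening, shown beside the "z" behaviour the comment suggests.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a 32-bit PHP 5 zval; NOT the real Zend headers. */
enum { IS_NULL = 0, IS_LONG = 1 };
enum { VT_EMPTY = 0, VT_NULL = 1, VT_I4 = 3 };

typedef struct {
    union { int32_t lval; double dval; } value; /* 8 bytes            */
    uint32_t refcount;                          /* offset 8           */
    uint8_t  type;                              /* offset 12 (0x0C)   */
    uint8_t  is_ref;
} model_zval;

/* Offset read by the faulting instruction: byte ptr [esi+0Ch], esi = 0. */
static size_t type_offset(void) { return offsetof(model_zval, type); }

/* Models one argument slot of the parameter parser (hypothetical helper):
 *   bang == 0 ("z")  -> always hands back the zval, even for PHP null
 *   bang != 0 ("z!") -> hands back a native NULL pointer for PHP null */
static model_zval *parse_arg(model_zval *arg, int bang)
{
    if (bang && arg->type == IS_NULL)
        return NULL;
    return arg;
}

/* Guarded conversion: a native NULL pointer is treated as PHP null
 * instead of being dereferenced to read the type byte. */
static int variant_type_from_zval(const model_zval *z)
{
    if (z == NULL)
        return VT_NULL;
    switch (z->type) {
    case IS_NULL: return VT_NULL;
    case IS_LONG: return VT_I4;
    default:      return VT_EMPTY;
    }
}

int main(void)
{
    model_zval php_null = {{0}, 1, IS_NULL, 0};   /* constructed sample */
    printf("type byte at offset 0x%zX\n", type_offset());
    printf("\"z!\" gives %p for PHP null\n", (void *)parse_arg(&php_null, 1));
    printf("guarded VT = %d\n", variant_type_from_zval(parse_arg(&php_null, 1)));
    return 0;
}
```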
Previous Comments:
------------------------------------------------------------------------
[2012-07-03 20:56:12] deadb17ch at gmail dot com
Description:
------------
As we can read in the PHP manual:
"As with all the variant arithmetic functions, the parameters for this function
can be either a PHP native type (integer, string, floating point, boolean or
NULL), or an instance of a COM, VARIANT or DOTNET class. ...."
but actually the PHP instance crashes when we give NULL as the first or second
argument to some of the functions from the variant_* family.
Those functions are:
variant_neg
variant_pow
variant_cat
variant_div
variant_fix
variant_idiv
variant_imp
variant_int
variant_mod
variant_mul
variant_neg
variant_not
variant_round
variant_set
variant_sub
variant_xor
variant_or
variant_eqv
variant_cmp
variant_abs
variant_and
Test script:
---------------
<?php variant_pow(null, 1); ?>
<?php variant_neg(null); ?>
Expected result:
----------------
nothing happens or an error occurs
Actual result:
--------------
crash
eax=00000000 ebx=01250080 ecx=00c0fac8 edx=1039bac6 esi=00000000 edi=00c0fac8
eip=100f4036 esp=00c0fa90 ebp=02296f08 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\\xampp\\php\\php5ts.dll -
php5ts!php_com_variant_from_zval+0x6:
100f4036 0fb6460c movzx eax,byte ptr [esi+0Ch] ds:0023:0000000c=??
------------------------------------------------------------------------