php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #38198 PHP may crash when COM reports an exception (With fix)
Submitted: 2006-07-24 19:08 UTC Modified: 2006-10-10 17:38 UTC
From: cosborne at gmail dot com Assigned:
Status: Closed Package: COM related
PHP Version: 5.1.4 OS: Windows XP/2K3
Private report: No CVE-ID: None
 [2006-07-24 19:08 UTC] cosborne at gmail dot com
Description:
------------
I reported this bug a few weeks ago (#37975), but it's still not been assigned, despite having added a fix to the report.

IDispatch_Invoke (ext\com_dotnet\com_com.c:346) is passed an uninitialized EXCEPINFO structure. If an exception occurs, as part of the exception handling process (wbemdisp!SetException), the string parameters of the EXCEPINFO structure are checked, and if they are non-zero, SysFreeString is called on the parameter. Since the passed EXCEPINFO structure is uninitialized the pointers are invalid and an access violation results.

To fix this bug, the EXCEPINFO structure needs to be zeroed before IDispatch_Invoke is called.

Reproduce code:
---------------
Whilst this bug could presumably occur at any time due to the "random" nature of the data that may be contained in the uninitialized structure, the following code causes an exception on every execution:

$wmiLocator = new COM("WbemScripting.SWbemLocator");
$wmi = $wmiLocator->ConnectServer(".","root/MicrosoftDNS");
$a_rr = $wmi->Get("MicrosoftDNS_AType");
$a_rr->CreateInstanceFromTextRepresentation("","example.com","[*already
existent domain name*] IN A 127.0.0.1");

Expected result:
----------------
The final call should result in a "Generic Failure" com_exception.

Actual result:
--------------
PHP crashes with an access violation.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-10-10 17:38 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 05:01:29 2024 UTC