php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #62475 variant_* functions causes crash when null given as an argument
Submitted: 2012-07-03 20:56 UTC Modified: -
From: deadb17ch at gmail dot com Assigned:
Status: Closed Package: COM related
PHP Version: 5.4.4 OS: Windows XP SP3
Private report: No CVE-ID: None
 [2012-07-03 20:56 UTC] deadb17ch at gmail dot com
Description:
------------
As we can read in the php manual : 

"As with all the variant arithmetic functions, the parameters for this function 
can be either a PHP native type (integer, string, floating point, boolean or 
NULL), or an instance of a COM, VARIANT or DOTNET class. ...."

but actuall php instance crashes when we give NULL as first or second argument 
to some of the functions from variant_* familly.

Thoes functions are: 

variant_neg
variant_pow
variant_cat
variant_div
variant_fix
variant_idiv
variant_imp
variant_int
variant_mod
variant_mul
variant_neg
variant_not
variant_rount
variant_set
variant_sub
variant_xor
variant_or 
variant_eqv 
variant_cmp 
variant_abs 
variant_and

Test script:
---------------
<?php variant_pow(null, 1); ?>

<?php variant_neg(null); ?>


Expected result:
----------------
nothing happens or an error occurs

Actual result:
--------------
crash

eax=00000000 ebx=01250080 ecx=00c0fac8 edx=1039bac6 esi=00000000 edi=00c0fac8
eip=100f4036 esp=00c0fa90 ebp=02296f08 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for 
C:\\xampp\\php\\php5ts.dll - 
php5ts!php_com_variant_from_zval+0x6:
100f4036 0fb6460c        movzx   eax,byte ptr [esi+0Ch]     ds:0023:0000000c=??

Patches

patch-for-NULL-access (last revision 2013-02-20 11:45 UTC by user at kkdf2 dot sakura dot ne dot jp)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-02-20 11:42 UTC] user at kkdf2 dot sakura dot ne dot jp
z is NULL, and then Z_TYPE_P(z) gets access violation, because zend_parse_parameters eats "z!z!". It may be safe with "zz".

---
PHP_COM_DOTNET_API void php_com_variant_from_zval(VARIANT *v, zval *z, int codepage TSRMLS_DC)
{
	OLECHAR *olestring;
	php_com_dotnet_object *obj;
	
	switch (Z_TYPE_P(z)) {
		case IS_NULL:
			V_VT(v) = VT_NULL;
			break;
---
 [2013-06-26 00:42 UTC] felipe@php.net
Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=42896968282a607a26e4aa152d3c8dc90dad5826
Log: - Fixed bug #62475 (variant_* functions causes crash when null given as an argument)
 [2013-06-26 00:42 UTC] felipe@php.net
-Status: Open +Status: Closed
 [2014-10-07 23:18 UTC] stas@php.net
Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=42896968282a607a26e4aa152d3c8dc90dad5826
Log: - Fixed bug #62475 (variant_* functions causes crash when null given as an argument)
 [2014-10-07 23:29 UTC] stas@php.net
Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=42896968282a607a26e4aa152d3c8dc90dad5826
Log: - Fixed bug #62475 (variant_* functions causes crash when null given as an argument)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 05:01:29 2024 UTC