Bug #31635 Unsafe coding practice
Submitted: 2005-01-21 15:15 UTC Modified: 2005-03-07 14:02 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: ivar at stvk dot no Assigned:
Status: Not a bug Package: Scripting Engine problem
PHP Version: 5CVS-2005-03-01 OS: Irrelevant (WinXP)
Private report: No CVE-ID: None
 [2005-01-21 15:15 UTC] ivar at stvk dot no
Description:
------------
zend_make_printable_zval:

Before returning with *use_copy=1, this function assumes that the preceding code has successfully converted the value to a string, and therefore sets expr_copy->type = IS_STRING.

If the original value IS_OBJECT, this function relies on any 3rd party cast handler to successfully return a string.
Some libraries have been observed to break this rule, and return a value only initialized by ZVAL_NULL. This makes the system try to print a string from a garbage pointer.


 [2005-01-25 08:53 UTC] ivar at stvk dot no
To reproduce the bug, use this script. Let 'TestDatabase' be any kind of database, and let the table field 'Table'.'NullField' be any database field that contains a NULL value.

<?php
// Reproduce script from the report: needs Windows, the COM extension and an
// ADO-accessible SQL Server where Table.NullField holds a NULL value.
try {
    $DB = new COM("ADODB.Connection") or die("Cannot start ADO");
    $DB->Open("DRIVER={SQL Server};SERVER=SERVER\WEB;DATABASE=TestDatabase");

    $RS = new COM("ADODB.Recordset");
    // The field read below must be part of the result set.
    $RS->Open("SELECT NullField FROM Table", $DB);

    // Printing the NULL field goes through the COM cast handler and then
    // zend_make_printable_zval, which is where the garbage read occurs.
    echo $RS["NullField"];

} catch (Exception $e) {
    echo $e->getTraceAsString() . "<br>";
    echo $e->getMessage();
}
?>
 [2005-01-29 20:41 UTC] tony2001@php.net
Could you please provide an example that doesn't require any external resources (especially those that exist only under a particular OS) ?
Also please post what you expect and what you got when you execute the reproduce code. 
 [2005-01-31 08:49 UTC] ivar at stvk dot no
The only way I am able to reproduce this behavior is using COM, but the nature of the bug is not directly linked to the COM libraries themselves.
Because of this, I am unable to make a test case that is platform independent and that does not require external resources.

I will try just once more:
Create a Visual Basic ActiveX DLL project. Name the project 'NullClass', and name the class 'Null'. Add this single function to the class code:

Public Property Get Value()
    Value = Null
End Property

Place the cursor inside the function, Click the menu "Tools", "Procedure Properties", "Advanced", and select "User Interface Default". Click "File", "Make NullClass.dll".

Then run this PHP script:

<?php
$Obj = new COM('NullClass.Null');
echo $Obj;
?>

EXPECTED: The script does not output anything, because the object contains a NULL value.

ACTUAL: The script either outputs garbage or causes an Access Violation message.
 [2005-02-28 20:59 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip


 [2005-03-01 09:55 UTC] ivar at stvk dot no
There seems to be no change in the latest (5.1.x) snapshot, compiled 1 March 2005 7:55 GMT.
 [2005-03-01 10:12 UTC] tony2001@php.net
Please provide a patch or at least reproduce code that doesn't require Windoze. 
 [2005-03-01 11:18 UTC] ivar at stvk dot no
ZEND_API void zend_make_printable_zval(zval *expr, zval *expr_copy, int *use_copy)
{
    ...
    ...
    case IS_OBJECT:
    {
        ...
        ...
        if (Z_OBJ_HANDLER_P(expr, cast_object)) {
            if ((Z_OBJ_HANDLER_P(expr, cast_object)(expr, expr_copy, IS_STRING, 0 TSRMLS_CC) == SUCCESS) &&
                (expr_copy->type == IS_STRING)) {
                break;
            }
        }
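A reduced C model of the failure described in the report and of the extra type check in the snippet above. This is an added example, not PHP's source: my_zval, cast_fn, make_printable and copy_is_safe are constructed stand-ins for the Zend structures, and the "uninitialised" marker stands in for whatever memory the copy held before the call.

```c
/* Constructed model of the zval handling this report describes; my_zval,
 * cast_fn, make_printable and copy_is_safe are assumptions, not Zend names. */
#include <stddef.h>
#include <string.h>

enum { T_NULL = 1, T_OBJECT = 5, T_STRING = 6 };
enum { SUCCESS = 0, FAILURE = -1 };
typedef struct {
    int type;
    const char *str;   /* meaningful only when type == T_STRING */
    size_t len;
} my_zval;
typedef int (*cast_fn)(const my_zval *in, my_zval *out, int want);
/* Stands in for whatever the copy's memory held before the call. */
static const char uninitialised[] = "<uninitialised memory>";

/* Handler like the third-party one in the report: reports SUCCESS but only
 * null-initialises the result, leaving str and len untouched. */
static int cast_returns_null(const my_zval *in, my_zval *out, int want) {
    (void)in; (void)want;
    out->type = T_NULL;
    return SUCCESS;
}
/* Well-behaved handler that actually produces a string. */
static int cast_returns_string(const my_zval *in, my_zval *out, int want) {
    (void)in;
    if (want != T_STRING) return FAILURE;
    out->str = "object as string"; out->len = strlen(out->str);
    out->type = T_STRING;
    return SUCCESS;
}

/* check_type == 0 mirrors the report: the handler's return code is trusted and
 * the copy is stamped T_STRING whatever it holds; check_type == 1 also requires
 * the handler to have set T_STRING and falls back to "" otherwise.
 * Returns 1 when copy is a string the caller would go on to print. */
static int make_printable(const my_zval *in, my_zval *copy, cast_fn cast, int check_type) {
    copy->type = T_NULL; copy->str = uninitialised; copy->len = 0;
    if (in->type != T_OBJECT) return 0;
    if (cast(in, copy, T_STRING) == SUCCESS && (!check_type || copy->type == T_STRING)) {
        copy->type = T_STRING;   /* unchecked: str may still be stale */
        return 1;
    }
    copy->type = T_STRING; copy->str = ""; copy->len = 0;   /* safe fallback */
    return 1;
}
/* True when the printable copy points at something other than stale memory. */
static int copy_is_safe(const my_zval *copy) {
    return copy->type == T_STRING && copy->str != uninitialised;
}
```

With check_type set, a handler that only null-initialises the copy ends up printed as an empty string instead of being read through a stale pointer.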
 [2005-03-06 20:03 UTC] sniper@php.net
You're still pasting some C source code. Can you please explain what you want to say? Is that last comment a patch or reproduce code? (never heard of 'diff' utility?)


 [2005-03-07 08:42 UTC] ivar at stvk dot no
Then just forget it, if you cannot just read my first post and just go into the code and see what is there.
 [2005-03-07 14:02 UTC] tony2001@php.net
It's bogus, since you can't explain what you are talking about.