php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #31636 Type cast is unchecked
Submitted: 2005-01-21 15:25 UTC Modified: 2005-04-18 18:26 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: ivar at stvk dot no Assigned: wez (profile)
Status: Closed Package: COM related
PHP Version: 5.0.3 OS: Windows XP
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: ivar at stvk dot no
New email:
PHP Version: OS:

 

 [2005-01-21 15:25 UTC] ivar at stvk dot no 
Description:
------------
com_object_cast is at least called by zend_make_printable_zval. In this context, it appears that the contract of the handler is to return a zval with the the specified type. If not able to return the value, it should return FAILURE.

The handler will return a valid zval with wrong type if VariantChangeType fails, or if the requested cast type is not supported.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-01-23 18:05 UTC] ivar at stvk dot no 
There seems to be a misconception in the COM code that a IDispatch variable with VARDESC.wVarFlags = VARFLAG_FDEFAULTBIND is the value to return as the object's default value. Default binding is used as a flag on ActiveX Control Properties to tell which control property that is to be bound to a datasource. This kind of binding may be either a variable (VARDESC) or a function (FUNCDESC).

The code looks like the programmer has intended to fetch the objects default value. This value is by OLE Automation defined as having DISPID = DISPID_VALUE. 

com_write_dimension and com_read_dimension should be rewritten to call php_com_do_invoke_by_id using DISPID_VALUE.

com_object_cast should be rewritten to use VariantChangeType directly to do the cast:

static int com_object_cast(zval *readobj, zval *writeobj, int type, int should_free TSRMLS_DC)
{
	php_com_dotnet_object *obj;
	VARIANT v;
	VARTYPE vt = VT_EMPTY;
	int ret;
	HRESULT hr;

	if (should_free) {
		zval_dtor(writeobj);
	}

	ZVAL_NULL(writeobj);

	obj = CDNO_FETCH(readobj);
	VariantInit(&v);

	switch(type) {
		case IS_LONG:
			vt = VT_INT;
			break;
		case IS_DOUBLE:
			vt = VT_R8;
			break;
		case IS_BOOL:
			vt = VT_BOOL;
			break;
		case IS_STRING:
			vt = VT_BSTR;
			break;
		default:
			return FAILURE;
	}

	if (FAILED(hr=VariantChangeType(&v, &obj->v, 0, vt))) {
		return FAILURE;
	}

	ret = php_com_zval_from_variant(writeobj, &v, obj->code_page TSRMLS_CC);
	VariantClear(&v);
	return ret;
}

This also makes com_object_cast to obey the rule of returning FAILURE if it is unable to return the required zval type.
 [2005-01-26 11:15 UTC] edink@php.net 
Wez, could you have a look?
 [2005-02-06 04:01 UTC] fsleng at supmano dot sk 
This seems to be related to Bug#29583 (com_dotnet crashes when trying to strlen).
 [2005-04-18 18:26 UTC] wez@php.net 
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri Oct 31 04:00:01 2025 UTC