Bug #62475 variant_* functions causes crash when null given as an argument
Submitted: 2012-07-03 20:56 UTC Modified: -
From: deadb17ch at gmail dot com Assigned:
Status: Closed Package: COM related
PHP Version: 5.4.4 OS: Windows XP SP3
Private report: No CVE-ID: None

 [2012-07-03 20:56 UTC] deadb17ch at gmail dot com
Description:
------------
As we can read in the php manual : 

"As with all the variant arithmetic functions, the parameters for this function 
can be either a PHP native type (integer, string, floating point, boolean or 
NULL), or an instance of a COM, VARIANT or DOTNET class. ...."

but actually the PHP instance crashes when we give NULL as the first or second argument 
to some of the functions from the variant_* family.

Those functions are: 

variant_neg
variant_pow
variant_cat
variant_div
variant_fix
variant_idiv
variant_imp
variant_int
variant_mod
variant_mul
variant_neg
variant_not
variant_round
variant_set
variant_sub
variant_xor
variant_or 
variant_eqv 
variant_cmp 
variant_abs 
variant_and

Test script:
---------------
<?php variant_pow(null, 1); ?>

<?php variant_neg(null); ?>


Expected result:
----------------
nothing happens or an error occurs

Actual result:
--------------
crash

eax=00000000 ebx=01250080 ecx=00c0fac8 edx=1039bac6 esi=00000000 edi=00c0fac8
eip=100f4036 esp=00c0fa90 ebp=02296f08 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for 
C:\\xampp\\php\\php5ts.dll - 
php5ts!php_com_variant_from_zval+0x6:
100f4036 0fb6460c        movzx   eax,byte ptr [esi+0Ch]     ds:0023:0000000c=??

Patches

patch-for-NULL-access (last revision 2013-02-20 11:45 UTC by user at kkdf2 dot sakura dot ne dot jp)

Pull Requests

History

 [2013-02-20 11:42 UTC] user at kkdf2 dot sakura dot ne dot jp
z is NULL, and then Z_TYPE_P(z) gets access violation, because zend_parse_parameters eats "z!z!". It may be safe with "zz".

---
PHP_COM_DOTNET_API void php_com_variant_from_zval(VARIANT *v, zval *z, int codepage TSRMLS_DC)
{
	OLECHAR *olestring;
	php_com_dotnet_object *obj;
	
	switch (Z_TYPE_P(z)) {
		case IS_NULL:
			V_VT(v) = VT_NULL;
			break;
---
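
Added example, not part of the report or of php-src: a simplified C model of the failure the comment above describes, where a "z!" parameter spec hands a NULL pointer to a converter that reads the type field, next to a converter that checks the pointer first. All model_* names, the struct layout (chosen so that type sits at offset 0x0C, the address faulted on in the crash dump) and the -1 return convention are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for illustration; these are not PHP's definitions. */
enum { MODEL_IS_NULL = 0, MODEL_IS_LONG = 1 };
enum { MODEL_VT_EMPTY = 0, MODEL_VT_NULL = 1, MODEL_VT_I4 = 3 };

/* Laid out so `type` sits at offset 0x0C: reading it through a NULL pointer
 * touches address 0x0000000c, as in the dump (esi=0, [esi+0Ch]). */
typedef struct {
    union { long lval; double dval; } value; /* 8 bytes */
    unsigned int refcount;                   /* 4 bytes */
    unsigned char type;                      /* offset 12 */
} model_zval;
typedef struct { int vt; long lval; } model_variant;

static size_t model_type_offset(void) { return offsetof(model_zval, type); }

/* One argument slot of the parameter parser: with "z!" a PHP null arrives as
 * a NULL C pointer; with "z" the callee gets a zval whose type is IS_NULL. */
static model_zval *model_parse_arg(const char *spec, model_zval *arg)
{
    if (strcmp(spec, "z!") == 0 && arg->type == MODEL_IS_NULL)
        return NULL;
    return arg;
}

/* Converter that checks the pointer before reading z->type.
 * Returns 0 on success, -1 when no zval was supplied. */
static int model_variant_from_zval(model_variant *v, const model_zval *z)
{
    if (z == NULL) return -1;
    switch (z->type) {
    case MODEL_IS_NULL: v->vt = MODEL_VT_NULL; break;
    case MODEL_IS_LONG: v->vt = MODEL_VT_I4; v->lval = z->value.lval; break;
    default:            v->vt = MODEL_VT_EMPTY; break;
    }
    return 0;
}

/* Parse and convert one PHP-level null; returns the variant type or -1. */
static int model_convert_null(const char *spec)
{
    model_zval arg = { {0}, 1, MODEL_IS_NULL };
    model_variant v = { MODEL_VT_EMPTY, 0 };
    return model_variant_from_zval(&v, model_parse_arg(spec, &arg)) ? -1 : v.vt;
}
int main(void) { printf("z!: %d, z: %d\n", model_convert_null("z!"), model_convert_null("z")); return 0; }
```

With "z!" the guarded converter rejects the call instead of dereferencing NULL; with "z" the same PHP null reaches the IS_NULL case and becomes a VT_NULL variant.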
 [2013-06-26 00:42 UTC] felipe@php.net
Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=42896968282a607a26e4aa152d3c8dc90dad5826
Log: - Fixed bug #62475 (variant_* functions causes crash when null given as an argument)
 [2013-06-26 00:42 UTC] felipe@php.net
-Status: Open +Status: Closed
 [2014-10-07 23:18 UTC] stas@php.net
Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=42896968282a607a26e4aa152d3c8dc90dad5826
Log: - Fixed bug #62475 (variant_* functions causes crash when null given as an argument)
 [2014-10-07 23:29 UTC] stas@php.net
Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=42896968282a607a26e4aa152d3c8dc90dad5826
Log: - Fixed bug #62475 (variant_* functions causes crash when null given as an argument)
 