Bug #29392 com_method_get() appears to not handle non-existent method properly
Submitted: 2004-07-26 18:56 UTC
Modified: 2004-07-28 00:20 UTC
From: msisolak at yahoo dot com
Assigned:
Status: Closed
Package: COM related
PHP Version: 5.0.0
OS: Windows 2000 Professional
Private report: No
CVE-ID:
 [2004-07-26 18:56 UTC] msisolak at yahoo dot com
Description:
------------
Trying to echo a COM object results in crash.

When zend_call_function() is called to look up "__tostring" in a COM object, it calls into com_method_get().  In turn this calls ITypeComp_Bind to look up the method.  If the method is not found the result is DESCKIND_NONE, but the switch(kind) statement isn't testing for this.  As a result com_method_get() returns a zend_internal_function with an invalid handler.  The handler is called and PHP crashes.

I came up with this possible code as the response to a DESCKIND_NONE:

case DESCKIND_NONE:
	ITypeComp_Release(comp);
	efree(olename);
	return NULL;

but I'm not too confident about it.  It does stop the crash in my test case, but there may be a better solution.

Reproduce code:
---------------
<?php
// Instantiate any COM object, then convert it to a string.
$c = new COM("ADODB.Connection");
echo $c;


Expected result:
----------------
Either error on trying to echo object with no __toString() method, or nothing.

Actual result:
--------------
The instruction at "0x00e5c208" referenced memory at "0x0000000".  The memory could not be "written".

 [2004-07-27 04:02 UTC] wez@php.net
Fixed in HEAD; thanks for pointing out the error :-)

Actual Fix was:
http://cvs.php.net/diff.php/php-src/ext/com_dotnet/com_handlers.c?r1=1.22&r2=1.23&ty=u

 [2004-07-27 04:40 UTC] wez@php.net
Actually, this broke calling methods that are dynamically added at runtime.

Would you mind trying to debug this a bit more?
It sounds like the crash is somewhere else.

 [2004-07-28 00:20 UTC] wez@php.net
http://cvs.php.net/diff.php/php-src/ext/com_dotnet/com_handlers.c?php=1882e4582b70d2e731287960a38e67e5&r1=1.24&r2=1.25&ty=u

Your sample still does not work (but does not crash) because the engine tries to call $c->__toString() and the ADODB object *might* implement that method, but doesn't know until you open the connection.
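
The failure mode described in the report, reduced to a stand-alone C model: a lookup result with no arm for "not found" hands back a function entry whose handler was never set. This is an added example, not code from php-src or from anyone in this thread; every name in it (KIND_*, func_entry, bind_name, method_get_*, call_method) is hypothetical, and it does not model methods added at runtime, which the 04:40 comment says the first fix broke.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not php-src code: kinds a name lookup can report. */
enum { KIND_NONE, KIND_FUNC, KIND_VAR };
typedef int (*handler_fn)(const char *name);
typedef struct { const char *name; handler_fn handler; } func_entry;

/* Stand-in for the real method handler; returns a dummy result. */
static int invoke(const char *name) { return (int)strlen(name); }

/* Stand-in for ITypeComp_Bind: only "Open" is a known method here. */
static int bind_name(const char *name) {
    if (strcmp(name, "Open") == 0)  return KIND_FUNC;
    if (strcmp(name, "State") == 0) return KIND_VAR;
    return KIND_NONE;
}

/* Reported pattern: no KIND_NONE arm, so the entry returns with no handler. */
func_entry *method_get_unchecked(const char *name, func_entry *out) {
    out->name = name;
    switch (bind_name(name)) {
    case KIND_FUNC: out->handler = invoke; break;
    case KIND_VAR:  break;              /* property, not a method */
    }
    return out;
}

/* Defensive form: zero the entry and report "not found" explicitly. */
func_entry *method_get_checked(const char *name, func_entry *out) {
    memset(out, 0, sizeof *out);
    out->name = name;
    switch (bind_name(name)) {
    case KIND_FUNC: out->handler = invoke; return out;
    case KIND_NONE:                     /* name not found */
    default:        return NULL;
    }
}

/* Call-site guard: never dispatch through a missing handler. */
int call_method(const func_entry *f) {
    if (f == NULL || f->handler == NULL) return -1;
    return f->handler(f->name);
}

int main(void) {
    func_entry a = {0}, b;              /* a zeroed so the result is defined */
    func_entry *u = method_get_unchecked("__tostring", &a);
    printf("unchecked: handler %s\n", u->handler ? "set" : "missing");
    printf("checked:   %d\n", call_method(method_get_checked("__tostring", &b)));
    return 0;
}
```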


 
Last updated: Sat Apr 19 09:02:28 2014 UTC