Bug #31636 Type cast is unchecked
Submitted: 2005-01-21 15:25 UTC Modified: 2005-04-18 18:26 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: ivar at stvk dot no Assigned: wez
Status: Closed Package: COM related
PHP Version: 5.0.3 OS: Windows XP
Private report: No CVE-ID:
 [2005-01-21 15:25 UTC] ivar at stvk dot no
Description:
------------
com_object_cast is at least called by zend_make_printable_zval. In this context, it appears that the contract of the handler is to return a zval with the specified type. If not able to return the value, it should return FAILURE.

The handler will return a valid zval with wrong type if VariantChangeType fails, or if the requested cast type is not supported.


 [2005-01-23 18:05 UTC] ivar at stvk dot no
There seems to be a misconception in the COM code that an IDispatch variable with VARDESC.wVarFlags = VARFLAG_FDEFAULTBIND is the value to return as the object's default value. Default binding is used as a flag on ActiveX Control Properties to tell which control property is to be bound to a datasource. This kind of binding may be either a variable (VARDESC) or a function (FUNCDESC).

The code looks like the programmer has intended to fetch the object's default value. This value is by OLE Automation defined as having DISPID = DISPID_VALUE.

com_write_dimension and com_read_dimension should be rewritten to call php_com_do_invoke_by_id using DISPID_VALUE.

com_object_cast should be rewritten to use VariantChangeType directly to do the cast:

static int com_object_cast(zval *readobj, zval *writeobj, int type, int should_free TSRMLS_DC)
{
	php_com_dotnet_object *obj;
	VARIANT v;
	VARTYPE vt = VT_EMPTY;
	int ret;
	HRESULT hr;

	if (should_free) {
		zval_dtor(writeobj);
	}

	ZVAL_NULL(writeobj);

	obj = CDNO_FETCH(readobj);
	VariantInit(&v);

	switch(type) {
		case IS_LONG:
			vt = VT_INT;
			break;
		case IS_DOUBLE:
			vt = VT_R8;
			break;
		case IS_BOOL:
			vt = VT_BOOL;
			break;
		case IS_STRING:
			vt = VT_BSTR;
			break;
		default:
			return FAILURE;
	}

	if (FAILED(hr=VariantChangeType(&v, &obj->v, 0, vt))) {
		return FAILURE;
	}

	ret = php_com_zval_from_variant(writeobj, &v, obj->code_page TSRMLS_CC);
	VariantClear(&v);
	return ret;
}

This also makes com_object_cast obey the rule of returning FAILURE if it is unable to return the required zval type.
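
Added example (not part of the report and not PHP source): a stand-alone C model of the cast-handler contract discussed above, with an unchecked handler beside a checked one. The value struct, type tags and function names are hypothetical, and convert() only stands in for the role VariantChangeType plays.

```c
/* Added example: model of the cast-handler contract; all names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

enum { SUCCESS = 0, FAILURE = -1 };
typedef enum { T_NULL, T_LONG, T_STRING } vtype;
typedef struct { vtype type; long lval; char str[32]; } value;

/* Stand-in for a fallible conversion (VariantChangeType's role); string -> long only. */
static int convert(const value *src, vtype want, value *dst) {
    char *end;
    if (want != T_LONG || src->type != T_STRING) return FAILURE; /* unsupported */
    long n = strtol(src->str, &end, 10);
    if (end == src->str || *end != '\0') return FAILURE;         /* not numeric */
    dst->type = T_LONG; dst->lval = n;
    return SUCCESS;
}

/* Unchecked: drops the conversion result, so a failed cast hands back a
   valid value of the wrong type and still reports SUCCESS. */
static int cast_unchecked(const value *src, vtype want, value *out) {
    *out = *src;
    (void)convert(src, want, out);
    return SUCCESS;
}

/* Checked: the output is null-typed unless the conversion succeeded and
   produced exactly the requested type. */
static int cast_checked(const value *src, vtype want, value *out) {
    value tmp = { T_NULL, 0, "" };
    out->type = T_NULL;
    if (convert(src, want, &tmp) != SUCCESS || tmp.type != want) return FAILURE;
    *out = tmp;
    return SUCCESS;
}

/* 1 if the handler either failed or returned the requested type. */
static int honours_contract(int (*cast)(const value *, vtype, value *),
                            const value *src, vtype want) {
    value out;
    return cast(src, want, &out) == FAILURE || out.type == want;
}

int main(void) {
    value bad = { T_STRING, 0, "abc" }; /* constructed input */
    printf("unchecked=%d checked=%d\n", honours_contract(cast_unchecked, &bad, T_LONG),
           honours_contract(cast_checked, &bad, T_LONG));
    return 0;
}
```

A caller that reads the result through the requested type's field after SUCCESS is only safe with the checked handler.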
 [2005-01-26 11:15 UTC] edink@php.net
Wez, could you have a look?
 [2005-02-06 04:01 UTC] fsleng at supmano dot sk
This seems to be related to Bug#29583 (com_dotnet crashes when trying to strlen).
 [2005-04-18 18:26 UTC] wez@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 