|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #31636 Type cast is unchecked
Submitted: 2005-01-21 15:25 UTC Modified: 2005-04-18 18:26 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: ivar at stvk dot no Assigned: wez
Status: Closed Package: COM related
PHP Version: 5.0.3 OS: Windows XP
Private report: No CVE-ID:
 [2005-01-21 15:25 UTC] ivar at stvk dot no
com_object_cast is at least called by zend_make_printable_zval. In this context, it appears that the contract of the handler is to return a zval with the the specified type. If not able to return the value, it should return FAILURE.

The handler will return a valid zval with wrong type if VariantChangeType fails, or if the requested cast type is not supported.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2005-01-23 18:05 UTC] ivar at stvk dot no
There seems to be a misconception in the COM code that a IDispatch variable with VARDESC.wVarFlags = VARFLAG_FDEFAULTBIND is the value to return as the object's default value. Default binding is used as a flag on ActiveX Control Properties to tell which control property that is to be bound to a datasource. This kind of binding may be either a variable (VARDESC) or a function (FUNCDESC).

The code looks like the programmer has intended to fetch the objects default value. This value is by OLE Automation defined as having DISPID = DISPID_VALUE. 

com_write_dimension and com_read_dimension should be rewritten to call php_com_do_invoke_by_id using DISPID_VALUE.

com_object_cast should be rewritten to use VariantChangeType directly to do the cast:

static int com_object_cast(zval *readobj, zval *writeobj, int type, int should_free TSRMLS_DC)
	php_com_dotnet_object *obj;
	int ret;

	if (should_free) {


	obj = CDNO_FETCH(readobj);

	switch(type) {
		case IS_LONG:
			vt = VT_INT;
		case IS_DOUBLE:
			vt = VT_R8;
		case IS_BOOL:
			vt = VT_BOOL;
		case IS_STRING:
			vt = VT_BSTR;
			return FAILURE;

	if (FAILED(hr=VariantChangeType(&v, &obj->v, 0, vt))) {
		return FAILURE;

	ret = php_com_zval_from_variant(writeobj, &v, obj->code_page TSRMLS_CC);
	return ret;

This also makes com_object_cast to obey the rule of returning FAILURE if it is unable to return the required zval type.
 [2005-01-26 11:15 UTC]
Wez, could you have a look?
 [2005-02-06 04:01 UTC] fsleng at supmano dot sk
This seems to be related to Bug#29583 (com_dotnet crashes when trying to strlen).
 [2005-04-18 18:26 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2015 The PHP Group
All rights reserved.
Last updated: Fri Nov 27 10:01:43 2015 UTC