Bug #37975 PHP crashes in certain error scenarios
Submitted: 2006-06-30 16:21 UTC Modified: 2006-07-24 19:09 UTC
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: cosborne at gmail dot com Assigned:
Status: Closed Package: COM related
PHP Version: 5.1.4 OS: Windows XP/2K3
Private report: No CVE-ID: None
 [2006-06-30 16:21 UTC] cosborne at gmail dot com
In certain error scenarios, PHP crashes with an access violation instead of reporting the error.

I have so far only identified one specific error that causes the crash, but there may well be others.

Reproduce code:
$wmiLocator = new COM("WbemScripting.SWbemLocator");
$wmi = $wmiLocator->ConnectServer(".","root/MicrosoftDNS");
$a_rr = $wmi->Get("MicrosoftDNS_AType");
$a_rr->CreateInstanceFromTextRepresentation("","","[*already existent domain name*] IN A");

Expected result:
As indicated in the code, the crash only occurs when attempting to create a domain record that already exists in the DNS server.

The functionally equivalent VBScript code reports a "Generic failure" when the record already exists on the server.

Actual result:
Access Violation

Stack backtrace:
002cf97c 5a0759f4 OLEAUT32!SysFreeString+0x45
002cf994 5a072278 wbemdisp!SetException+0x1b
002cf9cc 5a07afd9 wbemdisp!CWbemDispatchMgr::Invoke+0x116
*** WARNING: Unable to verify checksum for php5ts.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for php5ts.dll - 
002cf9f8 100e49ec wbemdisp!CSWbemObject::Invoke+0x2f
WARNING: Stack unwind information not available. Following frames may be wrong.
01e791c8 7373656c php5ts!realpath+0x6c1c


 [2006-07-19 16:07 UTC] cosborne at gmail dot com
Having done some investigation into this bug, it would appear that the problem is caused by the fact that the EXCEPINFO structure is not zeroed before being passed to IDispatch_Invoke (ext\com_dotnet\com_com.c:346).

The structure needs to be zeroed before passing to IDispatch_Invoke since the wbemdisp!SetException function calls SysFreeString on the string parameters of the EXCEPINFO structure if they aren't null.
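
The failure mode described in the comment above, as an added portable C model (not part of the original report and not PHP's or wbemdisp's code). The `model_*` names, the tracking table and the 0xCC fill are assumptions made for illustration; only the free-if-non-NULL behaviour and the zeroing fix come from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Portable stand-in for the string members of EXCEPINFO (assumption: not the Windows type). */
typedef struct { char *bstrSource, *bstrDescription, *bstrHelpFile; } model_excepinfo;

static void *live[8];                     /* strings this model has allocated */

static char *model_alloc(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (!p) return NULL;
    strcpy(p, s);
    for (int i = 0; i < 8; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);
    return NULL;
}

/* Stand-in for SysFreeString. Returns 0 for a non-NULL pointer that was never
   allocated, which the real function would dereference; 1 otherwise. */
static int model_free(char *p) {
    if (!p) return 1;
    for (int i = 0; i < 8; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return 1; }
    return 0;
}

/* Callee modelled on the report's description of wbemdisp!SetException: free any
   non-NULL string member, then store the new error. Returns the bad-free count. */
int model_set_exception(model_excepinfo *e, const char *desc) {
    int bad = !model_free(e->bstrSource) + !model_free(e->bstrDescription)
            + !model_free(e->bstrHelpFile);
    e->bstrSource = model_alloc("model");
    e->bstrDescription = model_alloc(desc);
    e->bstrHelpFile = NULL;
    return bad;
}

/* Caller: zero_first = 0 is the pattern in the report, 1 is the fix it proposes. */
int invoke_model(int zero_first) {
    model_excepinfo e;
    memset(&e, 0xCC, sizeof e);           /* constructed stand-in for stack garbage */
    if (zero_first) memset(&e, 0, sizeof e);
    int bad = model_set_exception(&e, "Generic failure");
    model_free(e.bstrSource);
    model_free(e.bstrDescription);
    return bad;
}

int main(void) {
    printf("unzeroed: %d bad frees, zeroed: %d\n", invoke_model(0), invoke_model(1));
    return 0;
}
```

In the model each bad free is only counted; in the real call path it is the `SysFreeString` frame at the top of the backtrace.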
 [2006-07-24 19:09 UTC] cosborne at gmail dot com
Resubmitted as #38198