|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #62474 com_event_sink crashes when closure object given as an argument
Submitted: 2012-07-03 20:18 UTC Modified: 2020-10-22 16:12 UTC
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: deadb17ch at gmail dot com Assigned: cmb (profile)
Status: Closed Package: COM related
PHP Version: 7.3 OS: Windows XP SP3
Private report: No CVE-ID: None
 [2012-07-03 20:18 UTC] deadb17ch at gmail dot com
com_event_sink() crashes when closure object (anonymouse function) is given as the 
second argument...

Test script:

$__evil = function() { };

	/* variant */	new Variant(),
	/* object  */	$__evil,			// oink!
	/* mixed   */	array()


Expected result:
nothing happends or an information about error (or maybe argument type mismatch) 

Actual result:

eax=00000000 ebx=010328f0 ecx=00000000 edx=00000001 esi=0121e438 edi=00000000
eip=100f33c8 esp=00c0fa50 ebp=00000000 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for 
C:\xampp\php\php5ts.dll - 
100f33c8 8b08            mov     ecx,dword ptr [eax]  ds:0023:00000000=???????? 


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2012-07-26 13:32 UTC] fb1h2s at gmail dot com
It's possible to achieve code execution using this bug. 

$_evil_object = new VARIANT(0x41414141);
 [2012-07-26 13:43 UTC] deadb17ch at gmail dot com
I know. I have send an advisory about possible code execution  in com_event_sink()  
function using VARIANT object to bugtraq some time ago (21 May) :

but this time it is about bug in second argument, not first.
 [2012-07-27 20:43 UTC] fb1h2s at gmail dot com
Oh yea my mistake I was referring to arg 1 crash, dint see a Bug Id open for that here though.


$buffer = str_repeat("A", 1000);

$vVar = new VARIANT(0x41414141); // We controll this
$vVar2 = new VARIANT(0x41414141); // 

com_event_sink($vVar, $vVar2 , $buffer );

 [2012-09-11 14:08 UTC] fb1h2s at gmail dot com
A reliable way to get coded execution
394/ using this bug.
 [2020-10-22 16:12 UTC]
-Status: Open +Status: Verified -PHP Version: 5.4.4 +PHP Version: 7.3 -Assigned To: +Assigned To: cmb
 [2020-10-22 16:12 UTC]
Unlikely to be remotely exploitable, but still a bug.
 [2020-10-23 11:45 UTC]
The following pull request has been associated:

Patch Name: Fix #62474: com_event_sink crashes on certain arguments
On GitHub:
 [2020-10-26 10:56 UTC]
Automatic comment on behalf of
Log: Fix #62474: com_event_sink crashes on certain arguments
 [2020-10-26 10:56 UTC]
-Status: Verified +Status: Closed
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue May 21 08:01:31 2024 UTC