php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #63208 Wrong conversion of byte array VARIANT which contains null byte to string
Submitted: 2012-10-03 12:40 UTC Modified: 2015-08-16 16:25 UTC
Votes:4
Avg. Score:4.5 ± 0.9
Reproduced:3 of 3 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: gopeyx at gmail dot com Assigned:
Status: Analyzed Package: COM related
PHP Version: 5.3.17 OS: Windows NT W-AM-13079 6.1 build
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2012-10-03 12:40 UTC] gopeyx at gmail dot com
Description:
------------
I have a VARIANT of type 8209 which is an array of bytes (VT_ARRAY | VT_UI1).
This array contains null byte in the middle.

When trying to convert it to a string only bytes before null byte are used. Others are ignored.

But they are present in the object. You can see it if you walk through the bytes of variant via foreach().

Test script:
---------------
<?php

$string = "ab\0cd";

$variant = new VARIANT($string, VT_ARRAY | VT_UI1); // Array of bytes

$converted = (string) $variant;

var_dump($string);
var_dump($converted);


Expected result:
----------------
string(5) "abcd"
string(5) "abcd"

// $converted variable should be equal to the original $string and should contain 5 characters.

Actual result:
--------------
string(5) "abcd"
string(2) "ab"

Patches

olestring-binary-safe (last revision 2015-08-16 16:26 UTC by cmb@php.net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-10-11 15:38 UTC] tomas dot var at dtr-sistemas dot com
I have the same problem when I want to extract the value of a LONGBINARY field from an MS-Access or MSSQL Database (OLE Field exactly), and the OLE embeeded header contains some zero bytes. I can obtain only 3 bytes when it converts to a string for save to a file. And when I loop with "foreach" the VARIANT ARRAY of UNSIGNED BYTES it loops correctly (except for the byte '\0' after every valid byte) and if I count the array with "count($field->Value)" for example, it results the double lenght that expects.
Why don't exists in PHP a way to obtain a simple array of bytes for a variable, or access the data like a "string" of bytes?
 [2015-08-16 16:25 UTC] cmb@php.net
-Status: Open +Status: Analyzed
 [2015-08-16 16:25 UTC] cmb@php.net
The problem is that php_com_olestring_to_string()[1] is not binary
safe, because it passes -1 to the cchWideChar parameter of
WideCharToMultiByte()[2]. That causes WideCharToMultiByte() to
stop at the first null character (actually, two null bytes), and
so the rest of the string is ignored.

As a BSTR[3] has a prefix containing its length in bytes it
appears we could use this to calculate the proper cchWideChar
argument, see the attached patch.

[1] <https://github.com/php/php-src/blob/php-7.0.0beta3/ext/com_dotnet/com_olechar.c#L74>
[2] <https://msdn.microsoft.com/en-us/library/windows/desktop/dd374130(v=vs.85).aspx>
[3] <https://msdn.microsoft.com/en-us/library/windows/desktop/ms221069(v=vs.85).aspx>
 [2015-08-16 16:26 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: olestring-binary-safe
Revision:   1439742362
URL:        https://bugs.php.net/patch-display.php?bug=63208&patch=olestring-binary-safe&revision=1439742362
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Tue Jun 25 16:01:25 2019 UTC