Edit report at https://bugs.php.net/bug.php?id=62474&edit=1

 ID:                 62474
 Comment by:         fb1h2s at gmail dot com
 Reported by:        deadb17ch at gmail dot com
 Summary:            com_event_sink crashes when closure object given as
                     an argument
 Status:             Open
 Type:               Bug
 Package:            COM related
 Operating System:   Windows XP SP3
 PHP Version:        5.4.4
 Block user comment: N
 Private report:     N

 New Comment:

It's possible to achieve code execution using this bug. 

$_evil_object = new VARIANT(0x41414141);


Previous Comments:
------------------------------------------------------------------------
[2012-07-03 20:18:20] deadb17ch at gmail dot com

Description:
------------
com_event_sink() crashes when a closure object (anonymous function) is given as
the second argument...

Test script:
---------------
<?php

$__evil = function() { };

com_event_sink(
        /* variant */   new Variant(),
        /* object  */   $__evil,                        // oink!
        /* mixed   */   array()
);

?>

Expected result:
----------------
nothing happens, or information about an error (or maybe an argument type
mismatch) occurs


Actual result:
--------------
crash

eax=00000000 ebx=010328f0 ecx=00000000 edx=00000001 esi=0121e438 edi=00000000
eip=100f33c8 esp=00c0fa50 ebp=00000000 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for 
C:\xampp\php\php5ts.dll - 
php5ts!php_com_load_typelib_via_cache+0x118:
100f33c8 8b08            mov     ecx,dword ptr [eax]  ds:0023:00000000=???????? 


------------------------------------------------------------------------


