From:             cosborne at gmail dot com
Operating system: Windows XP/2K3
PHP version:      5.1.4
PHP Bug Type:     COM related
Bug description:  PHP may crash when COM reports an exception (With fix)

Description:
------------
I reported this bug a few weeks ago (#37975), but it's still not been
assigned, despite having added a fix to the report.

IDispatch_Invoke (ext\com_dotnet\com_com.c:346) is passed an uninitialized
EXCEPINFO structure. If an exception occurs, as part of the exception
handling process (wbemdisp!SetException), the string parameters of the
EXCEPINFO structure are checked, and if they are non-zero, SysFreeString
is called on the parameter. Since the passed EXCEPINFO structure is
uninitialized, the pointers are invalid and an access violation results.

To fix this bug, the EXCEPINFO structure needs to be zeroed before
IDispatch_Invoke is called.

Reproduce code:
---------------
Whilst this bug could presumably occur at any time due to the "random"
nature of the data that may be contained in the uninitialized structure,
the following code causes an exception on every execution:

$wmiLocator = new COM("WbemScripting.SWbemLocator");
$wmi = $wmiLocator->ConnectServer(".","root/MicrosoftDNS");
$a_rr = $wmi->Get("MicrosoftDNS_AType");
$a_rr->CreateInstanceFromTextRepresentation("","example.com","[*already existent domain name*] IN A 127.0.0.1");

Expected result:
----------------
The final call should result in a "Generic Failure" com_exception.

Actual result:
--------------
PHP crashes with an access violation.

-- 
Edit bug report at http://bugs.php.net/?id=38198&edit=1
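
The failure mode and the fix described in the report, as an added example in portable C (not code from PHP or from the report). `excep_model`, `model_alloc`, `model_free`, `set_exception` and `invoke_with` are constructed stand-ins for EXCEPINFO's string fields, the BSTR allocator, SysFreeString, the callee and the caller; a 0xCC fill stands in for stack garbage, and an invalid free is counted instead of faulting.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the three string fields of EXCEPINFO. */
typedef struct { char *source, *description, *help_file; } excep_model;

static char *live[8];  /* strings currently owned by the model allocator */
static int bad_frees;  /* frees of pointers the allocator never handed out */

static char *model_alloc(const char *s) {
    for (int i = 0; i < 8; i++)
        if (!live[i]) { live[i] = malloc(strlen(s) + 1); strcpy(live[i], s); return live[i]; }
    return NULL;
}

/* Stand-in for SysFreeString: the real call faults on garbage; here it is counted. */
static void model_free(char *p) {
    for (int i = 0; i < 8; i++)
        if (live[i] == p) { free(p); live[i] = NULL; return; }
    bad_frees++;
}

/* Callee behaviour from the report: free every non-zero string field, then fill in. */
static void set_exception(excep_model *e) {
    if (e->source)      model_free(e->source);
    if (e->description) model_free(e->description);
    if (e->help_file)   model_free(e->help_file);
    e->source = model_alloc("constructed source");
    e->description = model_alloc("Generic failure");
    e->help_file = NULL;
}

/* Returns how many invalid frees the callee attempted; zero_first applies the fix. */
int invoke_with(int zero_first) {
    excep_model e;
    memset(&e, 0xCC, sizeof e);              /* deterministic "uninitialized" contents */
    if (zero_first) memset(&e, 0, sizeof e); /* the fix: zero before the call */
    bad_frees = 0;
    set_exception(&e);
    int n = bad_frees;
    model_free(e.source); model_free(e.description); /* caller releases the results */
    return n;
}

int main(void) {
    printf("unzeroed: %d invalid frees\n", invoke_with(0));
    printf("zeroed:   %d invalid frees\n", invoke_with(1));
    return 0;
}
```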