From 7424bfc7ac772687a681e42081ea0d8943f0d85e Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Thu, 22 Oct 2020 17:50:22 +0200 Subject: Fix #62474: com_event_sink crashes on certain arguments We have to make sure that the variant is of type `VT_DISPATCH` before we access it as such. Closes GH-6372. --- NEWS | 3 +++ ext/com_dotnet/com_typeinfo.c | 44 +++++++++++++++++++++----------------- ext/com_dotnet/tests/bug62474.phpt | 14 ++++++++++++ 3 files changed, 41 insertions(+), 20 deletions(-) create mode 100644 ext/com_dotnet/tests/bug62474.phpt diff --git a/NEWS b/NEWS index 1b5f8ee8dd..8a1ea004e0 100644 --- a/NEWS +++ b/NEWS @@ -8,6 +8,9 @@ PHP NEWS . Fixed bug #80258 (Windows Deduplication Enabled, randon permission errors). (cmb) +- COM: + . Fixed bug #62474 (com_event_sink crashes on certain arguments). (cmb) + - IMAP: . Fixed bug #64076 (imap_sort() does not return FALSE on failure). (cmb) . Fixed bug #76618 (segfault on imap_reopen). (girgias) diff --git a/ext/com_dotnet/com_typeinfo.c b/ext/com_dotnet/com_typeinfo.c index 794922d938..5d9408564a 100644 --- a/ext/com_dotnet/com_typeinfo.c +++ b/ext/com_dotnet/com_typeinfo.c 
@@ -267,18 +267,20 @@ ITypeInfo *php_com_locate_typeinfo(char *typelibname, php_com_dotnet_object *obj if (obj) { if (dispname == NULL && sink) { - IProvideClassInfo2 *pci2; - IProvideClassInfo *pci; + if (V_VT(&obj->v) == VT_DISPATCH) { + IProvideClassInfo2 *pci2; + IProvideClassInfo *pci; - if (SUCCEEDED(IDispatch_QueryInterface(V_DISPATCH(&obj->v), &IID_IProvideClassInfo2, (void**)&pci2))) { - gotguid = SUCCEEDED(IProvideClassInfo2_GetGUID(pci2, GUIDKIND_DEFAULT_SOURCE_DISP_IID, &iid)); - IProvideClassInfo2_Release(pci2); - } - if (!gotguid && SUCCEEDED(IDispatch_QueryInterface(V_DISPATCH(&obj->v), &IID_IProvideClassInfo, (void**)&pci))) { - /* examine the available interfaces */ - /* TODO: write some code here */ - php_error_docref(NULL, E_WARNING, "IProvideClassInfo: this code not yet written!"); - IProvideClassInfo_Release(pci); + if (SUCCEEDED(IDispatch_QueryInterface(V_DISPATCH(&obj->v), &IID_IProvideClassInfo2, (void**)&pci2))) { + gotguid = SUCCEEDED(IProvideClassInfo2_GetGUID(pci2, GUIDKIND_DEFAULT_SOURCE_DISP_IID, &iid)); + IProvideClassInfo2_Release(pci2); + } + if (!gotguid && SUCCEEDED(IDispatch_QueryInterface(V_DISPATCH(&obj->v), &IID_IProvideClassInfo, (void**)&pci))) { + /* examine the available interfaces */ + /* TODO: write some code here */ + php_error_docref(NULL, E_WARNING, "IProvideClassInfo: this code not yet written!"); + IProvideClassInfo_Release(pci); + } } } else if (dispname == NULL) { if (obj->typeinfo) { 
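Review bot: The added `V_VT(&obj->v) == VT_DISPATCH` guard checks the variant's type tag but not the pointer it carries, so a `VT_DISPATCH` variant whose `pdispVal` is NULL would still reach `IDispatch_QueryInterface(V_DISPATCH(&obj->v), ...)` and call through a null interface pointer. Whether `obj->v` can hold such a value is not visible here, but COM allows it, so I would tighten the condition to `if (V_VT(&obj->v) == VT_DISPATCH && V_DISPATCH(&obj->v) != NULL) {`. The identical guard in the hunk at `@@ -295,15 +297,17 @@` (before `IDispatch_GetTypeInfo`) has the same gap. When the guard fails, the sink branch now falls through silently with `gotguid` unset, which deserves a short comment such as `/* non-IDispatch variant (bug #62474): no class info to query, fall through */`. The body of php_com_locate_typeinfo starts and ends outside this hunk.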
@@ -295,15 +297,17 @@ ITypeInfo *php_com_locate_typeinfo(char *typelibname, php_com_dotnet_object *obj /* get the library from the object; the rest will be dealt with later */ ITypeInfo_GetContainingTypeLib(obj->typeinfo, &typelib, &idx); } else if (typelibname == NULL) { - IDispatch_GetTypeInfo(V_DISPATCH(&obj->v), 0, LANG_NEUTRAL, &typeinfo); - if (dispname) { - unsigned int idx; - /* get the library from the object; the rest will be dealt with later */ - ITypeInfo_GetContainingTypeLib(typeinfo, &typelib, &idx); - - if (typelib) { - ITypeInfo_Release(typeinfo); - typeinfo = NULL; + if (V_VT(&obj->v) == VT_DISPATCH) { + IDispatch_GetTypeInfo(V_DISPATCH(&obj->v), 0, LANG_NEUTRAL, &typeinfo); + if (dispname) { + unsigned int idx; + /* get the library from the object; the rest will be dealt with later */ + ITypeInfo_GetContainingTypeLib(typeinfo, &typelib, &idx); + + if (typelib) { + ITypeInfo_Release(typeinfo); + typeinfo = NULL; + } } } } diff --git a/ext/com_dotnet/tests/bug62474.phpt b/ext/com_dotnet/tests/bug62474.phpt new file mode 100644 index 0000000000..cc8e252224 --- /dev/null +++ b/ext/com_dotnet/tests/bug62474.phpt @@ -0,0 +1,14 @@ +--TEST-- +Bug #62474 (com_event_sink crashes on certain arguments) +--SKIPIF-- + +--FILE-- + +--EXPECT-- +bool(false) +bool(false) -- cgit v1.2.1
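Review bot: The HRESULT of `IDispatch_GetTypeInfo(...)` is still discarded inside the new guard, and when `dispname` is set the next statement passes `typeinfo` straight to `ITypeInfo_GetContainingTypeLib`. If the call fails, `typeinfo` may be NULL or unchanged (its initialisation is outside the hunk), so the macro would dispatch through an invalid interface pointer; this is the same class of crash the commit is fixing. I would gate the inner block on the result: `if (SUCCEEDED(IDispatch_GetTypeInfo(V_DISPATCH(&obj->v), 0, LANG_NEUTRAL, &typeinfo)) && typeinfo && dispname) {`. The enclosing function continues outside the hunk, so later uses of `typeinfo` should be checked the same way.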