Fix #62474: com_event_sink crashes on certain arguments

We have to make sure that the variant is of type `VT_DISPATCH` before
we access it as such.

Closes GH-6372.

diff --git a/NEWS b/NEWS
index 1b5f8ee8dd8e0f455526185660cef68b67cb77af..8a1ea004e049c9936e0acdaa7c316fc8a1983735 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,9 @@ PHP                                                                        NEWS
   . Fixed bug #80258 (Windows Deduplication Enabled, randon permission errors).
     (cmb)
 
+- COM:
+  . Fixed bug #62474 (com_event_sink crashes on certain arguments). (cmb)
+
 - IMAP:
   . Fixed bug #64076 (imap_sort() does not return FALSE on failure). (cmb)
   . Fixed bug #76618 (segfault on imap_reopen). (girgias)

diff --git a/ext/com_dotnet/com_typeinfo.c b/ext/com_dotnet/com_typeinfo.c
index 794922d9380d7bab990ef025552a7f78b3c80215..5d9408564a145804c171586d5dddf1adcbe4e2d6 100644 (file)
--- a/ext/com_dotnet/com_typeinfo.c
+++ b/ext/com_dotnet/com_typeinfo.c
@@ -267,18 +267,20 @@ ITypeInfo *php_com_locate_typeinfo(char *typelibname, php_com_dotnet_object *obj
 
        if (obj) {
                if (dispname == NULL && sink) {
-                       IProvideClassInfo2 *pci2;
-                       IProvideClassInfo *pci;
+                       if (V_VT(&obj->v) == VT_DISPATCH) {
+                               IProvideClassInfo2 *pci2;
+                               IProvideClassInfo *pci;
 
-                       if (SUCCEEDED(IDispatch_QueryInterface(V_DISPATCH(&obj->v), &IID_IProvideClassInfo2, (void**)&pci2))) {
-                               gotguid = SUCCEEDED(IProvideClassInfo2_GetGUID(pci2, GUIDKIND_DEFAULT_SOURCE_DISP_IID, &iid));
-                               IProvideClassInfo2_Release(pci2);
-                       }
-                       if (!gotguid && SUCCEEDED(IDispatch_QueryInterface(V_DISPATCH(&obj->v), &IID_IProvideClassInfo, (void**)&pci))) {
-                               /* examine the available interfaces */
-                               /* TODO: write some code here */
-                               php_error_docref(NULL, E_WARNING, "IProvideClassInfo: this code not yet written!");
-                               IProvideClassInfo_Release(pci);
+                               if (SUCCEEDED(IDispatch_QueryInterface(V_DISPATCH(&obj->v), &IID_IProvideClassInfo2, (void**)&pci2))) {
+                                       gotguid = SUCCEEDED(IProvideClassInfo2_GetGUID(pci2, GUIDKIND_DEFAULT_SOURCE_DISP_IID, &iid));
+                                       IProvideClassInfo2_Release(pci2);
+                               }
+                               if (!gotguid && SUCCEEDED(IDispatch_QueryInterface(V_DISPATCH(&obj->v), &IID_IProvideClassInfo, (void**)&pci))) {
+                                       /* examine the available interfaces */
+                                       /* TODO: write some code here */
+                                       php_error_docref(NULL, E_WARNING, "IProvideClassInfo: this code not yet written!");
+                                       IProvideClassInfo_Release(pci);
+                               }
                        }
                } else if (dispname == NULL) {
                        if (obj->typeinfo) {
@@ -295,15 +297,17 @@ ITypeInfo *php_com_locate_typeinfo(char *typelibname, php_com_dotnet_object *obj
                        /* get the library from the object; the rest will be dealt with later */
                        ITypeInfo_GetContainingTypeLib(obj->typeinfo, &typelib, &idx);
                } else if (typelibname == NULL) {
-                       IDispatch_GetTypeInfo(V_DISPATCH(&obj->v), 0, LANG_NEUTRAL, &typeinfo);
-                       if (dispname) {
-                               unsigned int idx;
-                               /* get the library from the object; the rest will be dealt with later */
-                               ITypeInfo_GetContainingTypeLib(typeinfo, &typelib, &idx);
-
-                               if (typelib) {
-                                       ITypeInfo_Release(typeinfo);
-                                       typeinfo = NULL;
+                       if (V_VT(&obj->v) == VT_DISPATCH) {
+                               IDispatch_GetTypeInfo(V_DISPATCH(&obj->v), 0, LANG_NEUTRAL, &typeinfo);
+                               if (dispname) {
+                                       unsigned int idx;
+                                       /* get the library from the object; the rest will be dealt with later */
+                                       ITypeInfo_GetContainingTypeLib(typeinfo, &typelib, &idx);
+
+                                       if (typelib) {
+                                               ITypeInfo_Release(typeinfo);
+                                               typeinfo = NULL;
+                                       }
                                }
                        }
                }

diff --git a/ext/com_dotnet/tests/bug62474.phpt b/ext/com_dotnet/tests/bug62474.phpt
new file mode 100644 (file)
index 0000000..cc8e252
--- /dev/null
+++ b/ext/com_dotnet/tests/bug62474.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #62474 (com_event_sink crashes on certain arguments)
+--SKIPIF--
+<?php
+if (!extension_loaded('com_dotnet')) die('skip com_dotnet extension not available');
+?>
+--FILE--
+<?php
+var_dump(com_event_sink(new variant, function() {}, array()));
+var_dump(com_event_sink(new variant, new variant, 'a'));
+?>
+--EXPECT--
+bool(false)
+bool(false)