MFB: fix heap corruption when adding/caching typelib (also fixes bug 39606)

add test

diff --git a/ext/com_dotnet/com_typeinfo.c b/ext/com_dotnet/com_typeinfo.c
index 004b6de73b38aa9221dac3443d441fecae37b5cd..c4941e03e8d15c92e84d05925dcce6d5df670982 100644 (file)
--- a/ext/com_dotnet/com_typeinfo.c
+++ b/ext/com_dotnet/com_typeinfo.c
@@ -220,8 +220,8 @@ PHPAPI int php_com_import_typelib(ITypeLib *TL, int mode, int codepage TSRMLS_DC
 /* Type-library stuff */
 void php_com_typelibrary_dtor(void *pDest)
 {
-       ITypeLib *Lib = (ITypeLib*)pDest;
-       ITypeLib_Release(Lib);
+       ITypeLib **Lib = (ITypeLib**)pDest;
+       ITypeLib_Release(*Lib);
 }
 
 PHPAPI ITypeLib *php_com_load_typelib_via_cache(char *search_string,
@@ -249,7 +249,7 @@ PHPAPI ITypeLib *php_com_load_typelib_via_cache(char *search_string,
 
        if (TL) {
                if (SUCCESS == zend_ts_hash_update(&php_com_typelibraries,
-                               search_string, l+1, (void*)TL, sizeof(ITypeLib*), NULL)) {
+                               search_string, l+1, (void*)&TL, sizeof(ITypeLib*), NULL)) {
                        /* add a reference for the hash table */
                        ITypeLib_AddRef(TL);
                }

diff --git a/ext/com_dotnet/tests/bug39606.phpt b/ext/com_dotnet/tests/bug39606.phpt
new file mode 100644 (file)
index 0000000..4487c1d
--- /dev/null
+++ b/ext/com_dotnet/tests/bug39606.phpt
@@ -0,0 +1,22 @@
+--TEST--
+COM: Loading typelib corrupts memory
+--SKIPIF--
+<?php # vim:ft=php
+if (!extension_loaded("com_dotnet")) print "skip COM/.Net support not present"; ?>
+--FILE--
+<?php // $Id$
+error_reporting(E_ALL);
+
+$arEnv = array_change_key_case($_SERVER, CASE_UPPER);
+
+$root = dirname($arEnv['COMSPEC']);
+$typelib = $root.'\activeds.tlb';
+
+var_dump(com_load_typelib($typelib));
+var_dump(com_load_typelib($typelib));
+?>
+===DONE===
+--EXPECT--
+bool(true)
+bool(true)
+===DONE===
\ No newline at end of file