From 45a7723267741be4867306d18b15a4a27d67b0f7 Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Sat, 19 Oct 2019 11:41:28 +0200 Subject: [PATCH] Fix #78694: Appending to a variant array causes segfault `write_dimension` object handlers have to be able to handle `NULL` `offset`s; for now we simply throw an exception instead of following the `NULL` pointer. --- NEWS | 3 +++ ext/com_dotnet/com_handlers.c | 5 +++++ ext/com_dotnet/tests/bug78694.phpt | 19 +++++++++++++++++++ 3 files changed, 27 insertions(+) create mode 100644 ext/com_dotnet/tests/bug78694.phpt diff --git a/NEWS b/NEWS index 2028649849..d63dd99d6e 100644 --- a/NEWS +++ b/NEWS @@ -6,6 +6,9 @@ PHP NEWS . Fixed bug #78656 (Parse errors classified as highest log-level). (Erik Lundin) +- COM: + . Fixed bug #78694 (Appending to a variant array causes segfault). (cmb) + - Date: . Fixed bug #70153 (\DateInterval incorrectly unserialized). (Maksim Iakunin) diff --git a/ext/com_dotnet/com_handlers.c b/ext/com_dotnet/com_handlers.c index 1fc6c04c9a..e7b0aa4bf4 100644 --- a/ext/com_dotnet/com_handlers.c +++ b/ext/com_dotnet/com_handlers.c @@ -127,6 +127,11 @@ static void com_write_dimension(zval *object, zval *offset, zval *value) obj = CDNO_FETCH(object); + if (offset == NULL) { + php_com_throw_exception(DISP_E_BADINDEX, "appending to variants is not supported"); + return; + } + if (V_VT(&obj->v) == VT_DISPATCH) { ZVAL_COPY_VALUE(&args[0], offset); ZVAL_COPY_VALUE(&args[1], value); diff --git a/ext/com_dotnet/tests/bug78694.phpt b/ext/com_dotnet/tests/bug78694.phpt new file mode 100644 index 0000000000..adf0c828ca --- /dev/null +++ b/ext/com_dotnet/tests/bug78694.phpt @@ -0,0 +1,19 @@ +--TEST-- +Bug #78694 (Appending to a variant array causes segfault) +--SKIPIF-- + +--FILE-- +getMessage()); + } +} +?> +--EXPECT-- +string(38) "appending to variants is not supported" +string(38) "appending to variants is not supported" -- 2.50.0
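Review bot: The new `offset == NULL` guard in `com_write_dimension` covers only this one handler, while the commit message states the requirement for `write_dimension` handlers in general. Any other handler in the extension that copies `offset` unconditionally would keep the same script-reachable NULL dereference; none is visible in this patch, so each is worth confirming. Within the hunk the guard correctly precedes `ZVAL_COPY_VALUE(&args[0], offset)`, but nothing records when `offset` is NULL; a comment such as `/* offset is NULL for the append form $variant[] = value */` above the check would help the next reader. The function body starts and continues outside the hunk, so the assumption that the early return also protects the non-dispatch branch cannot be checked from here.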