From f649adedfe3f0797cd0d6248e1b01c65b326f443 Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Sat, 8 Feb 2020 16:56:30 +0100 Subject: [PATCH] Fix #79248: Traversing empty VT_ARRAY throws com_exception If the `VT_ARRAY` is empty, i.e. its upperbound is less than its lower bound, we must not call `php_com_safearray_get_elem()`, because that function throws in this case. --- NEWS | 1 + ext/com_dotnet/com_iterator.c | 2 +- ext/com_dotnet/tests/bug79248.phpt | 16 ++++++++++++++++ 3 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 ext/com_dotnet/tests/bug79248.phpt diff --git a/NEWS b/NEWS index 86a6be63b4c..398f685bf35 100644 --- a/NEWS +++ b/NEWS @@ -7,6 +7,7 @@ PHP NEWS (cmb) . Fixed bug #79242 (COM error constants don't match com_exception codes on x86). (cmb) + . Fixed bug #79248 (Traversing empty VT_ARRAY throws com_exception). (cmb) - PCRE: . Fixed bug #79188 (Memory corruption in preg_replace/preg_replace_callback diff --git a/ext/com_dotnet/com_iterator.c b/ext/com_dotnet/com_iterator.c index e0d217b3954..5b731777e0f 100644 --- a/ext/com_dotnet/com_iterator.c +++ b/ext/com_dotnet/com_iterator.c @@ -187,7 +187,7 @@ zend_object_iterator *php_com_iter_get(zend_class_entry *ce, zval *object, int b SafeArrayGetUBound(V_ARRAY(&I->safe_array), 1, &I->sa_max); /* pre-fetch the element */ - if (php_com_safearray_get_elem(&I->safe_array, &I->v, bound)) { + if (I->sa_max >= bound && php_com_safearray_get_elem(&I->safe_array, &I->v, bound)) { I->key = bound; ZVAL_NULL(&ptr); php_com_zval_from_variant(&ptr, &I->v, I->code_page); diff --git a/ext/com_dotnet/tests/bug79248.phpt b/ext/com_dotnet/tests/bug79248.phpt new file mode 100644 index 00000000000..fda67551a79 --- /dev/null +++ b/ext/com_dotnet/tests/bug79248.phpt @@ -0,0 +1,16 @@ +--TEST-- +Bug #79248 (Traversing empty VT_ARRAY throws com_exception) +--SKIPIF-- + +--FILE-- + +--EXPECT-- +done