From 9bae8933a3f4fee78cdd6c9b2f592ab8d62e9cf1 Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Fri, 29 Nov 2024 15:06:32 +0100 Subject: [PATCH] Fix GH-16991: Getting typeinfo of non DISPATCH variant segfaults We must not assume that any `VARIANT` implements `IDispatch`. Closes GH-16992. --- NEWS | 4 ++++ ext/com_dotnet/com_typeinfo.c | 2 +- ext/com_dotnet/tests/gh16991.phpt | 10 ++++++++++ 3 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 ext/com_dotnet/tests/gh16991.phpt diff --git a/NEWS b/NEWS index dadbb0241da..eca09704cfc 100644 --- a/NEWS +++ b/NEWS @@ -6,6 +6,10 @@ PHP NEWS . Fixed jdtogregorian overflow. (David Carlier) . Fixed cal_to_jd julian_days argument overflow. (David Carlier) +- COM: + . Fixed bug GH-16991 (Getting typeinfo of non DISPATCH variant segfaults). + (cmb) + - Core: . Fail early in *nix configuration build script. (hakre) . Fixed bug GH-16727 (Opcache bad signal 139 crash in ZTS bookworm diff --git a/ext/com_dotnet/com_typeinfo.c b/ext/com_dotnet/com_typeinfo.c index ccdcc3ff7e8..e120dc54469 100644 --- a/ext/com_dotnet/com_typeinfo.c +++ b/ext/com_dotnet/com_typeinfo.c @@ -331,7 +331,7 @@ ITypeInfo *php_com_locate_typeinfo(zend_string *type_lib_name, php_com_dotnet_ob if (obj->typeinfo) { ITypeInfo_AddRef(obj->typeinfo); return obj->typeinfo; - } else { + } else if (V_VT(&obj->v) == VT_DISPATCH) { IDispatch_GetTypeInfo(V_DISPATCH(&obj->v), 0, LANG_NEUTRAL, &typeinfo); if (typeinfo) { return typeinfo; diff --git a/ext/com_dotnet/tests/gh16991.phpt b/ext/com_dotnet/tests/gh16991.phpt new file mode 100644 index 00000000000..3623f1f3c4a --- /dev/null +++ b/ext/com_dotnet/tests/gh16991.phpt @@ -0,0 +1,10 @@ +--TEST-- +GH-16991 (Getting typeinfo of non DISPATCH variant segfaults) +--EXTENSIONS-- +com_dotnet +--FILE-- + +--EXPECTF-- +Warning: com_print_typeinfo(): Unable to find typeinfo using the parameters supplied in %s on line %d