1 /*
2    +----------------------------------------------------------------------+
3    | Copyright (c) The PHP Group                                          |
4    +----------------------------------------------------------------------+
5    | This source file is subject to version 3.01 of the PHP license,      |
6    | that is bundled with this package in the file LICENSE, and is        |
7    | available through the world-wide-web at the following url:           |
8    | https://www.php.net/license/3_01.txt                                 |
9    | If you did not receive a copy of the PHP license and are unable to   |
10    | obtain it through the world-wide-web, please send a note to          |
11    | license@php.net so we can mail you a copy immediately.               |
12    +----------------------------------------------------------------------+
13    | Author: Wez Furlong  <wez@thebrainroom.com>                          |
14    +----------------------------------------------------------------------+
15  */
16 
17 #ifdef HAVE_CONFIG_H
18 #include "config.h"
19 #endif
20 
21 #include "php.h"
22 #include "php_ini.h"
23 #include "ext/standard/info.h"
24 #include "php_com_dotnet.h"
25 #include "php_com_dotnet_internal.h"
26 #include "Zend/zend_exceptions.h"
27 
com_property_read(zend_object * object,zend_string * member,int type,void ** cache_slot,zval * rv)28 static zval *com_property_read(zend_object *object, zend_string *member, int type, void **cache_slot, zval *rv)
29 {
30 	php_com_dotnet_object *obj;
31 	VARIANT v;
32 	HRESULT res;
33 
34 	ZVAL_NULL(rv);
35 
36 	obj = (php_com_dotnet_object*) object;
37 
38 	if (V_VT(&obj->v) == VT_DISPATCH) {
39 		VariantInit(&v);
40 
41 		res = php_com_do_invoke(obj, ZSTR_VAL(member), ZSTR_LEN(member),
42 				DISPATCH_METHOD|DISPATCH_PROPERTYGET, &v, 0, NULL, 1);
43 
44 		if (res == SUCCESS) {
45 			php_com_zval_from_variant(rv, &v, obj->code_page);
46 			VariantClear(&v);
47 		} else if (res == DISP_E_BADPARAMCOUNT) {
48 			zval zv;
49 
50 			ZVAL_STR(&zv, member);
51 			php_com_saproxy_create(object, rv, &zv);
52 		}
53 	} else {
54 		php_com_throw_exception(E_INVALIDARG, "this variant has no properties");
55 	}
56 
57 	return rv;
58 }
59 
com_property_write(zend_object * object,zend_string * member,zval * value,void ** cache_slot)60 static zval *com_property_write(zend_object *object, zend_string *member, zval *value, void **cache_slot)
61 {
62 	php_com_dotnet_object *obj;
63 	VARIANT v;
64 
65 	obj = (php_com_dotnet_object*) object;
66 
67 	if (V_VT(&obj->v) == VT_DISPATCH) {
68 		VariantInit(&v);
69 
70 		if (SUCCESS == php_com_do_invoke(obj, ZSTR_VAL(member), ZSTR_LEN(member),
71 				DISPATCH_PROPERTYPUT|DISPATCH_PROPERTYPUTREF, &v, 1, value, 0)) {
72 			VariantClear(&v);
73 		}
74 	} else {
75 		php_com_throw_exception(E_INVALIDARG, "this variant has no properties");
76 	}
77 	return value;
78 }
79 
com_read_dimension(zend_object * object,zval * offset,int type,zval * rv)80 static zval *com_read_dimension(zend_object *object, zval *offset, int type, zval *rv)
81 {
82 	php_com_dotnet_object *obj;
83 	VARIANT v;
84 
85 	ZVAL_NULL(rv);
86 
87 	obj = (php_com_dotnet_object*) object;
88 
89 	if (V_VT(&obj->v) == VT_DISPATCH) {
90 		VariantInit(&v);
91 
92 		if (SUCCESS == php_com_do_invoke_by_id(obj, DISPID_VALUE,
93 				DISPATCH_METHOD|DISPATCH_PROPERTYGET, &v, 1, offset, 0, 0)) {
94 			php_com_zval_from_variant(rv, &v, obj->code_page);
95 			VariantClear(&v);
96 		}
97 	} else if (V_ISARRAY(&obj->v)) {
98 		convert_to_long(offset);
99 
100 		if (SafeArrayGetDim(V_ARRAY(&obj->v)) == 1) {
101 			if (php_com_safearray_get_elem(&obj->v, &v, (LONG)Z_LVAL_P(offset))) {
102 				php_com_wrap_variant(rv, &v, obj->code_page);
103 				VariantClear(&v);
104 			}
105 		} else {
106 			php_com_saproxy_create(object, rv, offset);
107 		}
108 
109 	} else {
110 		php_com_throw_exception(E_INVALIDARG, "this variant is not an array type");
111 	}
112 
113 	return rv;
114 }
115 
com_write_dimension(zend_object * object,zval * offset,zval * value)116 static void com_write_dimension(zend_object *object, zval *offset, zval *value)
117 {
118 	php_com_dotnet_object *obj;
119 	zval args[2];
120 	VARIANT v;
121 	HRESULT res;
122 
123 	obj = (php_com_dotnet_object*) object;
124 
125 	if (offset == NULL) {
126 		php_com_throw_exception(DISP_E_BADINDEX, "appending to variants is not supported");
127 		return;
128 	}
129 
130 	if (V_VT(&obj->v) == VT_DISPATCH) {
131 		ZVAL_COPY_VALUE(&args[0], offset);
132 		ZVAL_COPY_VALUE(&args[1], value);
133 
134 		VariantInit(&v);
135 
136 		if (SUCCESS == php_com_do_invoke_by_id(obj, DISPID_VALUE,
137 				DISPATCH_METHOD|DISPATCH_PROPERTYPUT, &v, 2, args, 0, 0)) {
138 			VariantClear(&v);
139 		}
140 	} else if (V_ISARRAY(&obj->v)) {
141 		LONG indices = 0;
142 		VARTYPE vt;
143 
144 		if (SafeArrayGetDim(V_ARRAY(&obj->v)) == 1) {
145 			if (FAILED(SafeArrayGetVartype(V_ARRAY(&obj->v), &vt)) || vt == VT_EMPTY) {
146 				vt = V_VT(&obj->v) & ~VT_ARRAY;
147 			}
148 
149 			convert_to_long(offset);
150 			indices = (LONG)Z_LVAL_P(offset);
151 
152 			VariantInit(&v);
153 			php_com_variant_from_zval(&v, value, obj->code_page);
154 
155 			if (V_VT(&v) != vt) {
156 				VariantChangeType(&v, &v, 0, vt);
157 			}
158 
159 			if (vt == VT_VARIANT) {
160 				res = SafeArrayPutElement(V_ARRAY(&obj->v), &indices, &v);
161 			} else {
162 				res = SafeArrayPutElement(V_ARRAY(&obj->v), &indices, &v.lVal);
163 			}
164 
165 			VariantClear(&v);
166 
167 			if (FAILED(res)) {
168 				php_com_throw_exception(res, NULL);
169 			}
170 
171 		} else {
172 			php_com_throw_exception(DISP_E_BADINDEX, "this variant has multiple dimensions; you can't set a new value without specifying *all* dimensions");
173 		}
174 
175 	} else {
176 		php_com_throw_exception(E_INVALIDARG, "this variant is not an array type");
177 	}
178 }
179 
com_get_property_ptr_ptr(zend_object * object,zend_string * member,int type,void ** cache_slot)180 static zval *com_get_property_ptr_ptr(zend_object *object, zend_string *member, int type, void **cache_slot)
181 {
182 	return NULL;
183 }
184 
com_property_exists(zend_object * object,zend_string * member,int check_empty,void ** cache_slot)185 static int com_property_exists(zend_object *object, zend_string *member, int check_empty, void **cache_slot)
186 {
187 	DISPID dispid;
188 	php_com_dotnet_object *obj;
189 
190 	obj = (php_com_dotnet_object*) object;
191 
192 	if (V_VT(&obj->v) == VT_DISPATCH) {
193 		if (SUCCEEDED(php_com_get_id_of_name(obj, ZSTR_VAL(member), ZSTR_LEN(member), &dispid))) {
194 			/* TODO: distinguish between property and method! */
195 			return 1;
196 		}
197 	} else {
198 		/* TODO: check for safearray */
199 	}
200 
201 	return 0;
202 }
203 
com_dimension_exists(zend_object * object,zval * member,int check_empty)204 static int com_dimension_exists(zend_object *object, zval *member, int check_empty)
205 {
206 	/* TODO Add support */
207 	zend_throw_error(NULL, "Cannot check dimension on a COM object");
208 	return 0;
209 }
210 
com_property_delete(zend_object * object,zend_string * member,void ** cache_slot)211 static void com_property_delete(zend_object *object, zend_string *member, void **cache_slot)
212 {
213 	zend_throw_error(NULL, "Cannot delete properties from a COM object");
214 }
215 
com_dimension_delete(zend_object * object,zval * offset)216 static void com_dimension_delete(zend_object *object, zval *offset)
217 {
218 	zend_throw_error(NULL, "Cannot delete dimension from a COM object");
219 }
220 
com_properties_get(zend_object * object)221 static HashTable *com_properties_get(zend_object *object)
222 {
223 	/* TODO: use type-info to get all the names and values ?
224 	 * DANGER: if we do that, there is a strong possibility for
225 	 * infinite recursion when the hash is displayed via var_dump().
226 	 * Perhaps it is best to leave it un-implemented.
227 	 */
228 	return (HashTable *) &zend_empty_array;
229 }
230 
com_get_gc(zend_object * object,zval ** table,int * n)231 static HashTable *com_get_gc(zend_object *object, zval **table, int *n)
232 {
233 	*table = NULL;
234 	*n = 0;
235 	return NULL;
236 }
237 
function_dtor(zval * zv)238 static void function_dtor(zval *zv)
239 {
240 	zend_internal_function *f = (zend_internal_function*)Z_PTR_P(zv);
241 
242 	zend_string_release_ex(f->function_name, 0);
243 	if (f->arg_info) {
244 		efree(f->arg_info);
245 	}
246 	efree(f);
247 }
248 
PHP_FUNCTION(com_method_handler)249 static PHP_FUNCTION(com_method_handler)
250 {
251 	zval *object = getThis();
252 	zend_string *method = EX(func)->common.function_name;
253 	zval *args = NULL;
254 	php_com_dotnet_object *obj = CDNO_FETCH(object);
255 	int nargs;
256 	VARIANT v;
257 	int ret = FAILURE;
258 
259 	if (V_VT(&obj->v) != VT_DISPATCH) {
260 		goto exit;
261 	}
262 
263 	nargs = ZEND_NUM_ARGS();
264 
265 	if (nargs) {
266 		args = (zval *)safe_emalloc(sizeof(zval), nargs, 0);
267 		zend_get_parameters_array_ex(nargs, args);
268 	}
269 
270 	VariantInit(&v);
271 
272 	if (SUCCESS == php_com_do_invoke_byref(obj, (zend_internal_function*)EX(func), DISPATCH_METHOD|DISPATCH_PROPERTYGET, &v, nargs, args)) {
273 		php_com_zval_from_variant(return_value, &v, obj->code_page);
274 		ret = SUCCESS;
275 		VariantClear(&v);
276 	}
277 
278 	if (args) {
279 		efree(args);
280 	}
281 
282 exit:
283 	/* Cleanup trampoline */
284 	ZEND_ASSERT(EX(func)->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE);
285 	zend_string_release(EX(func)->common.function_name);
286 	zend_free_trampoline(EX(func));
287 	EX(func) = NULL;
288 }
289 
com_method_get(zend_object ** object_ptr,zend_string * name,const zval * key)290 static zend_function *com_method_get(zend_object **object_ptr, zend_string *name, const zval *key)
291 {
292 	zend_internal_function f, *fptr = NULL;
293 	zend_function *func;
294 	DISPID dummy;
295 	php_com_dotnet_object *obj = (php_com_dotnet_object*)*object_ptr;
296 
297 	if (V_VT(&obj->v) != VT_DISPATCH) {
298 		return NULL;
299 	}
300 
301 	if (FAILED(php_com_get_id_of_name(obj, name->val, name->len, &dummy))) {
302 		return NULL;
303 	}
304 
305 	/* check cache */
306 	if (obj->method_cache == NULL || NULL == (fptr = zend_hash_find_ptr(obj->method_cache, name))) {
307 		memset(&f, 0, sizeof(zend_internal_function));
308 		f.type = ZEND_INTERNAL_FUNCTION;
309 		f.num_args = 0;
310 		f.arg_info = NULL;
311 		f.scope = obj->ce;
312 		f.fn_flags = ZEND_ACC_CALL_VIA_HANDLER;
313 		f.function_name = zend_string_copy(name);
314 		f.handler = PHP_FN(com_method_handler);
315 
316 		fptr = &f;
317 
318 		if (obj->typeinfo) {
319 			/* look for byref params */
320 			ITypeComp *comp;
321 			ITypeInfo *TI = NULL;
322 			DESCKIND kind;
323 			BINDPTR bindptr;
324 			OLECHAR *olename;
325 			ULONG lhash;
326 			int i;
327 
328 			if (SUCCEEDED(ITypeInfo_GetTypeComp(obj->typeinfo, &comp))) {
329 				olename = php_com_string_to_olestring(name->val, name->len, obj->code_page);
330 				lhash = LHashValOfNameSys(SYS_WIN32, LOCALE_SYSTEM_DEFAULT, olename);
331 
332 				if (SUCCEEDED(ITypeComp_Bind(comp, olename, lhash, INVOKE_FUNC, &TI, &kind, &bindptr))) {
333 					switch (kind) {
334 						case DESCKIND_FUNCDESC:
335 							f.arg_info = ecalloc(bindptr.lpfuncdesc->cParams, sizeof(zend_arg_info));
336 
337 							for (i = 0; i < bindptr.lpfuncdesc->cParams; i++) {
338 								bool by_ref = (bindptr.lpfuncdesc->lprgelemdescParam[i].paramdesc.wParamFlags & PARAMFLAG_FOUT) != 0;
339 								f.arg_info[i].type = (zend_type) ZEND_TYPE_INIT_NONE(_ZEND_ARG_INFO_FLAGS(by_ref, 0, 0));
340 							}
341 
342 							f.num_args = bindptr.lpfuncdesc->cParams;
343 
344 							ITypeInfo_ReleaseFuncDesc(TI, bindptr.lpfuncdesc);
345 							break;
346 
347 							/* these should not happen, but *might* happen if the user
348 							 * screws up; lets avoid a leak in that case */
349 						case DESCKIND_VARDESC:
350 							ITypeInfo_ReleaseVarDesc(TI, bindptr.lpvardesc);
351 							break;
352 						case DESCKIND_TYPECOMP:
353 							ITypeComp_Release(bindptr.lptcomp);
354 							break;
355 
356 						case DESCKIND_NONE:
357 							break;
358 					}
359 					if (TI) {
360 						ITypeInfo_Release(TI);
361 					}
362 				}
363 				ITypeComp_Release(comp);
364 				efree(olename);
365 			}
366 		}
367 
368 		zend_set_function_arg_flags((zend_function*)&f);
369 		/* save this method in the cache */
370 		if (!obj->method_cache) {
371 			ALLOC_HASHTABLE(obj->method_cache);
372 			zend_hash_init(obj->method_cache, 2, NULL, function_dtor, 0);
373 		}
374 
375 		zend_hash_update_mem(obj->method_cache, name, &f, sizeof(f));
376 	}
377 
378 	if (fptr) {
379 		/* duplicate this into a new chunk of emalloc'd memory,
380 		 * since the engine will efree it */
381 		zend_string_addref(fptr->function_name);
382 		func = emalloc(sizeof(*fptr));
383 		memcpy(func, fptr, sizeof(*fptr));
384 
385 		return func;
386 	}
387 
388 	return NULL;
389 }
390 
com_class_name_get(const zend_object * object)391 static zend_string* com_class_name_get(const zend_object *object)
392 {
393 	php_com_dotnet_object *obj = (php_com_dotnet_object *)object;
394 
395 	return zend_string_copy(obj->ce->name);
396 }
397 
398 /* This compares two variants for equality */
com_objects_compare(zval * object1,zval * object2)399 static int com_objects_compare(zval *object1, zval *object2)
400 {
401 	php_com_dotnet_object *obja, *objb;
402 	int ret;
403 	/* strange header bug problem here... the headers define the proto without the
404 	 * flags parameter.  However, the MSDN docs state that there is a flags parameter,
405 	 * and my VC6 won't link unless the code uses the version with 4 parameters.
406 	 * So, we have this declaration here to fix it */
407 	STDAPI VarCmp(LPVARIANT pvarLeft, LPVARIANT pvarRight, LCID lcid, DWORD flags);
408 
409 	ZEND_COMPARE_OBJECTS_FALLBACK(object1, object2);
410 
411 	obja = CDNO_FETCH(object1);
412 	objb = CDNO_FETCH(object2);
413 
414 	switch (VarCmp(&obja->v, &objb->v, LOCALE_SYSTEM_DEFAULT, 0)) {
415 		case VARCMP_LT:
416 			ret = -1;
417 			break;
418 		case VARCMP_GT:
419 			ret = 1;
420 			break;
421 		case VARCMP_EQ:
422 			ret = 0;
423 			break;
424 		default:
425 			/* either or both operands are NULL...
426 			 * not 100% sure how to handle this */
427 			ret = -2;
428 	}
429 
430 	return ret;
431 }
432 
com_object_cast(zend_object * readobj,zval * writeobj,int type)433 static int com_object_cast(zend_object *readobj, zval *writeobj, int type)
434 {
435 	php_com_dotnet_object *obj;
436 	VARIANT v;
437 	VARTYPE vt = VT_EMPTY;
438 	HRESULT res = S_OK;
439 
440 	obj = (php_com_dotnet_object*) readobj;
441 	ZVAL_NULL(writeobj);
442 	VariantInit(&v);
443 
444 	if (V_VT(&obj->v) == VT_DISPATCH) {
445 		if (SUCCESS != php_com_do_invoke_by_id(obj, DISPID_VALUE,
446 				DISPATCH_METHOD|DISPATCH_PROPERTYGET, &v, 0, NULL, 1, 0)) {
447 			VariantCopy(&v, &obj->v);
448 		}
449 	} else {
450 		VariantCopy(&v, &obj->v);
451 	}
452 
453 	switch(type) {
454 		case IS_LONG:
455 		case _IS_NUMBER:
456 			vt = VT_INT;
457 			break;
458 		case IS_DOUBLE:
459 			vt = VT_R8;
460 			break;
461 		case IS_FALSE:
462 		case IS_TRUE:
463 		case _IS_BOOL:
464 			vt = VT_BOOL;
465 			break;
466 		case IS_STRING:
467 			vt = VT_BSTR;
468 			break;
469 		default:
470 			;
471 	}
472 
473 	if (vt != VT_EMPTY && vt != V_VT(&v)) {
474 		res = VariantChangeType(&v, &v, 0, vt);
475 	}
476 
477 	if (SUCCEEDED(res)) {
478 		php_com_zval_from_variant(writeobj, &v, obj->code_page);
479 	}
480 
481 	VariantClear(&v);
482 
483 	if (SUCCEEDED(res)) {
484 		return SUCCESS;
485 	}
486 
487 	return zend_std_cast_object_tostring(readobj, writeobj, type);
488 }
489 
com_object_count(zend_object * object,zend_long * count)490 static int com_object_count(zend_object *object, zend_long *count)
491 {
492 	php_com_dotnet_object *obj;
493 	LONG ubound = 0, lbound = 0;
494 
495 	obj = (php_com_dotnet_object*) object;
496 
497 	if (!V_ISARRAY(&obj->v)) {
498 		return FAILURE;
499 	}
500 
501 	SafeArrayGetLBound(V_ARRAY(&obj->v), 1, &lbound);
502 	SafeArrayGetUBound(V_ARRAY(&obj->v), 1, &ubound);
503 
504 	*count = ubound - lbound + 1;
505 
506 	return SUCCESS;
507 }
508 
509 zend_object_handlers php_com_object_handlers = {
510 	0,
511 	php_com_object_free_storage,
512 	zend_objects_destroy_object,
513 	php_com_object_clone,
514 	com_property_read,
515 	com_property_write,
516 	com_read_dimension,
517 	com_write_dimension,
518 	com_get_property_ptr_ptr,
519 	com_property_exists,
520 	com_property_delete,
521 	com_dimension_exists,
522 	com_dimension_delete,
523 	com_properties_get,
524 	com_method_get,
525 	zend_std_get_constructor,
526 	com_class_name_get,
527 	com_object_cast,
528 	com_object_count,
529 	NULL,									/* get_debug_info */
530 	NULL,									/* get_closure */
531 	com_get_gc,								/* get_gc */
532 	NULL,									/* do_operation */
533 	com_objects_compare,					/* compare */
534 	NULL,									/* get_properties_for */
535 };
536 
php_com_object_enable_event_sink(php_com_dotnet_object * obj,int enable)537 void php_com_object_enable_event_sink(php_com_dotnet_object *obj, int enable)
538 {
539 	if (obj->sink_dispatch) {
540 		IConnectionPointContainer *cont;
541 		IConnectionPoint *point;
542 
543 		if (SUCCEEDED(IDispatch_QueryInterface(V_DISPATCH(&obj->v),
544 				&IID_IConnectionPointContainer, (void**)&cont))) {
545 
546 			if (SUCCEEDED(IConnectionPointContainer_FindConnectionPoint(cont,
547 					&obj->sink_id, &point))) {
548 
549 				if (enable) {
550 					IConnectionPoint_Advise(point, (IUnknown*)obj->sink_dispatch, &obj->sink_cookie);
551 				} else {
552 					IConnectionPoint_Unadvise(point, obj->sink_cookie);
553 				}
554 				IConnectionPoint_Release(point);
555 			}
556 			IConnectionPointContainer_Release(cont);
557 		}
558 	}
559 }
560 
php_com_object_free_storage(zend_object * object)561 void php_com_object_free_storage(zend_object *object)
562 {
563 	php_com_dotnet_object *obj = (php_com_dotnet_object*)object;
564 
565 	if (obj->typeinfo) {
566 		ITypeInfo_Release(obj->typeinfo);
567 		obj->typeinfo = NULL;
568 	}
569 
570 	if (obj->sink_dispatch) {
571 		php_com_object_enable_event_sink(obj, FALSE);
572 		IDispatch_Release(obj->sink_dispatch);
573 		obj->sink_dispatch = NULL;
574 	}
575 
576 	VariantClear(&obj->v);
577 
578 	if (obj->method_cache) {
579 		zend_hash_destroy(obj->method_cache);
580 		FREE_HASHTABLE(obj->method_cache);
581 	}
582 	if (obj->id_of_name_cache) {
583 		zend_hash_destroy(obj->id_of_name_cache);
584 		FREE_HASHTABLE(obj->id_of_name_cache);
585 	}
586 
587 	zend_object_std_dtor(object);
588 }
589 
php_com_object_clone(zend_object * object)590 zend_object* php_com_object_clone(zend_object *object)
591 {
592 	php_com_dotnet_object *cloneobj, *origobject;
593 
594 	origobject = (php_com_dotnet_object*) object;
595 	cloneobj = (php_com_dotnet_object*)emalloc(sizeof(php_com_dotnet_object));
596 
597 	memcpy(cloneobj, origobject, sizeof(*cloneobj));
598 
599 	/* VariantCopy will perform VariantClear; we don't want to clobber
600 	 * the IDispatch that we memcpy'd, so we init a new variant in the
601 	 * clone structure */
602 	VariantInit(&cloneobj->v);
603 	/* We use the Indirection-following version of the API since we
604 	 * want to clone as much as possible */
605 	VariantCopyInd(&cloneobj->v, &origobject->v);
606 
607 	if (cloneobj->typeinfo) {
608 		ITypeInfo_AddRef(cloneobj->typeinfo);
609 	}
610 
611 	return (zend_object*)cloneobj;
612 }
613 
php_com_object_new(zend_class_entry * ce)614 zend_object* php_com_object_new(zend_class_entry *ce)
615 {
616 	php_com_dotnet_object *obj;
617 
618 	php_com_initialize();
619 	obj = emalloc(sizeof(*obj));
620 	memset(obj, 0, sizeof(*obj));
621 
622 	VariantInit(&obj->v);
623 	obj->code_page = CP_ACP;
624 	obj->ce = ce;
625 
626 	zend_object_std_init(&obj->zo, ce);
627 	obj->zo.handlers = &php_com_object_handlers;
628 
629 	obj->typeinfo = NULL;
630 
631 	return (zend_object*)obj;
632 }
633