PHP :: Bug #23122 :: ImageTTFText causes segmentation fault while under Apache

Bug #23122

ImageTTFText causes segmentation fault while under Apache

Submitted:

2003-04-08 19:14 UTC

Modified:

2003-08-20 14:28 UTC

Votes:	8
Avg. Score:	4.9 ± 0.3
Reproduced:	8 of 8 (100.0%)
Same Version:	6 (75.0%)
Same OS:	3 (37.5%)

From:

1413 at blargh dot com

Assigned:

Status:

Closed

Package:

GD related

PHP Version:

4.3.2-RC

OS:

Debian Linux

Private report:

CVE-ID:

None

View Developer Edit

[2003-04-08 19:14 UTC] 1413 at blargh dot com

I have tried this with 4.3.2RC1 and the latest development 
snapshot.   
 
Configure options: 
./configure  --with-apxs --with-zlib --with-bz2 --with-gd 
--enable-gd-native-ttf --with-mysql=/usr --enable-sockets 
--prefix=/usr --with-ttf --enable-ftp --with-jpeg-dir=/usr 
--with-freetype-dir=/usr --enable-debug 
 
The following is the script that triggers the problem: 
 
<? 
 
/* Vertial Label maker */ 
$im = ImageCreate(14,150); 
$cBlack = ImageColorAllocate($im, 0, 0, 0); 
$cWhite = ImageColorAllocate($im, 255, 255, 255); 
$cBlue = ImageColorAllocate($im, 100, 100, 255); 
 
if($lk == 1) 
{ 
  ImageTTFText($im, 10, 90, 11, 150, $cBlue, 
"/var/www/prime/common/arialbd.ttf", $in); 
} else { 
  ImageTTFText($im, 10, 90, 11, 150, $cWhite, 
"/var/www/prime/common/arialbd.ttf", $in); 
} 
 
Header("Content-type: image/png"); 
 
ImagePng($im); 
 
ImageDestroy($im); 
 
?> 
 
This script is called a number of times in a page, with 
(for example): vl.php?lk=0&in=Bonus+30-Mar-2003 
 
Running gdb on apache -X, the crash occurs: 
 
Program received signal SIGSEGV, Segmentation fault. 
0x402b9c13 in fontTest (element=0x31, key=0xbfffd12c) at 
/root/php4-STABLE-200304082130/ext/gd/libgd/gdft.c:349 
349       return (strcmp (a->fontlist, b->fontlist) == 0); 
(gdb) bt 
#0  0x402b9c13 in fontTest (element=0x31, key=0xbfffd12c) 
at /root/php4-STABLE-200304082130/ext/gd/libgd/gdft.c:349 
#1  0x402bbb7e in gdCacheGet (head=0x8129210, 
keydata=0xbfffd12c) at 
/root/php4-STABLE-200304082130/ext/gd/libgd/gdcache.c:104 
#2  0x402bac80 in gdImageStringFTEx (im=0x8118d34, 
brect=0xbfffd2a0, fg=1, fontlist=0x811fd3c 
"/var/www/prime/common/arialbd.ttf", ptsize=10, 
angle=1.5707963267948966, x=11, y=150, string=0x810680c 
"Bonus 30-Mar-2003", 
    strex=0x0) at 
/root/php4-STABLE-200304082130/ext/gd/libgd/gdft.c:825 
#3  0x402baad4 in gdImageStringFT (im=0x8118d34, 
brect=0xbfffd2a0, fg=1, fontlist=0x811fd3c 
"/var/www/prime/common/arialbd.ttf", ptsize=10, 
angle=1.5707963267948966, x=11, y=150, string=0x810680c 
"Bonus 30-Mar-2003") 
    at 
/root/php4-STABLE-200304082130/ext/gd/libgd/gdft.c:767 
#4  0x402a8f7a in php_imagettftext_common (ht=8, 
return_value=0x811fd94, this_ptr=0x0, return_value_used=0, 
mode=0, extended=0) at 
/root/php4-STABLE-200304082130/ext/gd/gd.c:3050 
#5  0x402a8443 in zif_imagettftext (ht=8, 
return_value=0x811fd94, this_ptr=0x0, return_value_used=0) 
at /root/php4-STABLE-200304082130/ext/gd/gd.c:2939 
#6  0x403d2a52 in execute (op_array=0x810cb34) at 
/root/php4-STABLE-200304082130/Zend/zend_execute.c:1606 
#7  0x403bf8e4 in zend_execute_scripts (type=8, retval=0x0, 
file_count=3) at 
/root/php4-STABLE-200304082130/Zend/zend.c:864 
#8  0x4038465e in php_execute_script 
(primary_file=0xbffff9d8) at 
/root/php4-STABLE-200304082130/main/main.c:1653 
#9  0x403d7fd0 in apache_php_module_main (r=0x8101b2c, 
display_source_mode=0) at 
/root/php4-STABLE-200304082130/sapi/apache/sapi_apache.c:55 
#10 0x403d9080 in send_php (r=0x8101b2c, 
display_source_mode=0, filename=0x8103704 
"/var/www/prime/common/vl.php") at 
/root/php4-STABLE-200304082130/sapi/apache/mod_php4.c:617 
#11 0x403d90ff in send_parsed_php (r=0x8101b2c) at 
/root/php4-STABLE-200304082130/sapi/apache/mod_php4.c:632 
#12 0x08053ab4 in ap_invoke_handler () 
#13 0x0806342c in ap_some_auth_required () 
#14 0x08063488 in ap_process_request () 
#15 0x0805cc6b in ap_child_terminate () 
#16 0x0805cdfc in ap_child_terminate () 
#17 0x0805cf19 in ap_child_terminate () 
#18 0x0805d3f5 in ap_child_terminate () 
#19 0x0805dafd in main () 
#20 0x400f314f in __libc_start_main () from /lib/libc.so.6 
(gdb) print a 
$1 = (font_t *) 0x31 
(gdb) print b 
$2 = (fontkey_t *) 0xbfffd12c

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-04-09 21:16 UTC] iliaa@php.net

Can you replicate the problem using CLI sapi?

[2003-04-09 22:00 UTC] 1413 at blargh dot com

No - I converted the script to:

<?
/* Vertial Label maker */

$in = $_SERVER['argv'][1];

$im = ImageCreate(14,150);
$cBlack = ImageColorAllocate($im, 0, 0, 0);
$cWhite = ImageColorAllocate($im, 255, 255, 255);
$cBlue = ImageColorAllocate($im, 100, 100, 255);

ImageTTFText($im, 10, 90, 11, 150, $cWhite, "/var/www/prime/common/arialbd.ttf", $in);

Header("Content-type: image/png");

ImagePng($im);

ImageDestroy($im);

?>

and tried it hundreds of times without getting a segfault.  When going through Apache I get segfaults.

[2003-04-25 05:47 UTC] sniper@php.net

Reproduced with latest stable CVS:

(gdb) bt
#0  0x40442b0b in gdCacheGet (head=0x8409648, keydata=0xbfffca48) at /usr/src/web/php/php4/ext/gd/libgd/gdcache.c:101
#1  0x40441c1a in gdImageStringFTEx (im=0x83faf24, brect=0xbfffcbbc, fg=1, 
    fontlist=0x84034a4 "/usr/share/fonts/default/TrueType/arialbd.ttf", ptsize=10, angle=1.5707963267948966, x=11, 
    y=150, string=0x8400524 "foobar", strex=0x0) at /usr/src/web/php/php4/ext/gd/libgd/gdft.c:825
#2  0x40441a6b in gdImageStringFT (im=0x83faf24, brect=0xbfffcbbc, fg=1, 
    fontlist=0x84034a4 "/usr/share/fonts/default/TrueType/arialbd.ttf", ptsize=10, angle=1.5707963267948966, x=11, 
    y=150, string=0x8400524 "foobar") at /usr/src/web/php/php4/ext/gd/libgd/gdft.c:767
#3  0x4042d36a in php_imagettftext_common (ht=8, return_value=0x8403504, this_ptr=0x0, return_value_used=0, mode=0, 
    extended=0) at /usr/src/web/php/php4/ext/gd/gd.c:3058
#4  0x4042c822 in zif_imagettftext (ht=8, return_value=0x8403504, this_ptr=0x0, return_value_used=0)
    at /usr/src/web/php/php4/ext/gd/gd.c:2947
#5  0x405f5492 in execute (op_array=0x83fac7c) at /usr/src/web/php/php4/Zend/zend_execute.c:1606
#6  0x405e1f64 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/web/php/php4/Zend/zend.c:864
#7  0x405a56b7 in php_execute_script (primary_file=0xbffff284) at /usr/src/web/php/php4/main/main.c:1637
#8  0x405faa50 in apache_php_module_main (r=0x82e532c, display_source_mode=0)
    at /usr/src/web/php/php4/sapi/apache/sapi_apache.c:55
#9  0x405fbb78 in send_php (r=0x82e532c, display_source_mode=0, filename=0x82e742c "/www/apache/htdocs/t.php")
    at /usr/src/web/php/php4/sapi/apache/mod_php4.c:617
#10 0x405fbc02 in send_parsed_php (r=0x82e532c) at /usr/src/web/php/php4/sapi/apache/mod_php4.c:632
#11 0x8054f09 in ap_invoke_handler () at md4.c:255
#12 0x806b0cf in process_request_internal () at md4.c:255
#13 0x806b13a in ap_process_request () at md4.c:255
#14 0x8061916 in child_main () at md4.c:255
#15 0x8061af5 in make_child () at md4.c:255
#16 0x8061c76 in startup_children () at md4.c:255
#17 0x806230d in standalone_main () at md4.c:255
#18 0x8062b9c in main () at md4.c:255
#19 0x4016c9cb in __libc_start_main (main=0x80627d8 <main>, argc=3, argv=0xbffff694, init=0x804ed2c <_init>, 
    fini=0x8082e64 <_fini>, rtld_fini=0x4000aea0 <_dl_fini>, stack_end=0xbffff68c)
    at ../sysdeps/generic/libc-start.c:92
(gdb) list
96      {
97        int i = 0;
98        gdCache_element_t *elem, *prev = NULL, *prevprev = NULL;
99        void *userdata;
100     
101       elem = head->mru;
102       while (elem)
103         {
104           if ((*(head->gdCacheTest)) (elem->userdata, keydata))
105             {

[2003-04-25 05:48 UTC] sniper@php.net

Note: This happens on the 2nd run on same apache child.

[2003-04-30 11:44 UTC] rasmus@php.net

I think I just fixed this issue.  The bt doesn't look the same, but the fact that it only happens on the second request would indicate that it was getting a bogus cache pointer which is what I fixed.  Someone please verify that this doesn't happen under current CVS.

[2003-04-30 12:06 UTC] eru@php.net

Works for me now, no more segfaults.

[2003-04-30 12:15 UTC] eru@php.net

This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.

[2003-12-20 06:20 UTC] schneider_c at web dot de

Hi,

I'm seeing this same error with PHP 4.3.4 on Mac OS X.

bt:

#0  fontTest (element=0xf12c0300, key=0xbfffdd90) at 
gdft.c:337
#1  0x00b12c04 in gdCacheGet (head=0x2f6110, 
keydata=0xbfffdd90) at gdcache.c:108
#2  0x00b138f4 in gdImageStringFTEx (im=0x2be050, 
brect=0xbfffdf20, fg=2, fontlist=0x2bde20 "Helvetica", 
ptsize=40, angle=0, x=240, y=240, string=0x2bbcb0 
"HaLLO", strex=0x0) at gdft.c:856
#3  0x00b13784 in gdImageStringFT (im=0xf12c0300, 
brect=0xbfffdd90, fg=0, fontlist=0xb13364 "H", 
ptsize=1, angle=0.78539816339744839, x=240, y=240, 
string=0x2bbcb0 "HaLLO") at gdft.c:784
#4  0x010c07e0 in php_imagettftext_common (ht=11611140, 
return_value=0x2bde20, this_ptr=0x0, 
return_value_used=11613028, mode=1, 
extended=1325400064) at /usr/local/src/php-4.3.4/ext/
gd/gd.c:3059
#5  0x011a333c in execute (op_array=0xf0) at /usr/
local/src/php-4.3.4/Zend/zend_execute.c:1616
#6  0x01195100 in zend_execute_scripts (type=-
248773888, retval=0x0, file_count=3) at /usr/local/src/
php-4.3.4/Zend/zend.c:884
#7  0x01169d94 in php_execute_script 
(primary_file=0xbfffeac0) at /usr/local/src/php-4.3.4/
main/main.c:1729
#8  0x011a73dc in apache_php_module_main (r=0xf12c0300, 
display_source_mode=0) at /usr/local/src/php-4.3.4/
sapi/apache/sapi_apache.c:54
#9  0x011a80cc in send_php (r=0x156048, 
display_source_mode=0, filename=0x0) at /usr/local/src/
php-4.3.4/sapi/apache/mod_php4.c:620
#10 0x0000d0e0 in ap_invoke_handler ()
#11 0x00016e1c in process_request_internal ()
#12 0x00016eac in ap_process_request ()
#13 0x000066a0 in child_main ()
#14 0x00006860 in make_child ()
#15 0x000069cc in startup_children ()
#16 0x00006fc8 in standalone_main ()
#17 0x00007840 in main ()
#18 0x000026f8 in _start ()
#19 0x00002578 in start ()

I compiled php myself but used the Apple-provided 
apache 1.3.27. Configure options for php were:
./configure --prefix=/usr --sysconfdir=/etc --
localstatedir=/var --mandir=/usr/share/man --with-apxs 
--with-zlib --with-gd=/opt/local --with-jpeg-dir=/opt/
local --with-png-dir=/opt/local --with-freetype-dir=/
opt/local

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Nov 27 11:00:01 2025 UTC