php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75651 Segmentation fault with NextGen Gallery
Submitted: 2017-12-08 03:46 UTC Modified: 2018-05-05 21:50 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:0 (0.0%)
From: benjamin at imagely dot com Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 7.2.0 OS: FreeBSD 11.1
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: benjamin at imagely dot com
New email:
PHP Version: OS:

 

 [2017-12-08 03:46 UTC] benjamin at imagely dot com
Description:
------------
This happens with PHP 7.2.0

Configure Command =>  './configure'  '--with-layout=GNU' '--localstatedir=/var' '--with-config-file-scan-dir=/usr/local/etc/php' '--disable-all' '--enable-libxml' '--enable-mysqlnd' '--with-libxml-dir=/usr/local' '--with-pcre-regex=/usr/local' '--with-password-argon2=/usr/local' '--program-prefix=' '--enable-fpm' '--with-fpm-user=www' '--with-fpm-group=www' '--enable-phpdbg' '--enable-phpdbg-debug' '--enable-debug' '--enable-dtrace' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd11.1' 'build_alias=amd64-portbld-freebsd11.1' 'CFLAGS=-pipe -g -fstack-protector -fno-strict-aliasing' 'CPPFLAGS=' 'CPP=cpp'

Using WordPress and NextGen Gallery I created a new WP-CLI command that executes the attached test script. Attempting to view a gallery display will also generate a segmentation fault.

Here is my gdb backtrace:
#0  0x000000080240c84a in thr_kill () from /lib/libc.so.7                                    
#1  0x000000080240c814 in raise () from /lib/libc.so.7                                       
#2  0x000000080240c789 in abort () from /lib/libc.so.7                                       
#3  0x0000000802487e61 in __assert () from /lib/libc.so.7                                    
#4  0x00000000007997e1 in zend_get_property_guard (zobj=0x817a63a40, member=0x8102ba5a0) at zend_object_handlers.c:518                                                                    
#5  0x000000000079dc69 in zend_std_get_property_ptr_ptr (object=0x802c21290, member=0x811840210, type=1, cache_slot=0x817ad2238) at zend_object_handlers.c:935                            
#6  0x000000000085a0f2 in zend_fetch_property_address (result=0x802c21320, container=0x802c21290, container_op_type=16, prop_ptr=0x811840210, prop_op_type=1, cache_slot=0x817ad2238,     
    type=1) at zend_execute.c:1926            
#7  0x00000000007ebb5a in ZEND_FETCH_OBJ_W_SPEC_CV_CONST_HANDLER (execute_data=0x802c21240) at zend_vm_execute.h:36148                                                                    
#8  0x00000000007a9cbb in execute_ex (ex=0x802c21240) at zend_vm_execute.h:59726             
#9  0x000000000072470a in zend_call_function (fci=0x7fffffffac08, fci_cache=0x7fffffffabe0) at zend_execute_API.c:817                                                                     
#10 0x000000000049d15b in reflection_method_invoke (execute_data=0x802c211d0, return_value=0x802c211b0, variadic=0) at php_reflection.c:3221                                              #11 0x000000000049d2df in zim_reflection_method_invokeArgs (execute_data=0x802c211d0, return_value=0x802c211b0) at php_reflection.c:3257                                                  #12 0x00000000007d7a7b in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x802c21110) at zend_vm_execute.h:1032                                                                     #13 0x00000000007a9cbb in execute_ex (ex=0x802c20fd0) at zend_vm_execute.h:59726             
#14 0x000000000072470a in zend_call_function (fci=0x7fffffffb048, fci_cache=0x7fffffffb020) at zend_execute_API.c:817                                                                     
#15 0x000000000049d15b in reflection_method_invoke (execute_data=0x802c20f60, return_value=0x802c20f40, variadic=0) at php_reflection.c:3221                                              
#16 0x000000000049d2df in zim_reflection_method_invokeArgs (execute_data=0x802c20f60, return_value=0x802c20f40) at php_reflection.c:3257                                                  
#17 0x00000000007d7a7b in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x802c20ea0) at zend_vm_execute.h:1032                                                                     
#18 0x00000000007a9cbb in execute_ex (ex=0x802c20cd0) at zend_vm_execute.h:59726             
#19 0x000000000072470a in zend_call_function (fci=0x7fffffffb488, fci_cache=0x7fffffffb460) at zend_execute_API.c:817                                                                     
#20 0x000000000049d15b in reflection_method_invoke (execute_data=0x802c20c60, return_value=0x802c20c40, variadic=0) at php_reflection.c:3221                                              
#21 0x000000000049d2df in zim_reflection_method_invokeArgs (execute_data=0x802c20c60, return_value=0x802c20c40) at php_reflection.c:3257                                                  
#22 0x00000000007d7a7b in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x802c20ba0) at zend_vm_execute.h:1032                                                                     
#23 0x00000000007a9cbb in execute_ex (ex=0x802c209e0) at zend_vm_execute.h:59726             
#24 0x000000000072470a in zend_call_function (fci=0x7fffffffb8c8, fci_cache=0x7fffffffb8a0) at zend_execute_API.c:817                                                                     
#25 0x000000000049d15b in reflection_method_invoke (execute_data=0x802c20970, return_value=0x802c20950, variadic=0) at php_reflection.c:3221                                              
#26 0x000000000049d2df in zim_reflection_method_invokeArgs (execute_data=0x802c20970, return_value=0x802c20950) at php_reflection.c:3257                                                  
#27 0x00000000007d7a7b in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x802c208b0) at zend_vm_execute.h:1032                                                                     
#28 0x00000000007a9cbb in execute_ex (ex=0x802c20710) at zend_vm_execute.h:59726             
#29 0x000000000072470a in zend_call_function (fci=0x7fffffffbc78, fci_cache=0x7fffffffbc50) at zend_execute_API.c:817                                                                     
#30 0x0000000000526341 in zif_call_user_func (execute_data=0x802c20690, return_value=0x7fffffffbcf0) at basic_functions.c:4844                                                            
#31 0x00000000008088e0 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x802c205e0) at zend_vm_execute.h:738                                                            
#32 0x00000000007a9cbb in execute_ex (ex=0x802c205e0) at zend_vm_execute.h:59726             
#33 0x000000000072470a in zend_call_function (fci=0x7fffffffbfa8, fci_cache=0x7fffffffbf80) at zend_execute_API.c:817                                                                     
#34 0x0000000000526341 in zif_call_user_func (execute_data=0x802c20560, return_value=0x7fffffffc020) at basic_functions.c:4844                                                            
#35 0x00000000008088e0 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x802c20430) at zend_vm_execute.h:738                                                            
#36 0x00000000007a9cbb in execute_ex (ex=0x802c20030) at zend_vm_execute.h:59726             
#37 0x00000000007a9e8d in zend_execute (op_array=0x802c81300, return_value=0x0) at zend_vm_execute.h:63763                                                                                
#38 0x0000000000742045 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at zend.c:1496                                                                                          
#39 0x000000000069837b in php_execute_script (primary_file=0x7fffffffdda8) at main.c:2592    
#40 0x0000000000865a52 in do_cli (argc=4, argv=0x7fffffffe3e0) at php_cli.c:1011             
#41 0x0000000000864a8d in main (argc=4, argv=0x7fffffffe3e0) at php_cli.c:1404

Furthermore the segmentation fault appears to happen in our class.displayed_gallery.php when executing these two lines:
foreach ($this->object->display_settings as $key => $val)
    $display_type->settings[$key] = $val;

A die() statement placed before this foreach() will always succeed, but placed after this foreach() will never be reached. Additionally adding a simple counter ($i = 0... $i++..) to limit the above foreach() to exactly TWO iterations will succeed but the third will always fail.

Test script:
---------------
echo C_Displayed_Gallery_Renderer::get_instance()->display_images([
    'source' => 'galleries',
    'display_type' => NGG_BASIC_THUMBNAILS,
    'container_ids' => 4]);


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-12-08 18:43 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2017-12-08 18:43 UTC] ab@php.net
Thanks for the report. This seems to be a duplicate of bug #75573 which is fixed in dev only yet. Please check.

Thanks.
 [2018-05-05 21:50 UTC] requinix@php.net
-Status: Feedback +Status: No Feedback
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Wed Jan 15 11:01:31 2025 UTC