Bug #34042 Crash in imagettftext due to type overflow.
Submitted: 2005-08-08 20:49 UTC Modified: 2005-08-09 23:17 UTC
From: php at fiddaman dot net Assigned:
Status: Closed Package: GD related
PHP Version: 5.0.4 OS: Solaris 9
Private report: No CVE-ID: None
 [2005-08-08 20:49 UTC] php at fiddaman dot net
Description:
------------
Same problem as bug #32893 (which was for PHP4).
zend_parse_va_args is called with a template of "l" but a pointer to int which isn't large enough to hold the result.

A patch which fixes this:

--- ext/gd/gd.c~        2005-05-01 11:36:21.134419000 +0000
+++ ext/gd/gd.c 2005-05-01 11:42:37.369849000 +0000
@@ -3017,7 +3017,8 @@
 {
        zval *IM, *EXT = NULL;
        gdImagePtr im=NULL;
-       int col = -1, x = -1, y = -1, str_len, fontname_len, i,
brect[8];
+       long col = -1, x = -1, y = -1;
+       int str_len, fontname_len, i, brect[8];
        double ptsize, angle;
        unsigned char *str = NULL, *fontname = NULL;
        char *error = NULL;
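Review bot: the `-` line of this hunk is wrapped by the tracker: `brect[8];` sits on its own line without the leading space that a context or removed line needs, so `patch` will reject the hunk as posted; rejoin it to `-       int col = -1, x = -1, y = -1, str_len, fontname_len, i, brect[8];` before applying. The split of the declaration itself is right: the three `l` specifiers in `rddlllss|a` each write a `long` through the pointer they receive, and only `col`, `x` and `y` are passed for them, while `str_len` and `fontname_len` are filled by the `s` specifiers as `int` in PHP 5, so they correctly stay `int`; `i` and `brect` are never passed to zend_parse_parameters at all.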

Reproduce code:
---------------
<?php
        $img = imagecreate(400, 70);
        imagettftext($img, 11/81*64, 0, 0, 27, 0, "/dev/null", "test");
?>

Actual result:
--------------
251                                                     *p = Z_LVAL_PP(arg);
(gdb) where
#0  0x0000000100229e54 in zend_parse_va_args (num_args=4,
    type_spec=0x1002e4db3 "lllss|a", va=0xffffffff7fffea18, flags=0)
    at /spool/src/build/php-5.0.4/Zend/zend_API.c:251
#1  0x000000010022ac28 in zend_parse_parameters (num_args=8,
    type_spec=0x1002e4db0 "rddlllss|a")
    at /spool/src/build/php-5.0.4/Zend/zend_API.c:571
#2  0x000000010008f730 in php_imagettftext_common (ht=8,
    return_value=0x100796328, this_ptr=0x0, return_value_used=0, mode=0,
    extended=0) at /spool/src/build/php-5.0.4/ext/gd/gd.c:3134
#3  0x0000000100260468 in zend_do_fcall_common_helper (
    execute_data=0xffffffff7fffef80, opline=0x10079d5a8, op_array=0x100798c08)
    at /spool/src/build/php-5.0.4/Zend/zend_execute.c:2727
#4  0x00000001002608d8 in zend_do_fcall_handler (
    execute_data=0xffffffff7fffef80, opline=0x10079d5a8, op_array=0x100798c08)
    at /spool/src/build/php-5.0.4/Zend/zend_execute.c:2859
#5  0x000000010024ddec in execute (op_array=0x100798c08)
    at /spool/src/build/php-5.0.4/Zend/zend_execute.c:1406
#6  0x00000001002291f0 in zend_execute_scripts (type=8, retval=0x0,
    file_count=3) at /spool/src/build/php-5.0.4/Zend/zend.c:1069
#7  0x00000001001e8f90 in php_execute_script (primary_file=0xffffffff7ffffa80)
    at /spool/src/build/php-5.0.4/main/main.c:1632
#8  0x000000010026adb8 in main (argc=1, argv=0xffffffff7ffffb88)
    at /spool/src/build/php-5.0.4/sapi/cli/php_cli.c:946
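The following is an added illustration for readers of this report; it is not code from PHP or from the reporter's patch. It models, in a few lines of C, what zend_parse_parameters does with an "l" specifier (store a `long` through the `long *` the caller passed) and shows the declarations the patch arrives at: `long` for every "l" slot, `int` for the string-length slots of "s". The `parse_args`, `storage_fits_spec` and `parse_ttf_args_fixed` names and the `struct arg` argument model are hypothetical stand-ins; the argument values mirror the reproduce script above.

```c
/* Added example, not PHP's own code: a miniature model of how an
 * "lllss"-style parameter spec writes into caller-supplied storage. */
#include <assert.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of one already-parsed script argument. */
struct arg {
    long lval;         /* used by "l" slots */
    const char *sval;  /* used by "s" slots */
};

/* Hypothetical stand-in for zend_parse_va_args. For 'l' it stores a long
 * through a long*; for 's' it stores a char* and an int length. On an LP64
 * platform the 'l' store is 8 bytes wide, so if the caller actually passed
 * the address of an int (4 bytes), the remaining bytes land in whatever
 * variable the compiler placed next to it: exactly the corruption behind
 * the crash in this report. Returns the number of arguments consumed, or
 * -1 on an unknown specifier. */
static int parse_args(const char *spec, const struct arg *args, ...)
{
    va_list va;
    int i = 0;
    va_start(va, args);
    for (; *spec; spec++) {
        switch (*spec) {
        case 'l': {
            long *p = va_arg(va, long *);
            *p = args[i++].lval;
            break;
        }
        case 's': {
            char **s = va_arg(va, char **);
            int *len = va_arg(va, int *);
            *s = (char *)args[i].sval;
            *len = (int)strlen(args[i].sval);
            i++;
            break;
        }
        default:
            va_end(va);
            return -1;
        }
    }
    va_end(va);
    return i;
}

/* Review-time check: can a destination of `storage` bytes hold what the
 * given specifier writes? 'l' needs sizeof(long); the length slot of 's'
 * needs sizeof(int). On ILP32 int and long coincide, which is why the bug
 * only shows on 64-bit builds such as the reporter's Solaris system. */
bool storage_fits_spec(char spec, size_t storage)
{
    switch (spec) {
    case 'l': return storage >= sizeof(long);
    case 'd': return storage >= sizeof(double);
    case 's': return storage >= sizeof(int);
    default:  return false;
    }
}

/* The declarations after the patch: x, y, col are long (they were int),
 * the string lengths stay int. Argument order follows imagettftext's
 * "lllss" tail: x, y, color, fontfile, text. Returns
 * x + y + col + fontname_len + str_len so a caller can check the result. */
long parse_ttf_args_fixed(void)
{
    long col = -1, x = -1, y = -1;      /* long: matches the "l" stores */
    int str_len = 0, fontname_len = 0;  /* int: matches the "s" stores */
    char *str = NULL, *fontname = NULL;
    /* Constructed arguments mirroring the reproduce script: x=0, y=27,
     * color=0, fontfile="/dev/null", text="test". */
    const struct arg args[5] = {
        {0, NULL}, {27, NULL}, {0, NULL}, {0, "/dev/null"}, {0, "test"}
    };
    if (parse_args("lllss", args, &x, &y, &col,
                   &fontname, &fontname_len, &str, &str_len) != 5)
        return -1;
    return x + y + col + fontname_len + str_len;  /* 0+27+0+9+4 = 40 */
}

int main(void)
{
    printf("sizeof(int)=%zu sizeof(long)=%zu\n", sizeof(int), sizeof(long));
    printf("int storage fits 'l': %s\n",
           storage_fits_spec('l', sizeof(int)) ? "yes" : "no");
    printf("fixed parse sum: %ld\n", parse_ttf_args_fixed());
    return 0;
}
```

The deliberately broken variant (passing `&col` with `col` declared `int`) is not shown because its effect is undefined behaviour and depends on stack layout; the report's backtrace is what that looks like in practice. The `storage_fits_spec` check is the kind of review rule a static checker for zend_parse_parameters callers applies: every specifier has a fixed destination type, and the caller's declaration must match it on every ABI the code is built for.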


 [2005-08-08 20:56 UTC] tony2001@php.net
It was fixed in 5.x even before 4.x.
 [2005-08-08 21:20 UTC] php at fiddaman dot net
That doesn't make sense as my newly compiled 5.0.4 was crashing at the same place, and modifying gd.c fixed it.

The back-trace I've posted below is from the 5.0.4 binary and the code in ext/gd/gd.c as distributed definitely defines col, x, y as int instead of long.

I'm using a 64-bit architecture so sizeof(int) != sizeof(long).
 [2005-08-08 22:43 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip


 [2005-08-09 23:17 UTC] php at fiddaman dot net
That snapshot works fine, thanks.