Bug #38212 Seg Fault on invalid imagecreatefromgd2part() parameters
Submitted: 2006-07-25 18:34 UTC Modified: 2006-07-26 08:54 UTC
From: seth at pricepages dot org Assigned: pajoye (profile)
Status: Closed Package: GD related
PHP Version: 5.1.4 OS: Mac 10.4
Private report: No CVE-ID: None
 [2006-07-25 18:34 UTC] seth at pricepages dot org
Description:
------------
A call to imagecreatefromgd2part() with invalid parameters 
(a negative width) causes it to request a negative sized 
chunk of memory, and therefore crash.

Reproduce code:
---------------
<?php
//Image file provided on request
$im = imagecreatefromgd2part('test.gd2', 0,0, -25,100);
?>

Actual result:
--------------
(gdb) bt
#0  0xffff8660 in ___bzero () at /System/Library/Frameworks/System.framework/PrivateHeaders/ppc/cpu_capabilities.h:187
#1  0x0223a6b8 in _ecalloc (nmemb=19935848, size=4294967247, __zend_filename=0x2345654 "/usr/local/php/php-5.1.4/ext/gd/libgd/gd.c", __zend_lineno=135, __zend_orig_filename=0x0, __zend_orig_lineno=19935848) at /usr/local/php/php-5.1.4/Zend/zend_alloc.c:325
#2  0x0207691c in php_gd_gdImageCreate (sx=-25, sy=125) at /usr/local/php/php-5.1.4/ext/gd/libgd/gd.c:135
#3  0x0208178c in php_gd_gdImageCreateFromGd2PartCtx (in=0x11fee18, srcx=0, srcy=425, w=-25, h=125) at /usr/local/php/php-5.1.4/ext/gd/libgd/gd_gd2.c:447
#4  0x02081dfc in php_gd_gdImageCreateFromGd2Part (inFile=0x1303268, srcx=0, srcy=425, w=-25, h=125) at /usr/local/php/php-5.1.4/ext/gd/libgd/gd_gd2.c:405
#5  0x0206c700 in _php_image_create_from (ht=19959208, return_value=0x11fd368, return_value_ptr=0xf, this_ptr=0x5, return_value_used=0, image_type=10, tn=0x234530c "GD2", func_p=0x2081dc0 <php_gd_gdImageCreateFromGd2Part>, ioctx_func_p=0x20816f0 <php_gd_gdImageCreateFromGd2PartCtx>) at /usr/local/php/php-5.1.4/ext/gd/gd.c:1628
#6  0x0206c80c in zif_imagecreatefromgd2part (ht=19935848, return_value=0xffffffcf, return_value_ptr=0xf, this_ptr=0x5, return_value_used=0) at /usr/local/php/php-5.1.4/ext/gd/gd.c:1750
#7  0x02279f94 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffd878) at /usr/local/php/php-5.1.4/Zend/zend_vm_execute.h:200
#8  0x02279788 in execute (op_array=0x1148c58) at /usr/local/php/php-5.1.4/Zend/zend_vm_execute.h:92
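
The trace above shows the root cause of the crash: the negative width reaches php_gd_gdImageCreate (sx=-25) and from there the allocator, where a negative int reinterpreted as an unsigned size becomes a value near 4 GiB (the size argument of the _ecalloc frame). The following is an added illustration, not code from the PHP or libgd sources, of the input validation a library should apply before allocating a sub-image: reject non-positive or out-of-range dimensions, and compute the buffer size with overflow checks. The header struct, the function names and the 4 bytes-per-pixel figure are all assumptions made for this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical description of the source image, constructed for this example. */
typedef struct {
    int width;
    int height;
} gd2_header_t;

/*
 * Validate a (srcx, srcy, w, h) sub-rectangle request against the source
 * image's dimensions before anything is allocated.
 * Returns 1 if the request is acceptable, 0 otherwise.
 */
int gd2part_region_ok(const gd2_header_t *hdr, int srcx, int srcy, int w, int h)
{
    /* Width and height must be strictly positive; a negative width is
       exactly what the report's call passes in. */
    if (w <= 0 || h <= 0) return 0;
    if (srcx < 0 || srcy < 0) return 0;
    if (hdr->width <= 0 || hdr->height <= 0) return 0;
    /* Compare against the remaining extent instead of computing srcx + w,
       which could overflow for a large srcx. */
    if (w > hdr->width - srcx) return 0;
    if (h > hdr->height - srcy) return 0;
    return 1;
}

/*
 * Byte count for a w x h pixel buffer at bpp bytes per pixel, or 0 if the
 * inputs are non-positive or any multiplication would overflow size_t.
 * 0 is never a valid buffer size here, so the caller treats it as rejection.
 */
size_t image_buffer_size(int w, int h, size_t bpp)
{
    if (w <= 0 || h <= 0 || bpp == 0) return 0;
    size_t uw = (size_t)w, uh = (size_t)h;
    if (uw > SIZE_MAX / uh) return 0;
    size_t pixels = uw * uh;
    if (pixels > SIZE_MAX / bpp) return 0;
    return pixels * bpp;
}

/*
 * What an unchecked conversion does: a negative int handed to a size_t
 * parameter wraps to a value just below SIZE_MAX. On a 32-bit build that is
 * the ~4 GiB size= value visible in the _ecalloc frame of the backtrace.
 */
size_t naive_size_from_int(int n)
{
    return (size_t)n;  /* -25 becomes SIZE_MAX - 24 */
}

/* Hardened allocation path: validate, size safely, then calloc. */
unsigned char *allocate_region(const gd2_header_t *hdr, int srcx, int srcy, int w, int h)
{
    if (!gd2part_region_ok(hdr, srcx, srcy, w, h)) return NULL;
    size_t n = image_buffer_size(w, h, 4 /* hypothetical bytes per pixel */);
    if (n == 0) return NULL;
    return calloc(1, n);
}

int main(void)
{
    gd2_header_t hdr = { 640, 480 };  /* constructed sample image header */

    /* The request from the bug report: width -25, height 100 */
    printf("w=-25 accepted? %d\n", gd2part_region_ok(&hdr, 0, 0, -25, 100));
    printf("(size_t)-25 = %zu\n", naive_size_from_int(-25));

    unsigned char *buf = allocate_region(&hdr, 0, 0, 25, 100);
    printf("valid request: %s\n", buf ? "allocated" : "rejected");
    free(buf);
    return 0;
}
```

The check on the far edge (w > width - srcx) is deliberately written as a subtraction of two values already known to be in range, so the validation itself cannot overflow; the size computation uses SIZE_MAX division for the same reason.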


 [2006-07-26 08:54 UTC] pajoye@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 15:01:30 2024 UTC