PHP :: Bug #58823 :: reading one favicon image crashes apache

Bug #58823	reading one favicon image crashes apache
Submitted:	2009-08-21 20:44 UTC	Modified:	2009-08-25 12:46 UTC
From:	guozheng dot ge at gmail dot com	Assigned:
Status:	Closed	Package:	imagick (PECL)
PHP Version:	5.2.6	OS:	rhel-4.x
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	guozheng dot ge at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2009-08-21 20:44 UTC] guozheng dot ge at gmail dot com

Description:
------------
reading this favicon crashes apache server: 
http://www.japantravelinfo.com/favicon.ico

Please try it with the reproduce code.

Using PHP 5.2.6, Imagick 2.2.2RC1, ImageMagick 6.2.9 
12/17/07 Q16 

I think this is an ImageMagick bug, from strace, it is 
trying to write a temp magick-XXZDUO8a file into /tmp 
directory, but the file size is 336185 TB.

The same File size limit exceeded error is reported if you 
run command line "identify --verbose favicon.ico" too.

Is it possible to catch this error and throw an 
ImagickException so that we can catch this problem in the 
PHP code?

========== tail of strace ==========
stat64("/usr/local/lib/ImageMagick-6.2.9/modules-
Q16/coders/yuv.la", {st_mode=S_IFREG|0755, st_size=939, 
...}) = 0
access("/usr/local/lib/ImageMagick-6.2.9/modules-
Q16/coders/yuv.la", F_OK) = 0
open("/usr/local/lib/ImageMagick-6.2.9/modules-
Q16/coders/yuv.la", O_RDONLY|O_LARGEFILE) = 11
fstat64(11, {st_mode=S_IFREG|0755, st_size=939, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fbf000
read(11, "# yuv.la - a libtool library fil"..., 4096) = 939
read(11, "", 4096)                      = 0
close(11)                               = 0
munmap(0xb7fbf000, 4096)                = 0
open("/usr/local/lib/yuv.a", O_RDONLY)  = -1 ENOENT (No such 
file or directory)
open("/home/y/lib/yuv.a", O_RDONLY)     = -1 ENOENT (No such 
file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 11
fstat64(11, {st_mode=S_IFREG|0644, st_size=43515, ...}) = 0
old_mmap(NULL, 43515, PROT_READ, MAP_PRIVATE, 11, 0) = 
0xb7f9d000
close(11)                               = 0
open("/lib/tls/i686/yuv.a", O_RDONLY)   = -1 ENOENT (No such 
file or directory)
open("/lib/tls/yuv.a", O_RDONLY)        = -1 ENOENT (No such 
file or directory)
open("/lib/i686/yuv.a", O_RDONLY)       = -1 ENOENT (No such 
file or directory)
open("/lib/yuv.a", O_RDONLY)            = -1 ENOENT (No such 
file or directory)
open("/usr/lib/tls/i686/yuv.a", O_RDONLY) = -1 ENOENT (No 
such file or directory)
open("/usr/lib/tls/yuv.a", O_RDONLY)    = -1 ENOENT (No such 
file or directory)
open("/usr/lib/sse2/yuv.a", O_RDONLY)   = -1 ENOENT (No such 
file or directory)
open("/usr/lib/yuv.a", O_RDONLY)        = -1 ENOENT (No such 
file or directory)
munmap(0xb7f9d000, 43515)               = 0
open("/usr/local/lib/ImageMagick-6.2.9/modules-
Q16/coders/yuv.so", O_RDONLY) = 11
read(11, 
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\16"...,
 
512) = 512
fstat64(11, {st_mode=S_IFREG|0755, st_size=12960, ...}) = 0
old_mmap(NULL, 15896, PROT_READ|PROT_EXEC, 
MAP_PRIVATE|MAP_DENYWRITE, 11, 0) = 0x163e000
old_mmap(0x1641000, 4096, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 11, 0x2000) = 0x1641000
close(11)                               = 0
time(NULL)                              = 1250900828
times({tms_utime=26, tms_stime=5, tms_cutime=0, 
tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, 
tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, 
tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, 
tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, 
tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, 
tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, 
tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, 
tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, 
tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, 
tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, 
tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, 
tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, 
tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, 
tms_cstime=0}) = 881559534
stat64("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=94208, 
...}) = 0
open("/tmp/magick-XXZDUO8a", 
O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE, 0600) = 11
_llseek(11, 0, [0], SEEK_END)           = 0
pwrite64(11, "\0", 1, 369639430836715519) = -1 EFBIG (File 
too large)
--- SIGXFSZ (File size limit exceeded) @ 0 (0) ---
+++ killed by SIGXFSZ +++
Process 14567 detached


========== gdb info =============
Program received signal SIGXFSZ, File size limit exceeded.
[Switching to Thread -1208936768 (LWP 13805)]
0x00826402 in __kernel_vsyscall ()
(gdb) 
(gdb) 
(gdb) 
(gdb) 
(gdb) bt
#0  0x00826402 in __kernel_vsyscall ()
#1  0x006f3152 in pwrite64 () from /lib/tls/libpthread.so.0
#2  0x0197dd86 in SetImageVirtualPixelMethod () from 
/usr/local/lib/libMagick.so.10
#3  0x0197e8d4 in SetImageVirtualPixelMethod () from 
/usr/local/lib/libMagick.so.10
#4  0x0197eb5a in SetCacheNexus () from 
/usr/local/lib/libMagick.so.10
#5  0x0197fb29 in SetImagePixels () from 
/usr/local/lib/libMagick.so.10
#6  0x0197fa0a in SetImagePixels () from 
/usr/local/lib/libMagick.so.10
#7  0x019f8644 in SetImageStorageClass () from 
/usr/local/lib/libMagick.so.10
#8  0x019f873b in AllocateImageColormap () from 
/usr/local/lib/libMagick.so.10
#9  0x00d96667 in ?? () from /usr/local/lib/ImageMagick-
6.2.9/modules-Q16/coders/icon.so
#10 0x0885b480 in ?? ()
#11 0x00000010 in ?? ()
#12 0x00000000 in ?? ()
(gdb)

Reproduce code:
---------------
<?php
try
{
    $im = new Imagick();
    $im->setFormat('ico');

	//this crashed yapache and no Exception was thrown
    $content = file_get_contents('favicon-japantravel.ico'); 
    $im->readImageBlob($content);
    $im->flattenImages();
    $im->setFormat('png');
    header('Content-Type: image/png');
    header('Content-Length: ' . strlen($content));
    echo $content;
}
catch (Exception $ex)
{   
    header('Content-Type: text/plain');
    $content = 'error happened: ' . print_r($ex, true);
    header('Content-Length: ' . strlen($content));
    echo $content;
}
?>

Expected result:
----------------
I think the image is corrupted, but is it possible for Imagick 
to throw an Exception instead of silently crashing apache?

Actual result:
--------------
apache crashes

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-08-24 16:04 UTC] mkoppanen@php.net

Does this happen with newer ImageMagick / Imagick? 6.2.9 is a really old version of ImageMagick and there is not much I can help with that.

[2009-08-25 12:43 UTC] guozheng dot ge at gmail dot com

tried the latest ImageMagick and Imagick:

ImageMagick 6.5.2-0 2009-05-20 Q16
Imagick 2.3.0

the new version of Imagick can capture the Exception 
correctly, will try to upgrade my ImageMagick and Imagick

closing the bug and thanks for the feedback

[2009-08-25 12:46 UTC] guozheng dot ge at gmail dot com

upgrading imagick could catch the Exception

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Jul 03 08:01:34 2025 UTC