Bug #66625 imagescale() segmentation fault on 64bits environment
Submitted: 2014-02-02 03:50 UTC Modified: 2017-01-18 18:58 UTC
Votes:8
Avg. Score:4.6 ± 0.7
Reproduced:8 of 8 (100.0%)
Same Version:3 (37.5%)
Same OS:4 (50.0%)
From: yoya at awm dot jp Assigned: cmb (profile)
Status: Duplicate Package: GD related
PHP Version: 5.5.8 OS: Any
Private report: No CVE-ID: None
 [2014-02-02 03:50 UTC] yoya at awm dot jp
Description:
------------
* ext/gd.c
----
PHP_FUNCTION(imagescale)
{
        zval *IM;
        gdImagePtr im;
        gdImagePtr im_scaled;
        int new_width, new_height = -1;
        gdInterpolationMethod method = GD_BILINEAR_FIXED;

        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rl|ll", &IM, &new_width, &new_height, &method) == FAILURE)  {
----

On a 64-bit environment, 'l' (long) has a 64-bit width, while int and the gdInterpolationMethod type have 32 bits, so the IM pointer is destroyed by the values of other variables.

This problem is related to id:65171, I guess.
- https://bugs.php.net/bug.php?id=65171


Test script:
---------------
<?php

$data = file_get_contents($argv[1]);
$im = ImageCreateFromString($data);
$im2 = imagescale($im, 256, 192, IMG_NEAREST_NEIGHBOUR);
imagepng($im2, 'output.png');

Actual result:
--------------
Segmentation fault

 [2014-03-24 22:47 UTC] mwanat at forall dot pl
Confirmed on 64Bit CentOS & PHP 5.5.10
 [2016-06-07 04:03 UTC] pajoye@php.net
They are different issues. #72337 is about new width or height being zero.

This one is wrong type used for the new_width and height, as described precisely here.

Patches coming, running further tests.
 [2017-01-18 18:58 UTC] cmb@php.net
-Status: Open
+Status: Duplicate
-Assigned To:
+Assigned To: cmb
 [2017-01-18 18:58 UTC] cmb@php.net
This has already been fixed as resolution of bug #66890, so I'm
marking this ticket as duplicate.
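
Added example, not part of the original report or of PHP's source: a C sketch of the width mismatch the report describes, next to the matching pattern of receiving into a long and range-checking before narrowing to int. The names `store_long`, `struct frame`, `narrow_to_int` and the `SENTINEL` value are hypothetical; `store_long` only stands in for how an "l" argument is stored, and a struct is used so the layout is fixed and the write stays inside one object.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define SENTINEL 0x5A5A5A5A  /* constructed marker value */

/* Stand-in for how an "l" specifier stores its result: sizeof(long) bytes
 * are written to whatever address the caller supplied. */
static void store_long(void *dest, long value) {
    memcpy(dest, &value, sizeof(long));
}

/* Models the reported locals: an int-sized slot with a neighbour behind it.
 * A struct keeps the layout fixed and the write inside one object. */
struct frame { int new_width; int neighbour; };
_Static_assert(sizeof(struct frame) >= sizeof(long), "frame too small");

/* Mismatch: a long-sized store aimed at the int slot. Returns 1 if the
 * neighbour was overwritten (expected wherever long is wider than int). */
int mismatched_store_clobbers(void) {
    struct frame f = { 0, SENTINEL };
    store_long(&f, 256L);   /* &f is also the address of f.new_width */
    return f.neighbour != SENTINEL;
}

/* Matching pattern: receive into a long, check the range, then narrow.
 * Returns 0 on success, -1 if the value does not fit in an int. */
int narrow_to_int(long parsed, int *out) {
    if (parsed < INT_MIN || parsed > INT_MAX) return -1;
    *out = (int)parsed;
    return 0;
}

/* Returns 1 if the value arrives intact and the neighbour is untouched. */
int matched_store_ok(void) {
    struct { long tmp_width; int neighbour; } f = { 0, SENTINEL };
    int width = 0;
    store_long(&f.tmp_width, 256L);
    return narrow_to_int(f.tmp_width, &width) == 0
        && width == 256 && f.neighbour == SENTINEL;
}

int main(void) {
    printf("sizeof(int)=%zu sizeof(long)=%zu\n", sizeof(int), sizeof(long));
    printf("mismatched store clobbers neighbour: %d\n", mismatched_store_clobbers());
    printf("matched store leaves neighbour intact: %d\n", matched_store_ok());
    return 0;
}
```

On platforms where long and int have the same width, the mismatched store does not reach the neighbour.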
 
Last updated: Sat Nov 23 10:01:28 2024 UTC