Bug #72337 segfault in gdImageScaleBicubicFixed at gd_interpolation.c:1605
Submitted: 2016-06-05 21:12 UTC Modified: 2016-07-12 17:55 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 1 (100.0%)
From: brian dot carpenter at gmail dot com Assigned: ab (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.0Git-2016-06-05 (Git) OS: Debian 8.2 x64
Private report: No CVE-ID: None
 [2016-06-05 21:12 UTC] brian dot carpenter at gmail dot com
Description:
------------
While fuzzing PHP 7.1.0-dev (cli) (built: Jun  1 2016 04:52:26) with American Fuzzy Lop, this test case was found to cause a segfault.

Test script:
---------------
<?php
// Fuzzer-minimised reproducer, kept as submitted. `!0` is bool(true), which
// imagecreatetruecolor() coerces to 1. `w` and `B` are undefined constants;
// PHP 7.0 treats them as the strings "w" and "B" (with notices), and the
// string XOR "w" ^ "B" is "5", i.e. the value of IMG_BICUBIC_FIXED.
$img=imagecreatetruecolor(1,!0);imagescale($img,0,0,w^B);

Expected result:
----------------
No crash.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
gdImageScaleBicubicFixed (src=0x7ffff5e77000, width=<optimized out>, height=<optimized out>)
    at /home/geeknik/php-src/ext/gd/libgd/gd_interpolation.c:1605
1605                                            c = src->tpixels[*(src_offset_y + _k)][*(src_offset_x + _k)];

(gdb) bt
#0  gdImageScaleBicubicFixed (src=0x7ffff5e77000, width=<optimized out>, height=<optimized out>)
    at /home/geeknik/php-src/ext/gd/libgd/gd_interpolation.c:1605
#1  0x0000000000e675c5 in gdImageScale (src=src@entry=0x7ffff5e77000, new_width=new_width@entry=0,
    new_height=new_height@entry=0) at /home/geeknik/php-src/ext/gd/libgd/gd_interpolation.c:1651
#2  0x0000000000d74b26 in zif_imagescale (execute_data=<optimized out>, return_value=0x7fffffffacd0)
    at /home/geeknik/php-src/ext/gd/gd.c:4674
#3  0x00000000018d9c96 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x7ffff5e13030)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:616
#4  0x000000000187ba98 in execute_ex (ex=<optimized out>) at /home/geeknik/php-src/Zend/zend_vm_execute.h:429
#5  0x0000000001a7b73c in zend_execute (op_array=op_array@entry=0x7ffff5e7f000,
    return_value=return_value@entry=0x0) at /home/geeknik/php-src/Zend/zend_vm_execute.h:471
#6  0x0000000001684641 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0,
    file_count=file_count@entry=3) at /home/geeknik/php-src/Zend/zend.c:1427
#7  0x0000000001428538 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd270)
    at /home/geeknik/php-src/main/main.c:2492
#8  0x0000000001a85d65 in do_cli (argc=2, argv=0x22359f0) at /home/geeknik/php-src/sapi/cli/php_cli.c:982
#9  0x00000000004561b5 in main (argc=2, argv=0x22359f0) at /home/geeknik/php-src/sapi/cli/php_cli.c:1352

(gdb) l
1600                                            if (f_fm1 > 0) f_d = gd_mulfx(f_fm1,gd_mulfx(f_fm1,f_fm1));
1601
1602                                            f_RX = gd_divfx((f_a-gd_mulfx(f_4,f_b)+gd_mulfx(f_6,f_c)-gd_mulfx(f_4,f_d)),f_6);
1603                                            f_R = gd_mulfx(f_RY,f_RX);
1604
1605                                            c = src->tpixels[*(src_offset_y + _k)][*(src_offset_x + _k)];
1606                                            f_rs = gd_itofx(gdTrueColorGetRed(c));
1607                                            f_gs = gd_itofx(gdTrueColorGetGreen(c));
1608                                            f_bs = gd_itofx(gdTrueColorGetBlue(c));
1609                                            f_ba = gd_itofx(gdTrueColorGetAlpha(c));


==18480== Conditional jump or move depends on uninitialised value(s)
==18480==    at 0x1711BCE: zend_hash_find (zend_hash.c:494)
==18480==    by 0x183905C: zend_do_inheritance (zend_inheritance.c:645)
==18480==    by 0x16AB72A: zend_register_internal_class_ex (zend_API.c:2671)
==18480==    by 0x176C46E: zend_register_default_exception (zend_exceptions.c:835)
==18480==    by 0x18281C5: zend_register_default_classes (zend_default_classes.c:34)
==18480==    by 0x173C3D9: zm_startup_core (zend_builtin_functions.c:391)
==18480==    by 0x169C8C7: zend_startup_module_ex (zend_API.c:1838)
==18480==    by 0x16FA6A5: zend_hash_apply (zend_hash.c:1533)
==18480==    by 0x16A1355: zend_startup_modules (zend_API.c:1964)
==18480==    by 0x1425D69: php_module_startup (main.c:2215)
==18480==    by 0x1A81554: php_cli_startup (php_cli.c:423)
==18480==    by 0x455607: main (php_cli.c:1332)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0x4003208: dl_main (rtld.c:1666)
==18480==
==18480== Conditional jump or move depends on uninitialised value(s)
==18480==    at 0x1711F6D: zend_hash_find (zend_hash.c:494)
==18480==    by 0x183905C: zend_do_inheritance (zend_inheritance.c:645)
==18480==    by 0x16AB72A: zend_register_internal_class_ex (zend_API.c:2671)
==18480==    by 0x176C46E: zend_register_default_exception (zend_exceptions.c:835)
==18480==    by 0x18281C5: zend_register_default_classes (zend_default_classes.c:34)
==18480==    by 0x173C3D9: zm_startup_core (zend_builtin_functions.c:391)
==18480==    by 0x169C8C7: zend_startup_module_ex (zend_API.c:1838)
==18480==    by 0x16FA6A5: zend_hash_apply (zend_hash.c:1533)
==18480==    by 0x16A1355: zend_startup_modules (zend_API.c:1964)
==18480==    by 0x1425D69: php_module_startup (main.c:2215)
==18480==    by 0x1A81554: php_cli_startup (php_cli.c:423)
==18480==    by 0x455607: main (php_cli.c:1332)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0x4003208: dl_main (rtld.c:1666)
==18480==
==18480== Conditional jump or move depends on uninitialised value(s)
==18480==    at 0x1711BCE: zend_hash_find (zend_hash.c:494)
==18480==    by 0x183905C: zend_do_inheritance (zend_inheritance.c:645)
==18480==    by 0x16AB72A: zend_register_internal_class_ex (zend_API.c:2671)
==18480==    by 0x176C8ED: zend_register_default_exception (zend_exceptions.c:853)
==18480==    by 0x18281C5: zend_register_default_classes (zend_default_classes.c:34)
==18480==    by 0x173C3D9: zm_startup_core (zend_builtin_functions.c:391)
==18480==    by 0x169C8C7: zend_startup_module_ex (zend_API.c:1838)
==18480==    by 0x16FA6A5: zend_hash_apply (zend_hash.c:1533)
==18480==    by 0x16A1355: zend_startup_modules (zend_API.c:1964)
==18480==    by 0x1425D69: php_module_startup (main.c:2215)
==18480==    by 0x1A81554: php_cli_startup (php_cli.c:423)
==18480==    by 0x455607: main (php_cli.c:1332)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0x4003208: dl_main (rtld.c:1666)
==18480==
==18480== Conditional jump or move depends on uninitialised value(s)
==18480==    at 0x1711F6D: zend_hash_find (zend_hash.c:494)
==18480==    by 0x183905C: zend_do_inheritance (zend_inheritance.c:645)
==18480==    by 0x16AB72A: zend_register_internal_class_ex (zend_API.c:2671)
==18480==    by 0x176C8ED: zend_register_default_exception (zend_exceptions.c:853)
==18480==    by 0x18281C5: zend_register_default_classes (zend_default_classes.c:34)
==18480==    by 0x173C3D9: zm_startup_core (zend_builtin_functions.c:391)
==18480==    by 0x169C8C7: zend_startup_module_ex (zend_API.c:1838)
==18480==    by 0x16FA6A5: zend_hash_apply (zend_hash.c:1533)
==18480==    by 0x16A1355: zend_startup_modules (zend_API.c:1964)
==18480==    by 0x1425D69: php_module_startup (main.c:2215)
==18480==    by 0x1A81554: php_cli_startup (php_cli.c:423)
==18480==    by 0x455607: main (php_cli.c:1332)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0x4003208: dl_main (rtld.c:1666)
==18480==
==18480== Conditional jump or move depends on uninitialised value(s)
==18480==    at 0x1711BCE: zend_hash_find (zend_hash.c:494)
==18480==    by 0x183905C: zend_do_inheritance (zend_inheritance.c:645)
==18480==    by 0x16AB72A: zend_register_internal_class_ex (zend_API.c:2671)
==18480==    by 0x176CAAF: zend_register_default_exception (zend_exceptions.c:857)
==18480==    by 0x18281C5: zend_register_default_classes (zend_default_classes.c:34)
==18480==    by 0x173C3D9: zm_startup_core (zend_builtin_functions.c:391)
==18480==    by 0x169C8C7: zend_startup_module_ex (zend_API.c:1838)
==18480==    by 0x16FA6A5: zend_hash_apply (zend_hash.c:1533)
==18480==    by 0x16A1355: zend_startup_modules (zend_API.c:1964)
==18480==    by 0x1425D69: php_module_startup (main.c:2215)
==18480==    by 0x1A81554: php_cli_startup (php_cli.c:423)
==18480==    by 0x455607: main (php_cli.c:1332)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0x4003208: dl_main (rtld.c:1666)
==18480==
==18480== Conditional jump or move depends on uninitialised value(s)
==18480==    at 0x1711F6D: zend_hash_find (zend_hash.c:494)
==18480==    by 0x183905C: zend_do_inheritance (zend_inheritance.c:645)
==18480==    by 0x16AB72A: zend_register_internal_class_ex (zend_API.c:2671)
==18480==    by 0x176CAAF: zend_register_default_exception (zend_exceptions.c:857)
==18480==    by 0x18281C5: zend_register_default_classes (zend_default_classes.c:34)
==18480==    by 0x173C3D9: zm_startup_core (zend_builtin_functions.c:391)
==18480==    by 0x169C8C7: zend_startup_module_ex (zend_API.c:1838)
==18480==    by 0x16FA6A5: zend_hash_apply (zend_hash.c:1533)
==18480==    by 0x16A1355: zend_startup_modules (zend_API.c:1964)
==18480==    by 0x1425D69: php_module_startup (main.c:2215)
==18480==    by 0x1A81554: php_cli_startup (php_cli.c:423)
==18480==    by 0x455607: main (php_cli.c:1332)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0x4003208: dl_main (rtld.c:1666)
==18480==
==18480== Conditional jump or move depends on uninitialised value(s)
==18480==    at 0x1711BCE: zend_hash_find (zend_hash.c:494)
==18480==    by 0x183905C: zend_do_inheritance (zend_inheritance.c:645)
==18480==    by 0x16AB72A: zend_register_internal_class_ex (zend_API.c:2671)
==18480==    by 0x176CC7E: zend_register_default_exception (zend_exceptions.c:861)
==18480==    by 0x18281C5: zend_register_default_classes (zend_default_classes.c:34)
==18480==    by 0x173C3D9: zm_startup_core (zend_builtin_functions.c:391)
==18480==    by 0x169C8C7: zend_startup_module_ex (zend_API.c:1838)
==18480==    by 0x16FA6A5: zend_hash_apply (zend_hash.c:1533)
==18480==    by 0x16A1355: zend_startup_modules (zend_API.c:1964)
==18480==    by 0x1425D69: php_module_startup (main.c:2215)
==18480==    by 0x1A81554: php_cli_startup (php_cli.c:423)
==18480==    by 0x455607: main (php_cli.c:1332)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0x4003208: dl_main (rtld.c:1666)
==18480==
==18480== Conditional jump or move depends on uninitialised value(s)
==18480==    at 0x1711F6D: zend_hash_find (zend_hash.c:494)
==18480==    by 0x183905C: zend_do_inheritance (zend_inheritance.c:645)
==18480==    by 0x16AB72A: zend_register_internal_class_ex (zend_API.c:2671)
==18480==    by 0x176CC7E: zend_register_default_exception (zend_exceptions.c:861)
==18480==    by 0x18281C5: zend_register_default_classes (zend_default_classes.c:34)
==18480==    by 0x173C3D9: zm_startup_core (zend_builtin_functions.c:391)
==18480==    by 0x169C8C7: zend_startup_module_ex (zend_API.c:1838)
==18480==    by 0x16FA6A5: zend_hash_apply (zend_hash.c:1533)
==18480==    by 0x16A1355: zend_startup_modules (zend_API.c:1964)
==18480==    by 0x1425D69: php_module_startup (main.c:2215)
==18480==    by 0x1A81554: php_cli_startup (php_cli.c:423)
==18480==    by 0x455607: main (php_cli.c:1332)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0x4003208: dl_main (rtld.c:1666)
==18480==
==18480== Conditional jump or move depends on uninitialised value(s)
==18480==    at 0x1711BCE: zend_hash_find (zend_hash.c:494)
==18480==    by 0x183905C: zend_do_inheritance (zend_inheritance.c:645)
==18480==    by 0x16AB72A: zend_register_internal_class_ex (zend_API.c:2671)
==18480==    by 0x176CE4A: zend_register_default_exception (zend_exceptions.c:865)
==18480==    by 0x18281C5: zend_register_default_classes (zend_default_classes.c:34)
==18480==    by 0x173C3D9: zm_startup_core (zend_builtin_functions.c:391)
==18480==    by 0x169C8C7: zend_startup_module_ex (zend_API.c:1838)
==18480==    by 0x16FA6A5: zend_hash_apply (zend_hash.c:1533)
==18480==    by 0x16A1355: zend_startup_modules (zend_API.c:1964)
==18480==    by 0x1425D69: php_module_startup (main.c:2215)
==18480==    by 0x1A81554: php_cli_startup (php_cli.c:423)
==18480==    by 0x455607: main (php_cli.c:1332)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0x4003208: dl_main (rtld.c:1666)
==18480==
==18480== Conditional jump or move depends on uninitialised value(s)
==18480==    at 0x1711F6D: zend_hash_find (zend_hash.c:494)
==18480==    by 0x183905C: zend_do_inheritance (zend_inheritance.c:645)
==18480==    by 0x16AB72A: zend_register_internal_class_ex (zend_API.c:2671)
==18480==    by 0x176CE4A: zend_register_default_exception (zend_exceptions.c:865)
==18480==    by 0x18281C5: zend_register_default_classes (zend_default_classes.c:34)
==18480==    by 0x173C3D9: zm_startup_core (zend_builtin_functions.c:391)
==18480==    by 0x169C8C7: zend_startup_module_ex (zend_API.c:1838)
==18480==    by 0x16FA6A5: zend_hash_apply (zend_hash.c:1533)
==18480==    by 0x16A1355: zend_startup_modules (zend_API.c:1964)
==18480==    by 0x1425D69: php_module_startup (main.c:2215)
==18480==    by 0x1A81554: php_cli_startup (php_cli.c:423)
==18480==    by 0x455607: main (php_cli.c:1332)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0x4003208: dl_main (rtld.c:1666)
==18480==
==18480== Conditional jump or move depends on uninitialised value(s)
==18480==    at 0x1711BCE: zend_hash_find (zend_hash.c:494)
==18480==    by 0x183905C: zend_do_inheritance (zend_inheritance.c:645)
==18480==    by 0x16AB72A: zend_register_internal_class_ex (zend_API.c:2671)
==18480==    by 0x17C3E3A: zend_register_generator_ce (zend_generators.c:1255)
==18480==    by 0x173C3D9: zm_startup_core (zend_builtin_functions.c:391)
==18480==    by 0x169C8C7: zend_startup_module_ex (zend_API.c:1838)
==18480==    by 0x16FA6A5: zend_hash_apply (zend_hash.c:1533)
==18480==    by 0x16A1355: zend_startup_modules (zend_API.c:1964)
==18480==    by 0x1425D69: php_module_startup (main.c:2215)
==18480==    by 0x1A81554: php_cli_startup (php_cli.c:423)
==18480==    by 0x455607: main (php_cli.c:1332)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0x4003208: dl_main (rtld.c:1666)
==18480==
==18480== Conditional jump or move depends on uninitialised value(s)
==18480==    at 0x1711F6D: zend_hash_find (zend_hash.c:494)
==18480==    by 0x183905C: zend_do_inheritance (zend_inheritance.c:645)
==18480==    by 0x16AB72A: zend_register_internal_class_ex (zend_API.c:2671)
==18480==    by 0x17C3E3A: zend_register_generator_ce (zend_generators.c:1255)
==18480==    by 0x173C3D9: zm_startup_core (zend_builtin_functions.c:391)
==18480==    by 0x169C8C7: zend_startup_module_ex (zend_API.c:1838)
==18480==    by 0x16FA6A5: zend_hash_apply (zend_hash.c:1533)
==18480==    by 0x16A1355: zend_startup_modules (zend_API.c:1964)
==18480==    by 0x1425D69: php_module_startup (main.c:2215)
==18480==    by 0x1A81554: php_cli_startup (php_cli.c:423)
==18480==    by 0x455607: main (php_cli.c:1332)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0x4003208: dl_main (rtld.c:1666)
==18480==
==18480== Use of uninitialised value of size 8
==18480==    at 0xE6685D: gdImageScaleBicubicFixed (gd_interpolation.c:1605)
==18480==    by 0xD74B25: zif_imagescale (gd.c:4674)
==18480==    by 0x18D9C95: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:616)
==18480==    by 0x187BA97: execute_ex (zend_vm_execute.h:429)
==18480==    by 0x1A7B73B: zend_execute (zend_vm_execute.h:471)
==18480==    by 0x1684640: zend_execute_scripts (zend.c:1427)
==18480==    by 0x1428537: php_execute_script (main.c:2492)
==18480==    by 0x1A85D64: do_cli (php_cli.c:982)
==18480==    by 0x4561B4: main (php_cli.c:1352)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0xE671D0: gdImageScale (gd_interpolation.c:1633)
==18480==
==18480== Use of uninitialised value of size 8
==18480==    at 0xE66896: gdImageScaleBicubicFixed (gd_interpolation.c:1605)
==18480==    by 0xD74B25: zif_imagescale (gd.c:4674)
==18480==    by 0x18D9C95: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:616)
==18480==    by 0x187BA97: execute_ex (zend_vm_execute.h:429)
==18480==    by 0x1A7B73B: zend_execute (zend_vm_execute.h:471)
==18480==    by 0x1684640: zend_execute_scripts (zend.c:1427)
==18480==    by 0x1428537: php_execute_script (main.c:2492)
==18480==    by 0x1A85D64: do_cli (php_cli.c:982)
==18480==    by 0x4561B4: main (php_cli.c:1352)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0xE65C70: gdImageScaleBicubicFixed (gd_interpolation.c:1397)
==18480==
==18480== Invalid read of size 4
==18480==    at 0xE66896: gdImageScaleBicubicFixed (gd_interpolation.c:1605)
==18480==    by 0xD74B25: zif_imagescale (gd.c:4674)
==18480==    by 0x18D9C95: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:616)
==18480==    by 0x187BA97: execute_ex (zend_vm_execute.h:429)
==18480==    by 0x1A7B73B: zend_execute (zend_vm_execute.h:471)
==18480==    by 0x1684640: zend_execute_scripts (zend.c:1427)
==18480==    by 0x1428537: php_execute_script (main.c:2492)
==18480==    by 0x1A85D64: do_cli (php_cli.c:982)
==18480==    by 0x4561B4: main (php_cli.c:1352)
==18480==  Address 0x40707201c is not stack'd, malloc'd or (recently) free'd


 [2016-06-06 18:43 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2016-06-06 18:43 UTC] cmb@php.net
I can confirm the issue (seems to affect older versions also).
The given test script is identical to:

    <?php
    $im = imagecreatetruecolor(1, 1);
    imagescale($im, 0, 0, IMG_BICUBIC_FIXED);

The issue might be related to bug #66625.
 [2016-06-07 04:06 UTC] pajoye@php.net
They are different issues. This one is about the new width or height being zero, which may go through.

#66625 is about the wrong type used for new_width and new_height, as described precisely there.

Patches coming, running further tests.
 [2016-06-07 10:44 UTC] pajoye@php.net
-Status: Verified +Status: Assigned -Assigned To: +Assigned To: ab
 [2016-06-07 10:44 UTC] pajoye@php.net
Fixed in 5.6+

Must be merged to 5.5, but as it is in security mode, I leave the choice to the RMs to merge it or not before the last release.
 [2016-07-12 17:55 UTC] ab@php.net
-Status: Assigned +Status: Closed
 [2016-07-12 17:55 UTC] ab@php.net
As discussed with Julien, this is not a security related issue, so won't be merged into 5.5.

Thanks.
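The practical consequence of the discussion above is that, on a build without the fix, any code path that forwards caller-controlled dimensions into imagescale() can take the whole PHP process down with a single zero-sized request. The following is an added example, not code from the bug report or from PHP's own fix: a userland guard that rejects the argument shapes this report shows reaching libgd. The function name safe_imagescale, the $maxDim bound, the restriction to the four interpolation modes named in the imagescale() documentation, and the integer approximation of the aspect-ratio height that imagescale() derives for new_height = -1 are all assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the bug report or from PHP's fix: a userland
// guard that rejects the argument shapes this report shows reaching libgd.
// On an unfixed build, imagescale($im, 0, 0, IMG_BICUBIC_FIXED) kills the
// whole PHP process, so a resize endpoint that forwards request parameters
// straight into imagescale() is a one-request denial of service.

/**
 * Wrapper around imagescale() that validates before libgd is entered.
 *
 * $maxDim (assumed value, not from the report) also bounds the output size so
 * callers cannot request a huge allocation; the report itself only covers the
 * zero case. The four interpolation modes listed are the ones the imagescale()
 * documentation names explicitly; other IMG_* modes are deliberately refused.
 */
function safe_imagescale($im, int $newWidth, int $newHeight = -1,
                         int $mode = IMG_BILINEAR_FIXED, int $maxDim = 8192)
{
    // GdImage on PHP 8, resource on PHP 7; instanceof on an unknown class is false.
    if (!($im instanceof GdImage) && !is_resource($im)) {
        throw new InvalidArgumentException('not a GD image');
    }
    $srcW = imagesx($im);
    $srcH = imagesy($im);

    if ($newWidth <= 0 || $newWidth > $maxDim) {
        throw new InvalidArgumentException("bad target width $newWidth");
    }

    if ($newHeight === -1) {
        // -1 asks imagescale() to derive the height from the aspect ratio.
        // Approximate that derivation (assumption: integer scaling of srcH by
        // newWidth/srcW) and refuse when it would collapse to zero, e.g. a
        // wide banner scaled down to a 1-pixel width.
        $derived = intdiv($newWidth * $srcH, $srcW);
        if ($derived <= 0 || $derived > $maxDim) {
            throw new InvalidArgumentException("derived target height $derived is out of range");
        }
    } elseif ($newHeight <= 0 || $newHeight > $maxDim) {
        throw new InvalidArgumentException("bad target height $newHeight");
    }

    $allowed = [IMG_NEAREST_NEIGHBOUR, IMG_BILINEAR_FIXED, IMG_BICUBIC, IMG_BICUBIC_FIXED];
    if (!in_array($mode, $allowed, true)) {
        throw new InvalidArgumentException("unsupported interpolation mode $mode");
    }

    $out = imagescale($im, $newWidth, $newHeight, $mode);
    if ($out === false) {
        throw new RuntimeException('imagescale() failed');
    }
    return $out;
}

// The report's reproducer, now rejected before reaching gdImageScaleBicubicFixed():
$im = imagecreatetruecolor(1, 1);
try {
    safe_imagescale($im, 0, 0, IMG_BICUBIC_FIXED);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// A legitimate call still works: 1x1 -> 4x4 with the same interpolation mode.
$scaled = safe_imagescale($im, 4, 4, IMG_BICUBIC_FIXED);
echo imagesx($scaled), 'x', imagesy($scaled), "\n";
```

The check belongs in front of imagescale() rather than relying on the engine's own validation because, as the thread records, the fix was not merged into every branch still in use at the time; an application-level bound on both the minimum and the maximum dimension is also the right place to stop oversized allocations that the report does not address.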
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC