Bug #73566 Crash Null Deref
Submitted: 2016-11-19 20:15 UTC Modified: -
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: honor dot ston3 at gmail dot com Assigned:
Status: Open Package: gmagick (PECL)
PHP Version: 7.0.13 OS: *nix
Private report: No CVE-ID: None
 [2016-11-19 20:15 UTC] honor dot ston3 at gmail dot com
Description:
------------
The following commands lead to a crash.

php test.php test.png

Test script:
---------------
<?php
  $image = new Gmagick();
  $image->readImage($argv[1]);
  $image->rotateImage('red', null);
  $image->resizeimage(200,200,0xfffffff,0);
  $image->writeImage('new.png');
  $image->destroy();
?>


Expected result:
----------------
php: magick/resize.c:1312: ResizeImage: Assertion `((int) filter >= 0) && ((int) filter <= SincFilter)' failed.
Magick: abort due to signal 6 (SIGABRT) "Abort"...
Aborted (core dumped)

Actual result:
--------------
(gdb) bt
#0  0xb7fdac31 in __kernel_vsyscall ()
#1  0xb7900e89 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#2  0xb79023e7 in __GI_abort () at abort.c:89
#3  0xb78f9d07 in __assert_fail_base (fmt=0xb7a34258 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", 
    assertion=0xb55e9750 "((int) filter >= 0) && ((int) filter <= SincFilter)", 
    file=0xb55e9675 "magick/resize.c", line=1312, function=0xb55e9a78 "ResizeImage") at assert.c:92
#4  0xb78f9d8b in __GI___assert_fail (
    assertion=0xb55e9750 "((int) filter >= 0) && ((int) filter <= SincFilter)", 
    file=0xb55e9675 "magick/resize.c", line=1312, function=0xb55e9a78 "ResizeImage") at assert.c:101
#5  0xb54a9a36 in ResizeImage () from /usr/lib/libGraphicsMagick-Q16.so.3
#6  0xb5763221 in MagickResizeImage () from /usr/lib/libGraphicsMagickWand-Q16.so.2
#7  0xb578ef70 in zim_gmagick_resizeimage () from /usr/lib/php/20151012/gmagick.so
#8  0x80289662 in execute_internal ()
#9  0x801e2dce in dtrace_execute_internal ()
#10 0x8027af65 in ?? ()
#11 0x802336da in execute_ex ()
#12 0x801e2c35 in dtrace_execute_ex ()
#13 0x8028b1b6 in zend_execute ()
#14 0x801f310d in zend_execute_scripts ()
#15 0x80192054 in php_execute_script ()
#16 0x8028d01f in ?? ()
#17 0x8006c64f in main ()

(gdb) info reg
eax            0x0	0
ecx            0x63db	25563
edx            0x6	6
ebx            0x63db	25563
esp            0xbfffb648	0xbfffb648
ebp            0x805167b0	0x805167b0
esi            0xb5c22000	-1245569024
edi            0xbfffb704	-1073760508
eip            0xb7fdac31	0xb7fdac31 <__kernel_vsyscall+9>
eflags         0x200206	[ PF IF ID ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51
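
The backtrace shows the abort coming from the range assertion on `filter` in ResizeImage(), reached with the script's filter value 0xfffffff. As an added example (not the extension's or GraphicsMagick's code), a binding could range-check the argument before it reaches the library; `example_check_filter` and `EXAMPLE_MAX_FILTER` (standing in for `SincFilter`, value assumed) are hypothetical names, and the 64-bit narrowing case goes beyond the 32-bit crash reported here.

```c
#include <stdio.h>

/* Stand-in for the upper bound named in the assertion. Assumption: a real
 * binding would use SincFilter from the GraphicsMagick headers instead. */
#define EXAMPLE_MAX_FILTER 15

/* Validate a script-supplied filter while it is still a wide integer.
 * Returns 0 and stores the narrowed value on success, -1 on rejection;
 * *filter_out is left untouched when the value is rejected.
 *
 * The check runs before the cast on purpose: where script integers are
 * 64 bits wide, a value such as 0x100000001 typically narrows to 1 and
 * would pass a check performed on the int, silently selecting a filter
 * the caller never asked for. */
int example_check_filter(long long requested, int *filter_out)
{
    if (requested < 0 || requested > EXAMPLE_MAX_FILTER)
        return -1;
    *filter_out = (int) requested;
    return 0;
}

int main(void)
{
    /* Constructed inputs; the first is the filter value from the test script. */
    const long long samples[] = { 0xfffffffLL, -1, 0x100000001LL, 0, 15 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int filter = -1;
        int rc = example_check_filter(samples[i], &filter);

        /* A binding would raise a script-level error on rejection instead
         * of letting the library's assert() abort the whole process. */
        printf("filter=%lld -> %s\n", samples[i],
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```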

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Nov 22 22:01:30 2024 UTC