Bug #75651 Segmentation fault with NextGen Gallery
Submitted: 2017-12-08 03:46 UTC Modified: 2018-05-05 21:50 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:0 (0.0%)
From: benjamin at imagely dot com Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 7.2.0 OS: FreeBSD 11.1
Private report: No CVE-ID: None
 [2017-12-08 03:46 UTC] benjamin at imagely dot com
Description:
------------
This happens with PHP 7.2.0

Configure Command =>  './configure'  '--with-layout=GNU' '--localstatedir=/var' '--with-config-file-scan-dir=/usr/local/etc/php' '--disable-all' '--enable-libxml' '--enable-mysqlnd' '--with-libxml-dir=/usr/local' '--with-pcre-regex=/usr/local' '--with-password-argon2=/usr/local' '--program-prefix=' '--enable-fpm' '--with-fpm-user=www' '--with-fpm-group=www' '--enable-phpdbg' '--enable-phpdbg-debug' '--enable-debug' '--enable-dtrace' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd11.1' 'build_alias=amd64-portbld-freebsd11.1' 'CFLAGS=-pipe -g -fstack-protector -fno-strict-aliasing' 'CPPFLAGS=' 'CPP=cpp'

Using WordPress and NextGen Gallery I created a new WP-CLI command that executes the attached test script. Attempting to view a gallery display will also generate a segmentation fault.

Here is my gdb backtrace:
#0  0x000000080240c84a in thr_kill () from /lib/libc.so.7                                    
#1  0x000000080240c814 in raise () from /lib/libc.so.7                                       
#2  0x000000080240c789 in abort () from /lib/libc.so.7                                       
#3  0x0000000802487e61 in __assert () from /lib/libc.so.7                                    
#4  0x00000000007997e1 in zend_get_property_guard (zobj=0x817a63a40, member=0x8102ba5a0) at zend_object_handlers.c:518                                                                    
#5  0x000000000079dc69 in zend_std_get_property_ptr_ptr (object=0x802c21290, member=0x811840210, type=1, cache_slot=0x817ad2238) at zend_object_handlers.c:935                            
#6  0x000000000085a0f2 in zend_fetch_property_address (result=0x802c21320, container=0x802c21290, container_op_type=16, prop_ptr=0x811840210, prop_op_type=1, cache_slot=0x817ad2238,     
    type=1) at zend_execute.c:1926            
#7  0x00000000007ebb5a in ZEND_FETCH_OBJ_W_SPEC_CV_CONST_HANDLER (execute_data=0x802c21240) at zend_vm_execute.h:36148                                                                    
#8  0x00000000007a9cbb in execute_ex (ex=0x802c21240) at zend_vm_execute.h:59726             
#9  0x000000000072470a in zend_call_function (fci=0x7fffffffac08, fci_cache=0x7fffffffabe0) at zend_execute_API.c:817                                                                     
#10 0x000000000049d15b in reflection_method_invoke (execute_data=0x802c211d0, return_value=0x802c211b0, variadic=0) at php_reflection.c:3221
#11 0x000000000049d2df in zim_reflection_method_invokeArgs (execute_data=0x802c211d0, return_value=0x802c211b0) at php_reflection.c:3257
#12 0x00000000007d7a7b in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x802c21110) at zend_vm_execute.h:1032
#13 0x00000000007a9cbb in execute_ex (ex=0x802c20fd0) at zend_vm_execute.h:59726
#14 0x000000000072470a in zend_call_function (fci=0x7fffffffb048, fci_cache=0x7fffffffb020) at zend_execute_API.c:817                                                                     
#15 0x000000000049d15b in reflection_method_invoke (execute_data=0x802c20f60, return_value=0x802c20f40, variadic=0) at php_reflection.c:3221                                              
#16 0x000000000049d2df in zim_reflection_method_invokeArgs (execute_data=0x802c20f60, return_value=0x802c20f40) at php_reflection.c:3257                                                  
#17 0x00000000007d7a7b in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x802c20ea0) at zend_vm_execute.h:1032                                                                     
#18 0x00000000007a9cbb in execute_ex (ex=0x802c20cd0) at zend_vm_execute.h:59726             
#19 0x000000000072470a in zend_call_function (fci=0x7fffffffb488, fci_cache=0x7fffffffb460) at zend_execute_API.c:817                                                                     
#20 0x000000000049d15b in reflection_method_invoke (execute_data=0x802c20c60, return_value=0x802c20c40, variadic=0) at php_reflection.c:3221                                              
#21 0x000000000049d2df in zim_reflection_method_invokeArgs (execute_data=0x802c20c60, return_value=0x802c20c40) at php_reflection.c:3257                                                  
#22 0x00000000007d7a7b in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x802c20ba0) at zend_vm_execute.h:1032                                                                     
#23 0x00000000007a9cbb in execute_ex (ex=0x802c209e0) at zend_vm_execute.h:59726             
#24 0x000000000072470a in zend_call_function (fci=0x7fffffffb8c8, fci_cache=0x7fffffffb8a0) at zend_execute_API.c:817                                                                     
#25 0x000000000049d15b in reflection_method_invoke (execute_data=0x802c20970, return_value=0x802c20950, variadic=0) at php_reflection.c:3221                                              
#26 0x000000000049d2df in zim_reflection_method_invokeArgs (execute_data=0x802c20970, return_value=0x802c20950) at php_reflection.c:3257                                                  
#27 0x00000000007d7a7b in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x802c208b0) at zend_vm_execute.h:1032                                                                     
#28 0x00000000007a9cbb in execute_ex (ex=0x802c20710) at zend_vm_execute.h:59726             
#29 0x000000000072470a in zend_call_function (fci=0x7fffffffbc78, fci_cache=0x7fffffffbc50) at zend_execute_API.c:817                                                                     
#30 0x0000000000526341 in zif_call_user_func (execute_data=0x802c20690, return_value=0x7fffffffbcf0) at basic_functions.c:4844                                                            
#31 0x00000000008088e0 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x802c205e0) at zend_vm_execute.h:738                                                            
#32 0x00000000007a9cbb in execute_ex (ex=0x802c205e0) at zend_vm_execute.h:59726             
#33 0x000000000072470a in zend_call_function (fci=0x7fffffffbfa8, fci_cache=0x7fffffffbf80) at zend_execute_API.c:817                                                                     
#34 0x0000000000526341 in zif_call_user_func (execute_data=0x802c20560, return_value=0x7fffffffc020) at basic_functions.c:4844                                                            
#35 0x00000000008088e0 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x802c20430) at zend_vm_execute.h:738                                                            
#36 0x00000000007a9cbb in execute_ex (ex=0x802c20030) at zend_vm_execute.h:59726             
#37 0x00000000007a9e8d in zend_execute (op_array=0x802c81300, return_value=0x0) at zend_vm_execute.h:63763                                                                                
#38 0x0000000000742045 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at zend.c:1496                                                                                          
#39 0x000000000069837b in php_execute_script (primary_file=0x7fffffffdda8) at main.c:2592    
#40 0x0000000000865a52 in do_cli (argc=4, argv=0x7fffffffe3e0) at php_cli.c:1011             
#41 0x0000000000864a8d in main (argc=4, argv=0x7fffffffe3e0) at php_cli.c:1404

Furthermore the segmentation fault appears to happen in our class.displayed_gallery.php when executing these two lines:
foreach ($this->object->display_settings as $key => $val)
    $display_type->settings[$key] = $val;

A die() statement placed before this foreach() will always succeed, but placed after this foreach() will never be reached. Additionally adding a simple counter ($i = 0... $i++..) to limit the above foreach() to exactly TWO iterations will succeed but the third will always fail.

Test script:
---------------
echo C_Displayed_Gallery_Renderer::get_instance()->display_images([
    'source' => 'galleries',
    'display_type' => NGG_BASIC_THUMBNAILS,
    'container_ids' => 4]);
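
Added example (not part of the original report, and not PHP project tooling): a Python triage helper for a gdb backtrace like the one above. It flattens wrapped or run-together frames, reports whether the process died in abort() reached from a failed assert() (the build above is configured with --enable-debug), and names the first frame that carries source information. The names parse_frames and triage are hypothetical; the sample frames are copied, abridged, from the report.

```python
import re
from collections import Counter

# Frames copied from the report's backtrace (abridged: #7-#9 omitted).
# Frame #6 is wrapped and #10/#11 share one line, as in a pasted terminal.
SAMPLE = """\
#0  0x000000080240c84a in thr_kill () from /lib/libc.so.7
#1  0x000000080240c814 in raise () from /lib/libc.so.7
#2  0x000000080240c789 in abort () from /lib/libc.so.7
#3  0x0000000802487e61 in __assert () from /lib/libc.so.7
#4  0x00000000007997e1 in zend_get_property_guard (zobj=0x817a63a40, member=0x8102ba5a0) at zend_object_handlers.c:518
#5  0x000000000079dc69 in zend_std_get_property_ptr_ptr (object=0x802c21290, member=0x811840210, type=1, cache_slot=0x817ad2238) at zend_object_handlers.c:935
#6  0x000000000085a0f2 in zend_fetch_property_address (result=0x802c21320, container=0x802c21290, container_op_type=16,
    type=1) at zend_execute.c:1926
#10 0x000000000049d15b in reflection_method_invoke (execute_data=0x802c211d0, variadic=0) at php_reflection.c:3221      #11 0x000000000049d2df in zim_reflection_method_invokeArgs (execute_data=0x802c211d0) at php_reflection.c:3257
"""

# One gdb frame: "#N [ADDR in ] FUNC (ARGS) [at FILE:LINE | from LIB]"
FRAME = re.compile(
    r"#(?P<n>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>[\w:~<>]+) \((?P<args>.*?)\)"
    r"(?: at (?P<file>[^\s:]+):(?P<line>\d+)| from (?P<lib>\S+))?")

def parse_frames(text):
    """Collapse all whitespace first so wrapped and merged frames parse alike."""
    flat = " ".join(text.split())
    return [m.groupdict() for m in FRAME.finditer(flat)]

def triage(text):
    frames = parse_frames(text)
    funcs = [f["func"] for f in frames]
    # abort() reached through __assert() is a failed assert() in the binary,
    # i.e. a controlled abort rather than a raw invalid memory access.
    assertion = "__assert" in funcs and "abort" in funcs
    # First frame with file:line is where the application itself was executing.
    site = next((f for f in frames if f["file"]), None)
    return {
        "frames": len(frames),
        "assertion_failure": assertion,
        "site": (site["func"], site["file"], int(site["line"])) if site else None,
        # How many nested reflection invocations are on the stack.
        "reflection_depth": Counter(funcs)["reflection_method_invoke"],
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```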


 [2017-12-08 18:43 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2017-12-08 18:43 UTC] ab@php.net
Thanks for the report. This seems to be a duplicate of bug #75573, which so far is fixed in dev only. Please check.

Thanks.
 [2018-05-05 21:50 UTC] requinix@php.net
-Status: Feedback +Status: No Feedback
 