Bug #79945 using php wrappers in imagecreatefrompng causes segmentation fault
Submitted: 2020-08-08 14:55 UTC Modified: 2020-08-09 11:26 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: yiyezhiqiu233 at gmail dot com Assigned:
Status: Closed Package: Streams related
PHP Version: 7.4.9 OS: ubuntu 20.04
Private report: No CVE-ID: None
 [2020-08-08 14:55 UTC] yiyezhiqiu233 at gmail dot com
Description:
------------
I try to use PHP wrappers in imagecreatefrompng, such as php://filter,
but in some cases it can stably cause a segmentation fault.

Test script:
---------------
<?php
// The PNG loader is handed a php://filter stream rather than a plain file path.
$a = "php://filter/read=convert.base64-encode/resource=/etc/passwd";
imagecreatefrompng($a);

Expected result:
----------------
PHP Warning:  imagecreatefrompng(): '/etc/passwd' is not a valid PNG file in gd.php on line 3

Actual result:
--------------
[1]    945 segmentation fault  php gd.php

History
 [2020-08-08 18:52 UTC] requinix@php.net
-Status: Open +Status: Verified -Package: GD related +Package: Streams related
 [2020-08-08 18:52 UTC] requinix@php.net
Stack overflow

(gdb) bt 20
#0  0x0000000008613978 in _php_stream_seek (stream=0x0, offset=0, whence=0) at /home/ubuntu/php/php-7.4.9-src/main/streams/streams.c:1303
#1  0x0000000008616bd9 in stream_cookie_seeker (cookie=0x7ffff4c80500, position=0x7fffff7ef3f8, whence=1) at /home/ubuntu/php/php-7.4.9-src/main/streams/cast.c:109
#2  0x00007ffffba1f000 in _IO_cookie_seek (fp=<optimized out>, offset=<optimized out>, dir=<optimized out>) at iofopncook.c:89
#3  0x00007ffffba2a757 in _IO_new_file_sync (fp=0x975cc30) at fileops.c:821
#4  0x00007ffffba1e87d in __GI__IO_fflush (fp=0x975cc30) at iofflush.c:40
#5  0x00000000086139c3 in _php_stream_seek (stream=0x7ffff4c80500, offset=-2072, whence=1) at /home/ubuntu/php/php-7.4.9-src/main/streams/streams.c:1306
#6  0x0000000008616bd9 in stream_cookie_seeker (cookie=0x7ffff4c80500, position=0x7fffff7ef8e8, whence=1) at /home/ubuntu/php/php-7.4.9-src/main/streams/cast.c:109
#7  0x00007ffffba1f000 in _IO_cookie_seek (fp=<optimized out>, offset=<optimized out>, dir=<optimized out>) at iofopncook.c:89
#8  0x00007ffffba2a757 in _IO_new_file_sync (fp=0x975cc30) at fileops.c:821
#9  0x00007ffffba1e87d in __GI__IO_fflush (fp=0x975cc30) at iofflush.c:40
#10 0x00000000086139c3 in _php_stream_seek (stream=0x7ffff4c80500, offset=-2072, whence=1) at /home/ubuntu/php/php-7.4.9-src/main/streams/streams.c:1306
#11 0x0000000008616bd9 in stream_cookie_seeker (cookie=0x7ffff4c80500, position=0x7fffff7efdd8, whence=1) at /home/ubuntu/php/php-7.4.9-src/main/streams/cast.c:109
#12 0x00007ffffba1f000 in _IO_cookie_seek (fp=<optimized out>, offset=<optimized out>, dir=<optimized out>) at iofopncook.c:89
#13 0x00007ffffba2a757 in _IO_new_file_sync (fp=0x975cc30) at fileops.c:821
#14 0x00007ffffba1e87d in __GI__IO_fflush (fp=0x975cc30) at iofflush.c:40
#15 0x00000000086139c3 in _php_stream_seek (stream=0x7ffff4c80500, offset=-2072, whence=1) at /home/ubuntu/php/php-7.4.9-src/main/streams/streams.c:1306
#16 0x0000000008616bd9 in stream_cookie_seeker (cookie=0x7ffff4c80500, position=0x7fffff7f02c8, whence=1) at /home/ubuntu/php/php-7.4.9-src/main/streams/cast.c:109
#17 0x00007ffffba1f000 in _IO_cookie_seek (fp=<optimized out>, offset=<optimized out>, dir=<optimized out>) at iofopncook.c:89
#18 0x00007ffffba2a757 in _IO_new_file_sync (fp=0x975cc30) at fileops.c:821
#19 0x00007ffffba1e87d in __GI__IO_fflush (fp=0x975cc30) at iofflush.c:40
(More stack frames follow...)

(gdb) bt -20
#33099 0x00007ffffba1e87d in __GI__IO_fflush (fp=0x975cc30) at iofflush.c:40
#33100 0x00000000086139c3 in _php_stream_seek (stream=0x7ffff4c80500, offset=-2072, whence=1) at /home/ubuntu/php/php-7.4.9-src/main/streams/streams.c:1306
#33101 0x0000000008616bd9 in stream_cookie_seeker (cookie=0x7ffff4c80500, position=0x7ffffffea238, whence=1) at /home/ubuntu/php/php-7.4.9-src/main/streams/cast.c:109
#33102 0x00007ffffba1f000 in _IO_cookie_seek (fp=<optimized out>, offset=<optimized out>, dir=<optimized out>) at iofopncook.c:89
#33103 0x00007ffffba2a757 in _IO_new_file_sync (fp=0x975cc30) at fileops.c:821
#33104 0x00007ffffba1e87d in __GI__IO_fflush (fp=0x975cc30) at iofflush.c:40
#33105 0x00000000086139c3 in _php_stream_seek (stream=0x7ffff4c80500, offset=-2072, whence=1) at /home/ubuntu/php/php-7.4.9-src/main/streams/streams.c:1306
#33106 0x0000000008616bd9 in stream_cookie_seeker (cookie=0x7ffff4c80500, position=0x7ffffffea728, whence=1) at /home/ubuntu/php/php-7.4.9-src/main/streams/cast.c:109
#33107 0x00007ffffba1f000 in _IO_cookie_seek (fp=<optimized out>, offset=<optimized out>, dir=<optimized out>) at iofopncook.c:89
#33108 0x00007ffffba2a757 in _IO_new_file_sync (fp=0x975cc30) at fileops.c:821
#33109 0x00007ffffba1e87d in __GI__IO_fflush (fp=0x975cc30) at iofflush.c:40
#33110 0x00000000082e56d2 in _php_image_create_from (execute_data=0x7ffff4c130a0, return_value=0x7ffffffea880, image_type=2, tn=0x8dc40fa "PNG", func_p=0x82f988c <php_gd_gdImageCreateFromPng>, ioctx_func_p=0x82f991f <php_gd_gdImageCreateFromPngCtx>)
    at /home/ubuntu/php/php-7.4.9-src/ext/gd/gd.c:2525
#33111 0x00000000082e5808 in zif_imagecreatefrompng (execute_data=0x7ffff4c130a0, return_value=0x7ffffffea880) at /home/ubuntu/php/php-7.4.9-src/ext/gd/gd.c:2566
#33112 0x0000000008704e3e in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER () at /home/ubuntu/php/php-7.4.9-src/Zend/zend_vm_execute.h:1269
#33113 0x000000000876ad09 in execute_ex (ex=0x7ffff4c13020) at /home/ubuntu/php/php-7.4.9-src/Zend/zend_vm_execute.h:53736
#33114 0x000000000876ee5d in zend_execute (op_array=0x7ffff4c80300, return_value=0x0) at /home/ubuntu/php/php-7.4.9-src/Zend/zend_vm_execute.h:57856
#33115 0x0000000008691565 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/ubuntu/php/php-7.4.9-src/Zend/zend.c:1672
#33116 0x00000000085f27a3 in php_execute_script (primary_file=0x7ffffffed020) at /home/ubuntu/php/php-7.4.9-src/main/main.c:2621
#33117 0x0000000008771a72 in do_cli (argc=2, argv=0x962c870) at /home/ubuntu/php/php-7.4.9-src/sapi/cli/php_cli.c:964
#33118 0x0000000008772c34 in main (argc=2, argv=0x962c870) at /home/ubuntu/php/php-7.4.9-src/sapi/cli/php_cli.c:1359
 [2020-08-09 11:26 UTC] cmb@php.net
This indeed looks to be a general issue with fopencookie() support
in our stream layer (as opposed to being a particular issue with GD).
The following backtrace excerpt from a debug build clarifies:

stream_cookie_seeker(void * cookie, off64_t * position, int whence) (\mnt\d\git\php\php-src\main\streams\cast.c:109)
libc.so.6!_IO_cookie_seek(_IO_FILE * fp, __off64_t offset, int dir) (\build\glibc-77giwP\glibc-2.24\libio\iofopncook.c:89)
libc.so.6!_IO_new_file_sync(_IO_FILE * fp) (\build\glibc-77giwP\glibc-2.24\libio\fileops.c:890)
libc.so.6!__GI__IO_fflush(_IO_FILE * fp) (\build\glibc-77giwP\glibc-2.24\libio\iofflush.c:40)
_php_stream_seek(php_stream * stream, zend_off_t offset, int whence) (\mnt\d\git\php\php-src\main\streams\streams.c:1306)
stream_cookie_seeker(void * cookie, off64_t * position, int whence) (\mnt\d\git\php\php-src\main\streams\cast.c:109)

This is triggered by ext/gd calling fflush(), which calls back to
stream_cookie_seeker(), which calls _php_stream_seek(), which in
turn calls fflush(), resulting in infinite recursion.
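The cycle described in the comment above, as an added C model that is not part of the bug report or of php-src: the stdio side re-implements only the behaviour of glibc's _IO_new_file_sync() that matters here (unread buffered input is handed back by seeking the cookie with a negative SEEK_CUR offset) instead of calling fopencookie(), so it runs anywhere, and a bounded depth counter stands in for the stack overflow. The `guarded` re-entrancy check is an assumed mitigation for illustration only, not the patch PHP merged; stream_seek, model_fflush, model_fread, run_scenario and the sample text are constructed names and data.

```c
#include <stdio.h>
#include <string.h>
#define RECURSION_LIMIT 64  /* stand-in for the C stack; the real trace died past frame #33118 */
/* Model of the FILE that fopencookie() returns: a read buffer over its cookie (the php_stream). */
typedef struct { void *cookie; char buf[64]; int read_ptr, read_end; } cookie_file;
/* Model of php_stream: constructed in-memory content plus its stdio cast (stream->stdiocast). */
typedef struct {
    const char *data; int len, pos; cookie_file *stdiocast;
    int guarded, in_seek, depth, max_depth;
} stream;
static int stream_seek(stream *s, long off, int whence);
/* Mirrors glibc _IO_new_file_sync(): unread input is handed back via a negative SEEK_CUR seek, hence whence=1 in every trace frame. */
static int model_fflush(cookie_file *fp) {
    int delta = fp->read_ptr - fp->read_end;
    if (delta == 0) return 0;
    if (stream_seek(fp->cookie, delta, SEEK_CUR) != 0) return EOF;  /* via stream_cookie_seeker() */
    fp->read_end = fp->read_ptr; return 0;
}
/* Mirrors _php_stream_seek() (streams.c:1306): flush the stdio cast first, then move the position. */
static int stream_seek(stream *s, long off, int whence) {
    if (++s->depth > s->max_depth) s->max_depth = s->depth;
    if (s->depth > RECURSION_LIMIT) { s->depth--; return -1; }  /* real PHP: stack overflow, SIGSEGV */
    /* Assumed fix (not PHP's merged patch): re-entered from our own flush, so the outer call owns it. */
    if (s->guarded && s->in_seek) { s->depth--; return 0; }
    if (s->stdiocast) { s->in_seek = 1; model_fflush(s->stdiocast); s->in_seek = 0; }
    long base = whence == SEEK_SET ? 0 : whence == SEEK_CUR ? s->pos : s->len;
    int ok = base + off >= 0 && base + off <= s->len;
    if (ok) s->pos = (int)(base + off);
    s->depth--; return ok ? 0 : -1;
}
static int model_fread(cookie_file *fp, char *out, int n) {
    if (fp->read_ptr == fp->read_end) { stream *s = fp->cookie;  /* underflow: pull what fits from the cookie */
        int got = s->len - s->pos > (int)sizeof fp->buf ? (int)sizeof fp->buf : s->len - s->pos;
        memcpy(fp->buf, s->data + s->pos, (size_t)got);
        s->pos += got; fp->read_ptr = 0; fp->read_end = got;
    }
    if (n > fp->read_end - fp->read_ptr) n = fp->read_end - fp->read_ptr;
    memcpy(out, fp->buf + fp->read_ptr, (size_t)n); fp->read_ptr += n;
    return n;
}
/* Replays ext/gd (8-byte signature read, then fflush). Returns the deepest seek nesting; with next4 non-NULL, also reads the 4 bytes after the flush into it. */
static int run_scenario(int guarded, char next4[5]) {
    static const char sample[] = "cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaAo=";  /* constructed */
    stream s = { sample, (int)(sizeof sample - 1), 0, NULL, guarded, 0, 0, 0 };
    cookie_file fp = { &s, {0}, 0, 0 }; s.stdiocast = &fp;
    char sig[8]; model_fread(&fp, sig, 8); model_fflush(&fp);
    if (next4) { model_fread(&fp, next4, 4); next4[4] = '\0'; }
    return s.max_depth;
}
```

Unguarded, the seek nesting runs away until the depth limit trips; guarded, it stops at two levels and the bytes read after the flush continue exactly where the application left off.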
 [2023-11-17 12:56 UTC] bukka@php.net
The following pull request has been associated:

Patch Name: Fix bug #79945: Stream wrappers in imagecreatefrompng causes segfault
On GitHub:  https://github.com/php/php-src/pull/12696
Patch:      https://github.com/php/php-src/pull/12696.patch
 [2023-11-17 13:43 UTC] git@php.net
Automatic comment on behalf of bukka
Revision: https://github.com/php/php-src/commit/6734880ef5c7a949f66e5a4b0dd1983fb486c46a
Log: Fix bug #79945: Stream wrappers in imagecreatefrompng causes segfault
 [2023-11-17 13:43 UTC] git@php.net
-Status: Verified +Status: Closed
 [2023-11-23 03:36 UTC] git@php.net
Automatic comment on behalf of bukka (author) and ramsey (committer)
Revision: https://github.com/php/php-src/commit/a7a6151c4f3455ffc1dd2c14daaebf00939e6e7a
Log: Fix bug #79945: Stream wrappers in imagecreatefrompng causes segfault
Last updated: Thu Nov 21 11:01:29 2024 UTC