Bug #15169 ImageCreateFromPng causes Segmentation Fault
Submitted: 2002-01-22 13:04 UTC Modified: 2002-05-24 20:40 UTC
From: uklaus at hgb-leipzig dot de Assigned:
Status: Not a bug Package: Reproducible crash
PHP Version: 4.1.1 OS: Solaris 2.6
Private report: No CVE-ID: None
 [2002-01-22 13:04 UTC] uklaus at hgb-leipzig dot de
I built the httpd daemon with php-4.1.1 and the following shared libraries:

# ldd /usr/local/apache/bin/httpd
        libpam.so.1 =>   /usr/lib/libpam.so.1
        libdl.so.1 =>    /usr/lib/libdl.so.1
        libpdf.so.1 =>   /usr/local/lib/libpdf.so.1
        libtiff.so.3 =>  /usr/local/lib/libtiff.so.3
        libpng.so.3 =>   /usr/local/lib/libpng.so.3
        libz.so =>       /usr/local/lib/libz.so
        libmysqlclient.so.6 =>   /usr/local/mysql/lib/libmysqlclient.so.6
        libmcrypt.so.4 =>        /usr/local/lib/libmcrypt.so.4
        libltdl.so.3 =>  /usr/local/lib/libltdl.so.3
        libintl.so.1 =>  /usr/lib/libintl.so.1
        libt1.so.1 =>    /usr/local/lib/libt1.so.1
        libX11.so.4 =>   /usr/lib/libX11.so.4
        libXpm.so.4.10 =>        /usr/lib/libXpm.so.4.10
        libresolv.so.2 =>        /usr/lib/libresolv.so.2
        libm.so.1 =>     /usr/lib/libm.so.1
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libnsl.so.1 =>   /usr/lib/libnsl.so.1
        libc.so.1 =>     /usr/lib/libc.so.1
        libexpat.so.0 =>         /usr/local/lib/libexpat.so.0
        libucb.so.1 =>   /usr/ucblib/libucb.so.1
        libelf.so.1 =>   /usr/lib/libelf.so.1
        libXext.so.0 =>  /usr/openwin/lib/libXext.so.0
        libmp.so.2 =>    /usr/lib/libmp.so.2
        /usr/platform/SUNW,Ultra-4/lib/libc_psr.so.1

If I execute the following php script

<?php
     $im = ImageCreateFromPng("testbild.png");
     ImagePng($im);
?>

the httpd daemon dies with a segmentation fault:
[Tue Jan 22 18:51:36 2002] [notice] child pid 26589 exit signal Segmentation Fault (11)

#gdb /usr/local/apache/bin/httpd
GNU gdb 4.17
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.6"...(no debugging symbols found)...
(gdb) run -X -f /usr/local/apache/conf/httpd.conf
Starting program: /usr/local/apache/bin/httpd -X -f /usr/local/apache/conf/httpd.conf
(no debugging symbols found)...(no debugging symbols found)...warning: Lowest section in /usr/lib/libintl.so.1 is .dynamic at 0x74

Program received signal SIGSEGV, Segmentation fault.
0x59d3fec4 in ?? ()
(gdb) bt
#0  0x59d3fec4 in ?? ()
#1  0xef5f721c in png_create_write_struct_2 ()
#2  0xef5f7e28 in png_create_write_struct ()
#3  0x1ed6b0 in jpeg_std_error ()
#4  0x667c0 in _init ()
#5  0x68660 in _init ()
#6  0x13821c in flock ()
#7  0x116d98 in flock ()
#8  0x59f6c in _init ()
#9  0x121214 in flock ()
#10 0x564cc in _init ()
#11 0x56538 in _init ()
#12 0x19596c in flock ()
#13 0x1b3df8 in flock ()
#14 0x1b3e7c in flock ()
#15 0x1a72d0 in flock ()
#16 0x1a758c in flock ()
#17 0x1a77a8 in flock ()
#18 0x1a81dc in flock ()
#19 0x1a8e3c in flock ()
(gdb) q

 [2002-01-22 13:19 UTC] bate@php.net
What libpng version are you using?
Try with the latest version (1.2.1):

http://www.libpng.org/pub/png/libpng.html
 [2002-01-22 13:24 UTC] uklaus at hgb-leipzig dot de
libpng-1.2.1 is used.

# ls -lai /usr/local/lib/libpng*
     79753 -rw-r--r--   1 root     other     205456 Jan 22 18:50 /usr/local/lib/libpng.a
     79886 lrwxrwxrwx   1 root     other         11 Jan 22 18:50 /usr/local/lib/libpng.so -> libpng.so.3
     79776 lrwxrwxrwx   1 root     other         17 Jan 22 18:50 /usr/local/lib/libpng.so.3 -> libpng.so.3.1.2.1
     79775 -rwxr-xr-x   1 root     other     177504 Jan 22 18:50 /usr/local/lib/libpng.so.3.1.2.1

 [2002-01-22 13:43 UTC] bate@php.net
Can you try 1.2.0? I found some major updates.
----

CHANGES
version 1.2.1beta1 [October 19, 2001]
  Revised makefile.std in contrib/pngminus
  Include background_1 in png_struct regardless of gamma support.
  Revised makefile.netbsd and makefile.macosx, added makefile.darwin.
  Revised example.c to provide more details about using row_callback().
version 1.2.1beta2 [October 25, 2001]
  Added type cast to each NULL appearing in a function call, except for
    WINCE functions.
  Added makefile.so9.
version 1.2.1beta3 [October 27, 2001]
  Removed type casts from all NULLs.
  Simplified png_create_struct_2().
version 1.2.1beta4 [November 7, 2001]
  Revised png_create_info_struct() and png_creat_struct_2().
  Added error message if png_write_info() was omitted.
  Type cast NULLs appearing in function calls when _NO_PROTO or
    PNG_TYPECAST_NULL is defined.
version 1.2.1rc1 [November 24, 2001]
  Type cast NULLs appearing in function calls except when PNG_NO_TYPECAST_NULL
    is defined.
  Changed typecast of "size" argument to png_size_t in pngmem.c calls to
    the user malloc_fn, to agree with the prototype in png.h
  Added a pop/push operation to pnggccrd.c, to preserve Eflag (Maxim Sobolev)
  Updated makefile.sgi to recognize LIBPATH and INCPATH.
  Updated various makefiles so "make clean" does not remove previous major
    version of the shared library.
version 1.2.1rc2 [December 4, 2001]
  Added a pop/push operation to pngvcrd.c, to preserve Eflag.
  Always allocate 256-entry internal palette, hist, and trans arrays, to
    avoid out-of-bounds memory reference caused by invalid PNG datastreams.
  Added a check for prefix_length > data_length in iCCP chunk handler.
version 1.2.1 [December 12, 2001]
  None.

 [2002-01-22 14:41 UTC] sander@php.net
status -> feedback
 [2002-01-22 14:42 UTC] uklaus at hgb-leipzig dot de
With libpng-1.2.0 I get the following result:

gdb /usr/local/apache/bin/httpd
GNU gdb 4.17
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.6"...(no debugging symbols found)...
(gdb) run -X -f /usr/local/apache/conf/httpd.conf
Starting program: /usr/local/apache/bin/httpd -X -f /usr/local/apache/conf/httpd.conf
(no debugging symbols found)...(no debugging symbols found)...warning: Lowest section in /usr/lib/libintl.so.1 is .dynamic at 0x74

Program received signal SIGBUS, Bus error.
0xef5ff7c8 in png_malloc ()
(gdb) bt
#0  0xef5ff7c8 in png_malloc ()
#1  0xef5f720c in png_create_write_struct_2 ()
#2  0xef5f7df8 in png_create_write_struct ()
#3  0x240770 in crypt ()
#4  0x66680 in _init ()
#5  0x68520 in _init ()
#6  0x147490 in flock ()
#7  0x12600c in flock ()
#8  0x59e2c in _init ()
#9  0x130488 in flock ()
#10 0x5638c in _init ()
#11 0x563f8 in _init ()
#12 0x1a4be0 in flock ()
#13 0x1c306c in flock ()
#14 0x1c30f0 in flock ()
#15 0x1b6544 in flock ()
#16 0x1b6800 in flock ()
#17 0x1b6a1c in flock ()
#18 0x1b7450 in flock ()
#19 0x1b80b0 in flock ()
(gdb) q

 [2002-05-24 20:40 UTC] derick@php.net
This is an incompatibility between GD and libpng 1.2.x. Please downgrade libpng to 1.0.x

Not a bug in PHP > bogus.
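The crash above is the classic symptom of a header/runtime version mismatch: GD compiled against one libpng's png.h while httpd loads a different libpng.so at run time. As an added example (not code from this report, GD or libpng), the check below compares the version string a component was compiled with against the integer the runtime library reports, using libpng's real convention that "1.2.1" is encoded as 10201 (major*10000 + minor*100 + release, the value png_access_version_number() returns) and the same major.minor rule libpng's own png_create_write_struct applies for 1.x versions. The function names and the sample versions are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* libpng encodes "1.2.1" as 10201 (major*10000 + minor*100 + release).
   Returns -1 for input that is not a plain major.minor.release string. */
static long png_ver_to_number(const char *ver) {
    int major, minor, release;
    if (ver == NULL || sscanf(ver, "%d.%d.%d", &major, &minor, &release) != 3)
        return -1;
    if (major < 0 || minor < 0 || release < 0 || minor > 99 || release > 99)
        return -1;
    return (long)major * 10000 + minor * 100 + release;
}

/* 1 when the compile-time headers and the runtime library share major.minor,
   0 when they differ (e.g. GD built against 1.0.x headers but httpd loading
   libpng 1.2.x), -1 when either version cannot be parsed. */
static int png_abi_compatible(const char *header_ver, long runtime_ver) {
    long h = png_ver_to_number(header_ver);
    if (h < 0 || runtime_ver < 0)
        return -1;
    return (h / 100) == (runtime_ver / 100);
}

/* Writes the diagnostic a startup self-check would log instead of letting the
   mismatch surface later as SIGSEGV/SIGBUS inside png_create_write_struct. */
static int describe_mismatch(const char *header_ver, long runtime_ver,
                             char *out, size_t n) {
    int ok = png_abi_compatible(header_ver, runtime_ver);
    if (ok == 1)
        snprintf(out, n, "libpng OK: headers %s, runtime %ld", header_ver, runtime_ver);
    else if (ok == 0)
        snprintf(out, n, "libpng MISMATCH: headers %s, runtime %ld.%ld.%ld",
                 header_ver, runtime_ver / 10000, (runtime_ver / 100) % 100,
                 runtime_ver % 100);
    else
        snprintf(out, n, "libpng version string unparsable");
    return ok;
}

int main(void) {
    char msg[128];
    /* Constructed values modelled on the report: headers from a 1.0.x libpng,
       runtime libpng.so.3 reporting 1.2.1 (10201). */
    describe_mismatch("1.0.12", 10201, msg, sizeof msg);
    puts(msg);
    describe_mismatch("1.2.1", 10201, msg, sizeof msg);
    puts(msg);
    return 0;
}
```

In a real build the runtime number comes from png_access_version_number() and the header string from PNG_LIBPNG_VER_STRING; a mismatch should abort module startup rather than proceed to image calls.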