Bug #18238 Apache segfaults on Ming code
Submitted: 2002-07-09 06:25 UTC
Modified: 2002-07-09 09:23 UTC
From: twan at bitpress dot nl
Assigned:
Status: Not a bug
Package: Reproducible crash
PHP Version: 4.2.1
OS: Debian/GNU Linux
Private report: No
CVE-ID: None
 [2002-07-09 06:25 UTC] twan at bitpress dot nl
L.S.,

In a futile attempt to make a clickable image in a Flash movie, I encountered something I think should not happen at all. While I may be inexperienced using Ming and am probably doing something wrong in my efforts, a segmentation fault I think is not appropriate :)

[Tue Jul  9 11:45:18 2002] [notice] child pid 6277 exit signal Segmentation fault (11)

I am running Apache 1.3.26-1, PHP 4.2.1-3 and Ming 0.2a.cvs20020110-3 on a Debian/GNU Linux system. Each time the following script is executed, the Apache child crashes with a segmentation fault:

<?php

$filename = "result.jpg";

$fp = fopen($filename,"r");
$i = fread($fp,999999);
$img = new SWFBitmap($i); #don't give "fread(...)" as argument, but buffer it.
fclose($fp);

$s = new SWFShape();
#$s->setRightFill($s->addFill(0xff, 0, 0));
#$s->drawLine(100,0);
#$s->drawLine(0,100);
#$s->drawLine(-100,0);
#$s->drawLine(0,-100);
$s->setLeftFill($s->addFill($img));

$b = new SWFButton();
$b->addShape($s, SWFBUTTON_HIT | SWFBUTTON_UP | SWFBUTTON_DOWN | SWFBUTTON_OVER);

$b->addAction(new SWFAction("startDrag('/test', 0);"), // '0' means don't lock to mouse
        SWFBUTTON_MOUSEDOWN);

$b->addAction(new SWFAction("stopDrag();"),
        SWFBUTTON_MOUSEUP | SWFBUTTON_MOUSEUPOUTSIDE);

$p = new SWFSprite();
$p->add($b);
$p->nextFrame();

$swf = new SWFMovie();
$swf->setDimension(504, 501);

$i = $swf->add($p);
$i->setName('test');
$i->moveTo(100,100);

$swf->nextframe();
$swf->add($img);  #this will create a shape with perfect proportions and fills it

header('Content-type: application/x-shockwave-flash');
$swf->output();

?>

 [2002-07-09 06:27 UTC] derick@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.
 [2002-07-09 08:56 UTC] derick@php.net
Reproduced with backtrace which shows the bug is clearly in the ming library:

Program received signal SIGSEGV, Segmentation fault.
0x40187014 in SWFInput_buffer_getChar (input=0x830a468) at input.c:165
165 return ((unsigned char *)input->data)[input->offset++];
(gdb) bt
#0  0x40187014 in SWFInput_buffer_getChar (input=0x830a468) at input.c:165
#1  0x40186b98 in SWFInput_getChar (input=0x830a468) at input.c:16
#2  0x401875eb in methodWriteJpegFile (input=0x830a468,
    method=0x814cd5c <phpByteOutputMethod>, data=0x0) at jpeg.c:89
#3  0x40187805 in writeSWFJpegBitmapToMethod (block=0x83905d0,
    method=0x814cd5c <phpByteOutputMethod>, data=0x0) at jpeg.c:181
#4  0x401844e9 in writeSWFBlockToMethod (block=0x83905d0,
    method=0x814cd5c <phpByteOutputMethod>, data=0x0) at block.c:87
#5  0x40172af8 in SWFBlockList_writeBlocksToMethod (list=0x8392010,
    method=0x814cd5c <phpByteOutputMethod>, data=0x0) at blocklist.c:78
#6  0x40171f12 in SWFMovie_output (movie=0x8391ff0,
    method=0x814cd5c <phpByteOutputMethod>, data=0x0) at movie.c:262
#7  0x0814cdae in zif_swfmovie_output (ht=0, return_value=0x83903e4,
    this_ptr=0x8391754, return_value_used=0)
    at /dat/dev/php/php-4.3.0dev/ext/ming/ming.c:1430
#8  0x080e1a8f in execute (op_array=0x838fb0c)
    at /dat/dev/php/php-4.3.0dev/Zend/zend_execute.c:1587
#9  0x407696e8 in xdebug_execute () from /dat/dev/php/xdebug/modules/xdebug.so
#10 0x080d2532 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /dat/dev/php/php-4.3.0dev/Zend/zend.c:810
#11 0x080ac1ae in php_execute_script (primary_file=0xbffff680)
    at /dat/dev/php/php-4.3.0dev/main/main.c:1388
#12 0x080e63b6 in apache_php_module_main (r=0x83894f4, display_source_mode=0)
---Type <return> to continue, or q <return> to quit---
    at /dat/dev/php/php-4.3.0dev/sapi/apache/sapi_apache.c:55
#13 0x0809d89c in send_php ()
#14 0x0809d8f5 in send_parsed_php ()
#15 0x0822b15f in ap_invoke_handler ()
#16 0x0823fd27 in process_request_internal ()
#17 0x0823fd88 in ap_process_request ()
#18 0x08236d31 in child_main ()
#19 0x08236edc in make_child ()
#20 0x08237050 in startup_children ()
#21 0x082376cc in standalone_main ()
#22 0x08237f3b in main ()
#23 0x4055d306 in __libc_start_main (main=0x8237b8c <main>, argc=2,
    ubp_av=0xbffffab4, init=0x807a28c <_init>, fini=0x824e660 <_fini>,
    rtld_fini=0x4000d2dc <_dl_fini>, stack_end=0xbffffaac)
    at ../sysdeps/generic/libc-start.c:129
(gdb)
(gdb) print input
$1 = 0x830a468
(gdb) print *input
$2 = {destroy = 0x40186de8 <SWFInput_dtor>,
  getChar = 0x40186ff0 <SWFInput_buffer_getChar>,
  seek = 0x4018703c <SWFInput_buffer_seek>,
  eof = 0x40187020 <SWFInput_buffer_eof>, offset = 0, length = 127684,
  data = 0x4079702c}
(gdb) print input.data
$3 = (void *) 0x4079702c
(gdb)
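
Added note and example (not part of the bug thread, and not Ming's source): in the gdb output above `offset = 0` and `length = 127684`, so the faulting read at input.c:165 is inside the recorded bounds and it is the `data` pointer itself that cannot be read, which a bounds check alone would not catch. The thread does not identify the cause; the C sketch below assumes one way that state arises, a buffer-backed input that keeps the caller's pointer, and shows the owning-copy alternative. `BufInput`, `input_new`, `input_getc`, `input_free` and `first_byte_after_release` are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical struct modelled on the fields gdb printed; not Ming's source. */
typedef struct {
    unsigned char *data;   /* bytes to read */
    size_t offset, length; /* read cursor and recorded size */
    int owns_data;         /* 1 if data is a private copy freed by input_free */
} BufInput;

/* copy == 0 keeps the caller's pointer (input dangles once the caller frees it);
 * copy != 0 takes a private copy so the input controls its own lifetime. */
BufInput *input_new(unsigned char *buf, size_t len, int copy) {
    BufInput *in = malloc(sizeof *in);
    if (!in) return NULL;
    in->data = buf; in->offset = 0; in->length = len; in->owns_data = 0;
    if (copy) {
        in->data = malloc(len ? len : 1);
        if (!in->data) { free(in); return NULL; }
        memcpy(in->data, buf, len);
        in->owns_data = 1;
    }
    return in;
}

/* Bounds-checked read: returns EOF at the end instead of reading past it. */
int input_getc(BufInput *in) {
    if (in == NULL || in->offset >= in->length) return EOF;
    return in->data[in->offset++];
}

void input_free(BufInput *in) {
    if (in && in->owns_data) free(in->data);
    free(in);
}

/* Constructed scenario: the caller's buffer is released before a deferred read. */
int first_byte_after_release(void) {
    unsigned char *jpeg = malloc(4);
    if (!jpeg) return EOF;
    memcpy(jpeg, "\xff\xd8\xff\xe0", 4);   /* constructed JPEG header bytes */
    BufInput *in = input_new(jpeg, 4, 1);  /* owning copy */
    memset(jpeg, 0, 4); free(jpeg);        /* caller's buffer is gone */
    int c = in ? input_getc(in) : EOF;     /* still reads the private copy */
    input_free(in);
    return c;
}

int main(void) { printf("0x%02x\n", first_byte_after_release()); return 0; }
```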
 [2002-07-09 09:23 UTC] derick@php.net
Not a bug in PHP -> bogus
 