Bug #19366 buggy GD scripts crashes PHP
Submitted: 2002-09-12 01:55 UTC Modified: 2002-09-29 09:54 UTC
From: honza at honza dot info Assigned:
Status: Closed Package: GD related
PHP Version: 4.2.3, 4.3.0-dev OS: linux mandrake 2.4.19-7mdk
Private report: No CVE-ID:
 [2002-09-12 01:55 UTC] honza at honza dot info
Hello,

well, this will be more tricky, as it doesn't happen on my local computer (win32), but on the web-hosting server I use (and pay for). I exchanged several e-mails with the administrator of the web-hosting service (www.pipni.cz) and it crashes:

mandrake 2.4.19-7mdk + PHP 4.2.3 completely, including apache
same on redhat
on slackware 8.1 + php 4.2.2 only the script crashed, not whole server.

Now to the script. I got this script from a Czech PHP course and there was a bug in the script. It creates a bitmap and then draws into the bitmap. The bug is that the bitmap is too small: the coordinates used in the draw and fill functions are beyond the size of the bitmap. And the fill functions that get a starting point outside of the bitmap make it go down.

Here is the script:

<?php
$width = 50;
$height = 100;
$ImHandle = imagecreate($width,$height);
//Define colors
$MyBlue = imagecolorAllocate($ImHandle, 0, 0, 255);
$MyRed = imagecolorAllocate($ImHandle, 255, 0, 0);
$MyWhite = imagecolorAllocate($ImHandle, 255, 255, 255);
$MyBlack = imagecolorAllocate($ImHandle, 0, 0, 0);
//Draw
ImageFill($ImHandle,0,0,$MyBlack);
ImageLine($ImHandle,20,20,180,20,$MyWhite);
ImageLine($ImHandle,20,20,20,70,$MyBlue);
ImageLine($ImHandle,20,70,180,70,$MyRed);
ImageLine($ImHandle,180,20,180,45,$MyWhite);
ImageLine($ImHandle,180,70,180,45,$MyRed);
ImageLine($ImHandle,20,20,100,45,$MyBlue);
ImageLine($ImHandle,20,70,100,45,$MyBlue);
ImageLine($ImHandle,100,45,180,45,$MyRed);
ImageFill($ImHandle,21,45,$MyBlue);
ImageFill($ImHandle,100,69,$MyRed);
ImageFill($ImHandle,100,21,$MyWhite);
ImageString($ImHandle,4,40,75,"Czech Republic",$MyWhite);
// Send to browser
Header("Content-type: image/PNG");
ImagePNG($ImHandle);
//Free resources
imagedestroy($ImHandle);
?>

Take care

Honza

 [2002-09-12 08:46 UTC] sander@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.


 [2002-09-26 20:14 UTC] sniper@php.net
Using latest CVS and the bundled GD library, I get this
segfault and backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (runnable)]
0x402b6678 in gdImageGetPixel (im=0x81e8ab8, x=50, y=1) at /usr/src/web/php/php4/ext/gd/libgd/gd.c:828
828     }

#0  0x402b6678 in gdImageGetPixel (im=0x81e8ab8, x=50, y=1) at /usr/src/web/php/php4/ext/gd/libgd/gd.c:828
#1  0x402b7b63 in gdImageFill (im=0x81e8ab8, x=50, y=1, color=1) at /usr/src/web/php/php4/ext/gd/libgd/gd.c:1515
#2  0x402b7e71 in gdImageFill (im=0x81e8ab8, x=50, y=0, color=1) at /usr/src/web/php/php4/ext/gd/libgd/gd.c:1628
#3  0x402b7de1 in gdImageFill (im=0x81e8ab8, x=50, y=1, color=1) at /usr/src/web/php/php4/ext/gd/libgd/gd.c:1606
#4  0x402b7e71 in gdImageFill (im=0x81e8ab8, x=50, y=0, color=1) at /usr/src/web/php/php4/ext/gd/libgd/gd.c:1628
#5  0x402b7de1 in gdImageFill (im=0x81e8ab8, x=50, y=1, color=1) at /usr/src/web/php/php4/ext/gd/libgd/gd.c:1606
#6  0x402b7e71 in gdImageFill (im=0x81e8ab8, x=50, y=0, color=1) at /usr/src/web/php/php4/ext/gd/libgd/gd.c:1628
#7  0x402b7de1 in gdImageFill (im=0x81e8ab8, x=50, y=1, color=1) at /usr/src/web/php/php4/ext/gd/libgd/gd.c:1606
#8  0x402b7e71 in gdImageFill (im=0x81e8ab8, x=50, y=0, color=1) at /usr/src/web/php/php4/ext/gd/libgd/gd.c:1628
#9  0x402b7de1 in gdImageFill (im=0x81e8ab8, x=50, y=1, color=1) at /usr/src/web/php/php4/ext/gd/libgd/gd.c:1606
#10 0x402b7e71 in gdImageFill (im=0x81e8ab8, x=50, y=0, color=1) at /usr/src/web/php/php4/ext/gd/libgd/gd.c:1628
#11 0x402b7de1 in gdImageFill (im=0x81e8ab8, x=50, y=1, color=1) at /usr/src/web/php/php4/ext/gd/libgd/gd.c:1606
#12 0x402b7e71 in gdImageFill (im=0x81e8ab8, x=50, y=0, color=1) at /usr/src/web/php/php4/ext/gd/libgd/gd.c:1628
#13 0x402b7de1 in gdImageFill (im=0x81e8ab8, x=50, y=1, color=1) at /usr/src/web/php/php4/ext/gd/libgd/gd.c:1606
#14 0x402b7e71 in gdImageFill (im=0x81e8ab8, x=50, y=0, color=1) at /usr/src/web/php/php4/ext/gd/libgd/gd.c:1628
#15 0x402b7de1 in gdImageFill (im=0x81e8ab8, x=50, y=1, color=1) at /usr/src/web/php/php4/ext/gd/libgd/gd.c:1606
.
.
.

 [2002-09-29 09:54 UTC] iliaa@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.
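
The failure mode in this report, shown as an added example that is not part of the bug thread and is not the libgd fix: the script creates a 50-pixel-wide canvas, and the backtrace shows gdImageFill recursing at x=50, one column past the last valid one. The sketch below rejects an out-of-range seed, checks every neighbour against the image bounds, and uses a bounded work list instead of recursion; the `Image` type and the names `safe_fill` and `demo_fill` are hypothetical.

```c
#include <stdlib.h>

/* Hypothetical 8-bit image type for this example; not libgd's gdImage. */
typedef struct { int w, h; unsigned char *px; } Image;
static int in_bounds(const Image *im, int x, int y) {
    return x >= 0 && x < im->w && y >= 0 && y < im->h;
}
/* Returns pixels recoloured, 0 if the seed already has color, -1 on bad seed or OOM. */
long safe_fill(Image *im, int x, int y, unsigned char color) {
    if (!im || !im->px || !in_bounds(im, x, y)) return -1;
    size_t seed = (size_t)y * im->w + x;
    unsigned char old = im->px[seed];
    if (old == color) return 0;
    /* Pixels are recoloured when pushed, so each is pushed at most once. */
    size_t cap = (size_t)im->w * im->h, top = 0;
    int (*stack)[2] = malloc(cap * sizeof *stack);
    if (!stack) return -1;
    static const int d[4][2] = {{1, 0}, {-1, 0}, {0, 1}, {0, -1}};
    long filled = 0;
    im->px[seed] = color;
    stack[top][0] = x; stack[top][1] = y; top++;
    while (top > 0) {
        top--;
        int cx = stack[top][0], cy = stack[top][1];
        filled++;
        for (int i = 0; i < 4; i++) {
            int nx = cx + d[i][0], ny = cy + d[i][1];
            if (!in_bounds(im, nx, ny)) continue;   /* never read outside the buffer */
            size_t idx = (size_t)ny * im->w + nx;
            if (im->px[idx] != old) continue;
            im->px[idx] = color;
            stack[top][0] = nx; stack[top][1] = ny; top++;
        }
    }
    free(stack);
    return filled;
}

/* Constructed input: the report's 50x100 canvas with a wall of colour 2 at x=20. */
long demo_fill(int x, int y) {
    Image im = {50, 100, calloc(50 * 100, 1)};
    if (!im.px) return -1;
    for (int r = 0; r < im.h; r++) im.px[r * im.w + 20] = 2;
    long n = safe_fill(&im, x, y, 1);
    free(im.px);
    return n;
}

int main(void) { return demo_fill(50, 1) == -1 ? 0 : 1; }
```

The same validation can be applied one layer up, in the code that maps script arguments to the C call, so that seeds such as (100, 69) from the script above never reach the fill routine.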


 
Last updated: Wed Apr 16 22:02:05 2014 UTC