Bug #24455 imagettfbbox and ImageTTFText cause Apache2 segfault (bug #23122 not solved?)
Submitted: 2003-07-02 03:56 UTC
Modified: 2015-03-23 19:43 UTC
Votes: 8
Avg. Score: 4.2 ± 0.8
Reproduced: 4 of 4 (100.0%)
Same Version: 1 (25.0%)
Same OS: 1 (25.0%)
From: babansky at mail dot ru
Assigned:
Status: Not a bug
Package: GD related
PHP Version: 4CVS-2003-07-02 (stable)
OS: Suse 8.2 with Apache2
Private report: No
CVE-ID: None
 [2003-07-02 03:56 UTC] babansky at mail dot ru
Description:
------------
If PHP is configured with an external GD library like:

./configure --prefix=/usr/local/apache/PHP --with-apxs2=/usr/local/apache/bin/apxs --enable-debug --enable-track-vars --enable-bcmath --enable-exif --enable-ftp --with-curl=/usr --with-mysql=/usr --with-zlib=/usr  --with-gd=/usr --with-tiff-dir=/usr --with-jpeg-dir=/usr  --with-png-dir=/usr --with-freetype-dir=/usr/inlude/freetype2 --enable-gd-native-ttf --enable-sysvsem=yes --enable-sysvshm=yes

and you try to generate images (jpg, png, etc.) and call the script more than once, it usually crashes the second time.

Note: this problem is related to the external GD library (in my case GD-2.015). I didn't see the problem with PHP's bundled GD. Also, this problem is related to the imagettfbbox and ImageTTFText functions.

Reproduce code:
---------------
<?php
  Header("Content-type: image/png");
  Header(" Content-Disposition: inline");
  $font = "TTF/tt1.ttf";
  if(!isset($s)) $s=26;
  if(!isset($pre)) $pre=0;
  if(!isset($text)) $text="Some text";
  $size = imagettfbbox($s,0,$font,$text);
  $dx = abs($size[2]-$size[0]);
  $dy = abs($size[5]-$size[3]);
  $xpad=16;
  $ypad=16;
  $im = imagecreate($dx+$xpad+$pre,$dy+$ypad);
  $blue = ImageColorAllocate($im, 119,162,193);
  $black = ImageColorAllocate($im, 0,0,0);
  $white = ImageColorAllocate($im, 255,255,255);
  ImageTTFText($im, $s, 0, (int)($xpad/2)+$pre+1, $dy+(int)($ypad/2), $black, "$font", $text);
  ImageTTFText($im, $s, 0, (int)($xpad/2)+$pre, $dy+(int)($ypad/2)-1, $white, "$font", $text);
  Imagepng($im);
  ImageDestroy($im);
?> 


Expected result:
----------------
just a single button-like image

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0xbdca7840 in ?? ()
(gdb) bt
#0  0xbdca7840 in ?? ()
#1  0x40577a49 in gdImageStringFTEx (im=0x0, brect=0xbfffc220, fg=-1,
    fontlist=0x405006a0 "/proba-php/php4-STABLE-200307020730/main/php_variables.c", ptsize=26, angle=0, x=-1, y=-1,
    string=0x81ac3dc "Some text", strex=0x0) at gdft.c:856
#2  0x405778f4 in gdImageStringFT (im=0x0, brect=0xbfffc220, fg=-1, fontlist=0x81ac114 "TTF/tt1.ttf", ptsize=26, angle=0,
    x=-1, y=-1, string=0x81ac3dc "Some text") at gdft.c:784
#3  0x403e34f7 in php_imagettftext_common (ht=4, return_value=0x81ac45c, this_ptr=0x0, return_value_used=1, mode=1,
    extended=0) at /proba-php/php4-STABLE-200307020730/ext/gd/gd.c:3059
#4  0x403e2997 in zif_imagettfbbox (ht=4, return_value=0x81ac45c, this_ptr=0x0, return_value_used=1)
    at /proba-php/php4-STABLE-200307020730/ext/gd/gd.c:2939
#5  0x404da19a in execute (op_array=0x81ae02c) at /proba-php/php4-STABLE-200307020730/Zend/zend_execute.c:1616
#6  0x404c8d16 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /proba-php/php4-STABLE-200307020730/Zend/zend.c:886
#7  0x40492aa6 in php_execute_script (primary_file=0xbffff1f0) at /proba-php/php4-STABLE-200307020730/main/main.c:1685
#8  0x404e0064 in php_handler (r=0x8210470) at /proba-php/php4-STABLE-200307020730/sapi/apache2handler/sapi_apache2.c:525
#9  0x08095956 in ap_run_handler (r=0x8210470) at config.c:195
#10 0x08095f38 in ap_invoke_handler (r=0x8210470) at config.c:401
#11 0x0808438d in ap_process_request (r=0x8210470) at http_request.c:288
#12 0x0807ff69 in ap_process_http_connection (c=0x81a0260) at http_core.c:293
#13 0x0809f9e6 in ap_run_process_connection (c=0x81a0260) at connection.c:85
#14 0x0809432d in child_main (child_num_arg=-1073757664) at prefork.c:696
#15 0x0809446e in make_child (s=0x80dce50, slot=0) at prefork.c:736
#16 0x0809454f in startup_children (number_to_start=5) at prefork.c:808
#17 0x08094c09 in ap_mpm_run (_pconf=0x8093b00, plog=0x81120b8, s=0x5) at prefork.c:1024
#18 0x0809a039 in main (argc=2, argv=0xbffff4d4) at main.c:660
#19 0x402708ae in __libc_start_main () from /lib/libc.so.6


 [2003-07-02 04:10 UTC] derick@php.net
Then use the bundled one... it has more bugs fixed anyway.
 [2003-07-02 04:56 UTC] babansky at mail dot ru
The bundled one doesn't have gif support that I need, and as you probably know, on June 20, 2003 the well-known Unisys LZW patent expired (only in the USA and Canada though).
I'm using GD-2.0.15 (the latest) with gif patch from http://www.rime.com.au/gd/
 [2003-07-02 14:53 UTC] babansky at mail dot ru
I just tried to compile GD 2.0.15 with PHP 4.2.3 and it works. Obviously the problem is not in GD.
 [2011-01-01 21:10 UTC] jani@php.net
-Type: Feature/Change Request +Type: Bug -Package: Feature/Change Request +Package: GD related
 [2015-03-23 19:43 UTC] cmb@php.net
-Status: Open +Status: Not a bug
 [2015-03-23 19:43 UTC] cmb@php.net
Thank you for taking the time to report a problem with PHP.
Unfortunately you are not using a current version of PHP -- 
the problem might already be fixed. Please download a new
PHP version from http://www.php.net/downloads.php

If you are able to reproduce the bug with one of the latest
versions of PHP, please change the PHP version on this bug report
to the version you tested and change the status back to "Open".
Again, thank you for your continued support of PHP.


 