php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #34042 Crash in imagettftext due to type overflow.
Submitted: 2005-08-08 20:49 UTC Modified: 2005-08-09 23:17 UTC
From: php at fiddaman dot net Assigned:
Status: Closed Package: GD related
PHP Version: 5.0.4 OS: Solaris 9
Private report: No CVE-ID: None
 [2005-08-08 20:49 UTC] php at fiddaman dot net
Description:
------------
Same problem as bug #32893 (which was for PHP4).
zend_parse_va_args is called with a template of "l" but a pointer to int which isn't large enough to hold the result.

A patch which fixes this.

--- ext/gd/gd.c~        2005-05-01 11:36:21.134419000 +0000
+++ ext/gd/gd.c 2005-05-01 11:42:37.369849000 +0000
@@ -3017,7 +3017,8 @@
 {
        zval *IM, *EXT = NULL;
        gdImagePtr im=NULL;
-       int col = -1, x = -1, y = -1, str_len, fontname_len, i,
brect[8];
+       long col = -1, x = -1, y = -1;
+       int str_len, fontname_len, i, brect[8];
        double ptsize, angle;
        unsigned char *str = NULL, *fontname = NULL;
        char *error = NULL;

Reproduce code:
---------------
<?php
        $img = imagecreate(400, 70);
        imagettftext($img, 11/81*64, 0, 0, 27, 0, "/dev/null", "test");
?>

Actual result:
--------------
251                                                     *p = Z_LVAL_PP(arg);
(gdb) where
#0  0x0000000100229e54 in zend_parse_va_args (num_args=4,
    type_spec=0x1002e4db3 "lllss|a", va=0xffffffff7fffea18, flags=0)
    at /spool/src/build/php-5.0.4/Zend/zend_API.c:251
#1  0x000000010022ac28 in zend_parse_parameters (num_args=8,
    type_spec=0x1002e4db0 "rddlllss|a")
    at /spool/src/build/php-5.0.4/Zend/zend_API.c:571
#2  0x000000010008f730 in php_imagettftext_common (ht=8,
    return_value=0x100796328, this_ptr=0x0, return_value_used=0, mode=0,
    extended=0) at /spool/src/build/php-5.0.4/ext/gd/gd.c:3134
#3  0x0000000100260468 in zend_do_fcall_common_helper (
    execute_data=0xffffffff7fffef80, opline=0x10079d5a8, op_array=0x100798c08)
    at /spool/src/build/php-5.0.4/Zend/zend_execute.c:2727
#4  0x00000001002608d8 in zend_do_fcall_handler (
    execute_data=0xffffffff7fffef80, opline=0x10079d5a8, op_array=0x100798c08)
    at /spool/src/build/php-5.0.4/Zend/zend_execute.c:2859
#5  0x000000010024ddec in execute (op_array=0x100798c08)
    at /spool/src/build/php-5.0.4/Zend/zend_execute.c:1406
#6  0x00000001002291f0 in zend_execute_scripts (type=8, retval=0x0,
    file_count=3) at /spool/src/build/php-5.0.4/Zend/zend.c:1069
#7  0x00000001001e8f90 in php_execute_script (primary_file=0xffffffff7ffffa80)
    at /spool/src/build/php-5.0.4/main/main.c:1632
#8  0x000000010026adb8 in main (argc=1, argv=0xffffffff7ffffb88)
    at /spool/src/build/php-5.0.4/sapi/cli/php_cli.c:946


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-08-08 20:56 UTC] tony2001@php.net
It was fixed in 5.x even before 4.x.
 [2005-08-08 21:20 UTC] php at fiddaman dot net
That doesn't make sense as my newly compiled 5.0.4 was crashing at the same place, and modifying gd.c fixed it.

The back-trace I've posted below is from the 5.0.4 binary and the code in ext/gd/gd.c as distributed definitely defines col, x, y as int instead of long.

I'm using a 64-bit architecture so sizeof(int) != sizeof(long)..
 [2005-08-08 22:43 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip


 [2005-08-09 23:17 UTC] php at fiddaman dot net
That snapshot works fine, thanks.
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Wed Jul 06 07:05:46 2022 UTC