Bug #39508 bus error or segmentation fault when using gd functions
Submitted: 2006-11-14 08:53 UTC Modified: 2006-12-10 02:08 UTC
From: phpbug at macfreek dot nl Assigned: pajoye
Status: Closed Package: GD related
PHP Version: 5.2.0 OS: Mac OS 10.4.8 (Darwin 8.8.0)
Private report: No CVE-ID:
 [2006-11-14 08:53 UTC] phpbug at macfreek dot nl
Description:
------------
I got a nasty, but reproducible, crasher.

I have a moderately long (~200 lines, no includes) piece of code that works fine on my Intel Mac with PHP 5.1.6, but crashes on my G5 Mac with PHP 5.2.0

The crashing line is:
print $brush;
with $brush a resource object created with imagecreatetruecolor() (and not destroyed with imagedestroy() yet).

The crash is a ~3 second pause followed by either a bus error or a segmentation fault.

Reproduce code:
---------------
My code is available for now at http://www.macfreek.nl/temp/gd-crasher.phps

However, this bug is notoriously hard to isolate. For one thing, the end of the file contains an unused function with nothing but bogus statements ($abc = 'xxxxx';). If I remove this function, the code no longer crashes.

I _assume_ that there is a buffer overflow somewhere, resulting in random memory being executed. At least that may explain why the removal of an unused function alters the behavior. This may also explain why it runs fine on the Intel, but that may also be because of the different PHP version.

The most suspect functions I use are:
imagecreatetruecolor() -- creates a Resource
imagesetbrush() -- uses a resource internally, has some comments on imagedestroy().

So far I removed other suspect code (e.g. imagettfbbox(), imagettftext() and all usage of external files) and trimmed the code down from 500 to 200 lines. However, I have a hard time narrowing it down any further.

Since I suspect that it is hard to reproduce on other machines, please advise how to proceed. Should I compile 5-CVS, use --enable-debug? (If so, please give some pointers; I usually use a package manager for installation and this is the first time I use gdb).

Expected result:
----------------
Either a Fatal error blaming my buggy code, or a normal result, like I see on the Intel with PHP 5.1.6.

Actual result:
--------------
(gdb) run gd-crasher.php
Starting program: /opt/local/bin/php gd-crasher.php
Reading symbols for shared libraries ...++++++..................................................................++++++...+++++ done
Reading symbols for shared libraries .. done
Creating image
  Drawing calender bar
  -> Brushes = array( )
  Drawing clock
  -> Brushes = array( )
  -> Brushes = array( Resource id #5, )
  -> Brushes = array( Resource id #5, )
  -> Brushes = array( Resource id #5, 
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0004000c
0x0044dbec in zend_mm_remove_from_free_list ()
(gdb) bt
#0  0x0044dbec in zend_mm_remove_from_free_list ()
#1  0x0044edbc in _zend_mm_free_int ()
#2  0x0044f848 in _efree ()
#3  0x00473eb0 in _zval_dtor_func ()
#4  0x004a1994 in _zval_dtor ()
#5  0x004b2b6c in ZEND_ECHO_SPEC_TMP_HANDLER ()
#6  0x004b2c10 in ZEND_PRINT_SPEC_TMP_HANDLER ()
#7  0x004a3470 in execute ()
#8  0x004a3d04 in zend_do_fcall_common_helper_SPEC ()
#9  0x004a4b88 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER ()
#10 0x004a3470 in execute ()
#11 0x004a3d04 in zend_do_fcall_common_helper_SPEC ()
#12 0x004a4b88 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER ()
#13 0x004a3470 in execute ()
#14 0x00476cd8 in zend_execute_scripts ()
#15 0x0040deb0 in php_execute_script ()
#16 0x005132a4 in main ()


History

 [2006-11-14 08:59 UTC] phpbug at macfreek dot nl
Here is my full config, listing the output of 
php -v, gd_info(), phpinfo(), port installed gd2, pecl list-all:
http://www.macfreek.nl/temp/gd-crasher-php-config.txt
 [2006-11-14 13:46 UTC] pajoye@php.net
The problem was imagefill in setroundbrush. Please try using CVS (5.2) or snapshots.

Small reproduce script:
<?php
// Tiny 3x1 truecolor image; the crash is triggered by imagefill() on it.
$brushsize_w = 3;
$brushsize_h = 1;
$brush = imagecreatetruecolor($brushsize_w, $brushsize_h);
// Opaque yellow (alpha 0) allocated on the truecolor image.
$bgcolor = imagecolorallocatealpha($brush, 255, 255, 0, 0);
// Flood fill from (0,0): this is the call that crashes on affected builds.
imagefill($brush, 0, 0, $bgcolor);
imagepng($brush, 'a.png');


Some comments, why are you drawing an ellipse arc in a 2x2 image (in setroundbrush)? :)
 [2006-11-14 16:54 UTC] phpbug at macfreek dot nl
First of all - thanks for the very fast reply. Much appreciated.

Your analysis seems correct.
- When upgrading to 5.2.0 (stable) on the Intel, I also got crashes.
- When replacing imagefill with imagefillrectangle, I don't experience crashes anymore.
- However, your example script finished just fine. But that doesn't say much if the error is corrupt memory.

In addition, your resolution seems correct too. I just downloaded the CVS version of 5.2.0 (I only noticed later that there are also snapshots, doh).
With using the imagefill() function:
php5.2.0-stable: crashes
php5.2.0-cvs: works fine

Oh, as for the 2x2 pixel brush. That surely must seem ridiculous ;-). I draw a clock (you figured) for a small time-lapse image sequence. I thought the hour indicator looked "blocky" on the outer end when using imagesetthickness(), so I figured I had better use a round brush. It does make a small (but noticeable) difference for the 3x3 brush. Actually I first scaled it up 400% and made sure it looked good, then scaled down and forgot that 2x2 doesn't make sense. :-)

Finally -- out of curiosity. How did you narrow this down? I'm interested, so I may be able to give more focused bug reports next time.
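The workaround the reporter describes above (filling the tiny truecolor brush with a filled rectangle instead of imagefill()), written out as a complete script. This is an added example, not code from the bug report or from the PHP project; the function name makeRoundBrush(), the canvas size, and the output file name are assumptions made for this illustration.

```php
<?php
// Added example (not from the bug thread): build the small round brush the
// reporter describes, but paint its background with imagefilledrectangle()
// rather than imagefill(), which is the workaround found in the thread for
// affected PHP 5.2.0 builds. makeRoundBrush() and the sizes are assumptions.

function makeRoundBrush($size, $r, $g, $b)
{
    $brush = imagecreatetruecolor($size, $size);
    if ($brush === false) {
        throw new RuntimeException('imagecreatetruecolor() failed');
    }

    // Write pixel alpha values verbatim instead of blending them, so the
    // transparent background really is transparent in the brush image.
    imagealphablending($brush, false);
    imagesavealpha($brush, true);
    $transparent = imagecolorallocatealpha($brush, 0, 0, 0, 127);

    // Workaround from the thread: cover the whole canvas with a filled
    // rectangle instead of flood-filling it from (0,0) with imagefill().
    imagefilledrectangle($brush, 0, 0, $size - 1, $size - 1, $transparent);
    // Tell gd which colour the brush should skip when it is applied.
    imagecolortransparent($brush, $transparent);

    // The visible part of the brush: a filled ellipse in the ink colour.
    $ink = imagecolorallocate($brush, $r, $g, $b);
    $c = (int) ($size / 2);
    imagefilledellipse($brush, $c, $c, $size, $size, $ink);

    return $brush;
}

// Small white canvas standing in for the reporter's clock face (constructed).
$canvas = imagecreatetruecolor(64, 64);
$white = imagecolorallocate($canvas, 255, 255, 255);
imagefilledrectangle($canvas, 0, 0, 63, 63, $white);

// A 3x3 round brush, the size the reporter says makes a visible difference.
$brush = makeRoundBrush(3, 0, 0, 0);
imagesetbrush($canvas, $brush);

// With IMG_COLOR_BRUSHED the brush image is used as the pen for the line.
imageline($canvas, 8, 8, 56, 40, IMG_COLOR_BRUSHED);

imagepng($canvas, 'clock-hand.png');

// Destroy the brush only after the last brushed draw call on the canvas.
imagedestroy($brush);
imagedestroy($canvas);
```

The brush is destroyed after the last imageline() call on purpose: imagesetbrush() keeps a reference to the brush image inside the canvas, so freeing it earlier leaves the canvas pointing at released memory.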
 [2006-11-17 12:52 UTC] pajoye@php.net
"Finally -- out of curiosity. How did you narrow this down? I'm interested, so I may be able to give more focused bug reports next time."

I first found where the segfault occurs in your script. It was in your brush function, which only works on the brush images. That means all the other operations on the final image are irrelevant :)

I will close the bug once I have added a test case and MFB'd the fix to HEAD.
 [2006-12-10 02:08 UTC] pajoye@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sun Apr 20 13:01:59 2014 UTC