Bug #43121 gdImageFill with IMG_COLOR_TILED crashes httpd
Submitted: 2007-10-28 20:42 UTC Modified: 2007-11-05 11:56 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: carlosp at ravenna dot com Assigned: mattias
Status: Closed Package: GD related
PHP Version: 5.2.5RC1 OS: FreeBSD 6.2
Private report: No CVE-ID:
 [2007-10-28 20:42 UTC] carlosp at ravenna dot com
Description:
------------
Filling an image with a pattern causes an httpd segmentation fault.  It is reproducible, but it does depend on the image dimensions.  Version 5.2.3 works fine, so something changed as of 5.2.4, and it still fails in 5.2.5RC1.

Reproduce code:
---------------
<?php
$im = ImageCreate( 200, 100 );                // 200x100 palette image; 100x100 does not crash
$black = ImageColorAllocate( $im, 0, 0, 0 );  // first allocated colour becomes the background

$im_tile = ImageCreateFromGif( "transback.gif" ); // 64x64 pattern used as the tile
ImageSetTile( $im, $im_tile );
ImageFill( $im, 0, 0, IMG_COLOR_TILED );      // tiled flood fill from (0,0); this is where httpd dies

header( "Content-type: image/gif" );
ImageGif( $im );
ImageDestroy( $im );
ImageDestroy( $im_tile );

Expected result:
----------------
A 200x100 image filled with the specified pattern.  

BTW, the pattern itself is unremarkable; it fails with several different files I've tried. transback.gif above is a 64x64 from http://www.blueknot.com/CSS/TRANSBACK.gif

If you change the image dimensions to 100x100, it will work.  101x100 
does not!

I've also made it fail using gdImageFilledRectangle and particular 
rectangle dimensions to fill, but was unable to find a correlation. So 
the code above is the simplest example of the failure.

Actual result:
--------------
Safari reports the server suddenly dropped the connection.  Running httpd -X yields "Segmentation fault" when I execute the above script.

Even though I followed the instructions to the letter and tried both httpd -X and gdb, I am unable to produce a core dump or backtrace...sorry.  (The gdb method fails immediately upon startup with "gdb in realloc(): error: pointer to wrong page", but I believe that is unrelated because 5.2.3 also gives me that error when I attempt to run it through gdb.)

My server is a practically fresh FreeBSD 6.2 install, and I'm using 
the bundled GD library.  This is my configuration command:

./configure --with-mysql --with-mysqli --with-apxs=/usr/local/apache/bin/apxs --with-gd --with-zlib --with-png-dir=/usr/local --with-jpeg-dir=/usr/local --enable-debug

 [2007-10-28 22:08 UTC] pajoye@php.net
It is weird; nothing in the imagefill code changed between 5.2.4 and 5.2.5RC.

Can you provide a backtrace please?
 [2007-10-28 22:34 UTC] pajoye@php.net
Assign to Mattias, he will take a look at what I broke since 5.2.3 :)
 [2007-10-28 22:57 UTC] scottmac@php.net
[Switching to Thread -1208927680 (LWP 19371)]
0x0814d151 in php_gd__gdImageFillTiled (im=0xa3efeec, x=0, y=16843101, nc=2)
    at /usr/local/src/php5.2-200710150630/ext/gd/libgd/gd.c:2083
2083                    for (x=x1; x>=0 && (!pts[y + x*wx2] && gdImageGetPixel(im,x,y)==oc); x--) {
(gdb) bt full
#0  0x0814d151 in php_gd__gdImageFillTiled (im=0xa3efeec, x=0, y=16843101, 
    nc=2) at /usr/local/src/php5.2-200710150630/ext/gd/libgd/gd.c:2083
        l = 102
        x1 = 0
        x2 = 99
        dy = 1
        oc = 0
        tiled = 1
        wx2 = 200
        wy2 = 100
        stack = (struct seg *) 0xa4080d4
        sp = (struct seg *) 0xa408294
        pts = 0xa403284 '\001' <repeats 13 times>
#1  0x0814ca2e in php_gd_gdImageFill (im=0xa3efeec, x=0, y=0, nc=-5)
    at /usr/local/src/php5.2-200710150630/ext/gd/libgd/gd.c:1972
        l = 0
        x1 = 84
        x2 = 84
        dy = 20
        oc = 171900652
        wx2 = -1076818088
        wy2 = 9
        alphablending_bak = 0
        stack = (struct seg *) 0x0
        sp = (struct seg *) 0x4
#2  0x08141f69 in zif_imagefill (ht=4, return_value=0xa3fd9d0, 
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=0, tsrm_ls=0xa254050)
    at /usr/local/src/php5.2-200710150630/ext/gd/gd.c:3612
        IM = (zval **) 0xa3e2ea8
        x = (zval **) 0xa3e2eac
        y = (zval **) 0xa3e2eb0
        col = (zval **) 0xa3e2eb4
        im = (gdImagePtr) 0xa3efeec

From a build last week that I had, I can't reproduce on 2.1.0 here.
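An added illustration, not libgd's code and not the fix (the page does not say what the CVS change was): the crash line above indexes the visited-pixel map as pts[y + x*wx2] with wx2 = 200 (the image width) and wy2 = 100, and the model below shows that this expression stays inside a wx2*wy2 byte buffer only when the image is square, overflowing at exactly the 101x100 and 200x100 sizes the reporter lists, while the row-major form y*wx2 + x does not. The one-byte-per-pixel map, the function names and the bounds-checked accessor are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model (not libgd's code) of the one-byte-per-pixel "visited"
   map pts[] that the crash line indexes as pts[y + x*wx2], with wx2 = width. */

/* Index exactly as the crash line computes it: y + x*wx2. */
static size_t idx_transposed(int x, int y, int wx2) {
    return (size_t)y + (size_t)x * (size_t)wx2;
}

/* Row-major index a width-wx2 buffer actually needs: y*wx2 + x. */
static size_t idx_rowmajor(int x, int y, int wx2) {
    return (size_t)y * (size_t)wx2 + (size_t)x;
}

/* Largest index a formula produces over a full wx2 x wy2 scan. */
static size_t max_index(size_t (*idx)(int, int, int), int wx2, int wy2) {
    size_t m = 0;
    for (int y = 0; y < wy2; y++)
        for (int x = 0; x < wx2; x++) {
            size_t i = idx(x, y, wx2);
            if (i > m) m = i;
        }
    return m;
}

/* true if every pixel maps inside a wx2*wy2-byte buffer. */
static bool fits_in_buffer(size_t (*idx)(int, int, int), int wx2, int wy2) {
    return max_index(idx, wx2, wy2) < (size_t)wx2 * (size_t)wy2;
}

/* Defensive accessor: NULL instead of a read/write past either edge. */
static char *pts_at(char *pts, int x, int y, int wx2, int wy2) {
    if (x < 0 || y < 0 || x >= wx2 || y >= wy2) return NULL;
    return pts + idx_rowmajor(x, y, wx2);
}

int main(void) {
    /* The three sizes the reporter tried: 100x100 works, 101x100 and 200x100 crash. */
    int dims[3][2] = {{100, 100}, {101, 100}, {200, 100}};
    for (int i = 0; i < 3; i++) {
        int w = dims[i][0], h = dims[i][1];
        printf("%dx%d buffer=%d  y+x*wx2 max=%zu (%s)  y*wx2+x max=%zu (%s)\n", w, h, w * h,
               max_index(idx_transposed, w, h), fits_in_buffer(idx_transposed, w, h) ? "ok" : "OVERFLOW",
               max_index(idx_rowmajor, w, h), fits_in_buffer(idx_rowmajor, w, h) ? "ok" : "OVERFLOW");
    }
    return 0;
}
```

For 200x100 the transposed formula reaches index 39899 in a 20000-byte map, which is the kind of heap overrun that shows up as a corrupted frame (note the y=16843101 argument in frame #0) rather than a clean fault at the bad access.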
 [2007-10-29 02:13 UTC] carlosp at ravenna dot com
For what it's worth, I first experienced a similar segfault on my Mac OS 
X version (5.2.4 Liyanage/Entropy package).  I moved my script to my 
FreeBSD box running older 5.1.4 and the problem went away.  I was ready 
to dismiss it until it manifested itself on another server with the 
fresh 5.2.4 install.  Further troubleshooting revealed it was still 
failing on 5.2.5RC1 but not 5.2.3.

If necessary, I'll figure out how to test a CVS version, let me know.
 [2007-11-04 23:58 UTC] mattias@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2007-11-05 11:56 UTC] carlosp at ravenna dot com
I confirmed the bug fix in 5.2-dev snapshot.  Thank you!
 
PHP Copyright © 2001-2015 The PHP Group
All rights reserved.
Last updated: Fri Mar 27 22:02:22 2015 UTC