Bug #58823 reading one favicon image crashes apache
Submitted: 2009-08-21 20:44 UTC Modified: 2009-08-25 12:46 UTC
From: guozheng dot ge at gmail dot com Assigned:
Status: Closed Package: imagick (PECL)
PHP Version: 5.2.6 OS: rhel-4.x
Private report: No CVE-ID: None
 [2009-08-21 20:44 UTC] guozheng dot ge at gmail dot com
Description:
------------
Reading this favicon crashes the apache server:
http://www.japantravelinfo.com/favicon.ico

Please try it with the reproduce code.

Using PHP 5.2.6, Imagick 2.2.2RC1, ImageMagick 6.2.9 12/17/07 Q16

I think this is an ImageMagick bug: from strace, it is trying to write a temp magick-XXZDUO8a file into the /tmp directory, but the file size is 336185 TB.

The same File size limit exceeded error is reported if you run command line "identify --verbose favicon.ico" too.

Is it possible to catch this error and throw an ImagickException so that we can catch this problem in the PHP code?

========== tail of strace ==========
stat64("/usr/local/lib/ImageMagick-6.2.9/modules-Q16/coders/yuv.la", {st_mode=S_IFREG|0755, st_size=939, ...}) = 0
access("/usr/local/lib/ImageMagick-6.2.9/modules-Q16/coders/yuv.la", F_OK) = 0
open("/usr/local/lib/ImageMagick-6.2.9/modules-Q16/coders/yuv.la", O_RDONLY|O_LARGEFILE) = 11
fstat64(11, {st_mode=S_IFREG|0755, st_size=939, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fbf000
read(11, "# yuv.la - a libtool library fil"..., 4096) = 939
read(11, "", 4096)                      = 0
close(11)                               = 0
munmap(0xb7fbf000, 4096)                = 0
open("/usr/local/lib/yuv.a", O_RDONLY)  = -1 ENOENT (No such file or directory)
open("/home/y/lib/yuv.a", O_RDONLY)     = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 11
fstat64(11, {st_mode=S_IFREG|0644, st_size=43515, ...}) = 0
old_mmap(NULL, 43515, PROT_READ, MAP_PRIVATE, 11, 0) = 0xb7f9d000
close(11)                               = 0
open("/lib/tls/i686/yuv.a", O_RDONLY)   = -1 ENOENT (No such file or directory)
open("/lib/tls/yuv.a", O_RDONLY)        = -1 ENOENT (No such file or directory)
open("/lib/i686/yuv.a", O_RDONLY)       = -1 ENOENT (No such file or directory)
open("/lib/yuv.a", O_RDONLY)            = -1 ENOENT (No such file or directory)
open("/usr/lib/tls/i686/yuv.a", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/tls/yuv.a", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/usr/lib/sse2/yuv.a", O_RDONLY)   = -1 ENOENT (No such file or directory)
open("/usr/lib/yuv.a", O_RDONLY)        = -1 ENOENT (No such file or directory)
munmap(0xb7f9d000, 43515)               = 0
open("/usr/local/lib/ImageMagick-6.2.9/modules-Q16/coders/yuv.so", O_RDONLY) = 11
read(11, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\16"..., 512) = 512
fstat64(11, {st_mode=S_IFREG|0755, st_size=12960, ...}) = 0
old_mmap(NULL, 15896, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 11, 0) = 0x163e000
old_mmap(0x1641000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 11, 0x2000) = 0x1641000
close(11)                               = 0
time(NULL)                              = 1250900828
times({tms_utime=26, tms_stime=5, tms_cutime=0, tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, tms_cstime=0}) = 881559534
times({tms_utime=26, tms_stime=5, tms_cutime=0, tms_cstime=0}) = 881559534
stat64("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=94208, ...}) = 0
open("/tmp/magick-XXZDUO8a", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE, 0600) = 11
_llseek(11, 0, [0], SEEK_END)           = 0
pwrite64(11, "\0", 1, 369639430836715519) = -1 EFBIG (File too large)
--- SIGXFSZ (File size limit exceeded) @ 0 (0) ---
+++ killed by SIGXFSZ +++
Process 14567 detached


========== gdb info =============
Program received signal SIGXFSZ, File size limit exceeded.
[Switching to Thread -1208936768 (LWP 13805)]
0x00826402 in __kernel_vsyscall ()
(gdb) 
(gdb) 
(gdb) 
(gdb) 
(gdb) bt
#0  0x00826402 in __kernel_vsyscall ()
#1  0x006f3152 in pwrite64 () from /lib/tls/libpthread.so.0
#2  0x0197dd86 in SetImageVirtualPixelMethod () from /usr/local/lib/libMagick.so.10
#3  0x0197e8d4 in SetImageVirtualPixelMethod () from /usr/local/lib/libMagick.so.10
#4  0x0197eb5a in SetCacheNexus () from /usr/local/lib/libMagick.so.10
#5  0x0197fb29 in SetImagePixels () from /usr/local/lib/libMagick.so.10
#6  0x0197fa0a in SetImagePixels () from /usr/local/lib/libMagick.so.10
#7  0x019f8644 in SetImageStorageClass () from /usr/local/lib/libMagick.so.10
#8  0x019f873b in AllocateImageColormap () from /usr/local/lib/libMagick.so.10
#9  0x00d96667 in ?? () from /usr/local/lib/ImageMagick-6.2.9/modules-Q16/coders/icon.so
#10 0x0885b480 in ?? ()
#11 0x00000010 in ?? ()
#12 0x00000000 in ?? ()
(gdb)

Reproduce code:
---------------
<?php
try
{
    $im = new Imagick();
    $im->setFormat('ico');

    // this crashed yapache and no Exception was thrown
    $content = file_get_contents('favicon-japantravel.ico');
    $im->readImageBlob($content);
    // flattenImages() returns the flattened image as a new Imagick object
    $im = $im->flattenImages();
    $im->setImageFormat('png');
    // send the converted PNG rather than the original ICO bytes
    $content = $im->getImageBlob();
    header('Content-Type: image/png');
    header('Content-Length: ' . strlen($content));
    echo $content;
}
catch (Exception $ex)
{
    header('Content-Type: text/plain');
    $content = 'error happened: ' . print_r($ex, true);
    header('Content-Length: ' . strlen($content));
    echo $content;
}
?>

Expected result:
----------------
I think the image is corrupted, but is it possible for Imagick to throw an Exception instead of silently crashing apache?

Actual result:
--------------
apache crashes

 [2009-08-24 16:04 UTC] mkoppanen@php.net
Does this happen with newer ImageMagick / Imagick? 6.2.9 is a really old version of ImageMagick and there is not much I can help with that.
 [2009-08-25 12:43 UTC] guozheng dot ge at gmail dot com
Tried the latest ImageMagick and Imagick:

ImageMagick 6.5.2-0 2009-05-20 Q16
Imagick 2.3.0

The new version of Imagick can capture the Exception correctly; will try to upgrade my ImageMagick and Imagick.

Closing the bug and thanks for the feedback.
 [2009-08-25 12:46 UTC] guozheng dot ge at gmail dot com
Upgrading imagick could catch the Exception.
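
The backtrace above places the failing write beneath AllocateImageColormap, called from the icon coder, so header fields in an untrusted ICO can drive the size of the pixel cache. As an added example (not part of the report and not Imagick code), the function below rejects ICO blobs with implausible header values before they reach readImageBlob(); icoLooksSane(), MAX_ICON_DIM and the chosen limits are hypothetical, and the page does not establish which field of the reported file was at fault.

```php
<?php
// Added example, not code from the bug report or from Imagick.
// icoLooksSane() and MAX_ICON_DIM are hypothetical names and limits.
const MAX_ICON_DIM = 256; // assumption: refuse icons larger than 256x256

function icoLooksSane(string $blob): bool
{
    $len = strlen($blob);
    if ($len < 6) {
        return false;
    }
    // ICONDIR: reserved (0), type (1 = icon), number of directory entries.
    $dir = unpack('vreserved/vtype/vcount', $blob);
    $tableEnd = 6 + 16 * $dir['count'];
    if ($dir['reserved'] !== 0 || $dir['type'] !== 1 || $dir['count'] < 1 || $tableEnd > $len) {
        return false;
    }
    for ($i = 0; $i < $dir['count']; $i++) {
        // ICONDIRENTRY (16 bytes); only payload size and offset are used here.
        $e = unpack('Cw/Ch/Ccolors/Cres/vplanes/vbpp/Vsize/Voffset', substr($blob, 6 + 16 * $i, 16));
        if ($e['size'] < 40 || $e['offset'] < $tableEnd || $e['offset'] + $e['size'] > $len) {
            return false; // payload must lie inside the blob, after the directory
        }
        if (substr($blob, $e['offset'], 8) === "\x89PNG\r\n\x1a\n") {
            continue; // PNG-encoded entry: no BITMAPINFOHEADER to inspect
        }
        // BITMAPINFOHEADER; ICO stores the height doubled (XOR image + AND mask).
        $h = unpack('Vhdr/Vwidth/Vheight/vplanes/vbpp/Vcomp/Vimg/Vxppm/Vyppm/VclrUsed/VclrImp',
            substr($blob, $e['offset'], 40));
        if ($h['hdr'] !== 40
            || $h['width'] < 1 || $h['width'] > MAX_ICON_DIM
            || $h['height'] < 1 || $h['height'] > 2 * MAX_ICON_DIM
            || !in_array($h['bpp'], [1, 4, 8, 16, 24, 32], true)
            || $h['clrUsed'] < 0 || $h['clrUsed'] > 256) {
            return false; // implausible geometry, bit depth or palette size
        }
    }
    return true;
}

// Constructed sample: one 16x16, 8-bit entry whose header claims 0x7fffffff palette entries.
$bmp = pack('VVVvvVVVVVV', 40, 16, 32, 1, 8, 0, 0, 0, 0, 0x7fffffff, 0);
$ico = pack('vvv', 0, 1, 1) . pack('CCCCvvVV', 16, 16, 0, 0, 1, 8, strlen($bmp), 22) . $bmp;
var_dump(icoLooksSane($ico));
```

In the reproduce script the check would sit between file_get_contents() and readImageBlob(), throwing an exception when it returns false so that the existing catch block reports the bad file.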