Bug #60546 using bad GD color in __destruct crashes
Submitted: 2011-12-16 18:03 UTC
Modified: 2018-08-26 16:56 UTC
Votes: 1
Avg. Score: 3.0 ± 0.0
Reproduced: 0 of 1 (0.0%)
From: bion at drewcrawfordapps dot com
Assigned: cmb
Status: No Feedback
Package: Reproducible crash
PHP Version: 5.4.0RC3
OS: Mac OS X 10.7.2
Private report: No
CVE-ID: None

 [2011-12-16 18:03 UTC] bion at drewcrawfordapps dot com
Description:
------------
Allocating a color with imagecolorallocate using null for the image, and calling 
die() causes a repeatable crash if the destructor attempts to use the bad color 
to render an image.

'./configure' '--prefix=/usr' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--sysconfdir=/private/etc'
'--with-apxs2=/usr/sbin/apxs' '--enable-cli' '--with-config-file-path=/etc'
'--with-libxml-dir=/usr' '--with-openssl=/usr' '--with-kerberos=/usr'
'--with-zlib=/usr' '--enable-bcmath' '--with-bz2=/usr' '--enable-calendar'
'--with-curl=/usr' '--enable-exif' '--enable-ftp' '--with-gd'
'--with-jpeg-dir=/usr/local' '--with-png-dir=/usr/local'
'--enable-gd-native-ttf' '--with-ldap=/usr' '--with-ldap-sasl=/usr'
'--enable-mbstring' '--enable-mbregex' '--with-mysql=mysqlnd'
'--with-mysqli=mysqlnd' '--with-pdo-mysql=mysqlnd'
'--with-mysql-sock=/tmp/mysql.sock' '--with-iodbc=/usr' '--enable-shmop'
'--with-snmp=/usr' '--enable-soap' '--enable-sockets' '--enable-sysvmsg'
'--enable-sysvsem' '--enable-sysvshm' '--with-xmlrpc' '--with-iconv-dir=/usr'
'--with-xsl=/usr' '--enable-zip' '--with-pcre-regex' '--disable-cgi'
'--enable-debug' '--with-freetype-dir=/usr/local' '--with-mcrypt'
'--with-libedit'

$ diff php.ini.default php.ini
440c440
< max_execution_time = 30
---
> max_execution_time = 420
450c450
< max_input_time = 60
---
> max_input_time = 120
458c458
< memory_limit = 128M
---
> memory_limit = 1024M
531c531
< display_errors = Off
---
> display_errors = On
542c542
< display_startup_errors = Off
---
> display_startup_errors = On
604c604
< html_errors = Off
---
> html_errors = On
728c728
< post_max_size = 8M
---
> post_max_size = 20M
784c784
< ;include_path = ".:/php/includes"
---
> include_path = ".:/usr/lib/php"
879c879
< upload_max_filesize = 2M
---
> upload_max_filesize = 20M
977,978c977,978
< ; The MIBS data available in the PHP distribution must be installed. 
< ; See http://www.php.net/manual/en/snmp.installation.php 
---
> ; The MIBS data available in the PHP distribution must be installed.
> ; See http://www.php.net/manual/en/snmp.installation.php
998c998
< ;date.timezone =
---
> date.timezone = "America/Chicago"
1596c1596
< session.entropy_length = 0
---
> session.entropy_length = 20
1601c1601
< ; On windows, setting the entropy_length setting will activate the 
---
> ; On windows, setting the entropy_length setting will activate the
1603c1603
< ;session.entropy_file = /dev/urandom
---
> session.entropy_file = /dev/random
1634c1634
< session.hash_function = 0
---
> session.hash_function = 1
1901,1902c1901,1904
< ;xdebug.idekey="macgdbp"
< ;xdebug.remote_enable=1
---
> zend_extension=/usr/lib/php/extensions/no-debug-non-zts-20090626/xdebug.so
> xdebug.idekey="macgdbp"
> xdebug.remote_enable=On
> xdebug.default_enable=On
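Review bot: the last hunk (1901,1902c1901,1904) loads xdebug.so as a zend_extension from a directory named no-debug-non-zts-20090626, while the configure line above includes '--enable-debug'. Since the abort is raised from free() during request shutdown, the crash should be reproduced with the zend_extension line commented out before it is attributed to GD, and the report should state whether it still occurs without the extension loaded.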

Test script:
---------------
<?php
    class Foo {
        protected $background;

        public function __construct() {
            $this->background = imagecolorallocate(null, 255, 255, 255);
        }

        public function __destruct() {
            $img = imagecreatetruecolor(50, 50);
            imagefill($img, 0, 0, $this->background);
            header('Content-type: image/png');
            imagepng($img);
        }
    }

    new Foo();
?>

Expected result:
----------------
Expected an error message, warning, magical success, or some other non-crashing 
result

Actual result:
--------------
Program received signal SIGABRT, Aborted.
0x00007fff900fe82a in __kill ()
(gdb) bt
#0  0x00007fff900fe82a in __kill ()
#1  0x00007fff8bc7aa9c in abort ()
#2  0x00007fff8bcd984c in free ()
#3  0x000000010172853f in php_request_shutdown (dummy=0x0) at main.c:1776
#4  0x00000001019bb67e in php_apache_request_dtor (r=0x100994aa0) at sapi_apache2.c:507
#5  0x00000001019bbf6f in php_handler (r=0x100994aa0) at sapi_apache2.c:679
#6  0x0000000100002551 in ap_run_handler ()
#7  0x00000001000030f6 in ap_invoke_handler ()
#8  0x000000010003daad in ap_process_request ()
#9  0x0000000100039723 in ap_process_http_connection ()
#10 0x0000000100019aa1 in ap_run_process_connection ()
#11 0x000000010001a081 in ap_process_connection ()
#12 0x0000000100046f53 in child_main ()
#13 0x0000000100047076 in make_child ()
#14 0x00000001000478b6 in ap_mpm_run ()
#15 0x000000010000d58d in main ()

Some relevant values from main.c around line 1776:
last_error_lineno = 0
last_error_message = -1031267392 = /Volumes/Users/Users/bion/Sites/test/index2.php
last_error_file = 6
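
A defensive variant of the test script above, added here as an example and not taken from the reporter or the PHP project: the color is allocated against the image it is used on, the return value is checked before it is stored, and rendering happens in an explicit call rather than in `__destruct()`. `SafeFoo` and `toPng()` are hypothetical names.

```php
<?php
// Added illustration (SafeFoo is a hypothetical name, not code from the report).
final class SafeFoo
{
    private $img;         // GD image handle (resource, or GdImage on PHP 8+)
    private $background;  // color index returned by imagecolorallocate()

    public function __construct($width, $height)
    {
        $img = imagecreatetruecolor($width, $height);
        if ($img === false) {
            throw new RuntimeException('imagecreatetruecolor() failed');
        }
        // Allocate the color against the image it will be used on, and
        // refuse to continue if GD did not hand back an integer index.
        $color = imagecolorallocate($img, 255, 255, 255);
        if (!is_int($color)) {
            throw new RuntimeException('imagecolorallocate() returned no color');
        }
        $this->img = $img;
        $this->background = $color;
    }

    // Rendering is an explicit call in normal control flow, so a GD failure
    // surfaces as an exception instead of running during object destruction
    // or request shutdown. No __destruct() is defined on purpose.
    public function toPng()
    {
        if (!imagefill($this->img, 0, 0, $this->background)) {
            throw new RuntimeException('imagefill() failed');
        }
        ob_start();
        $ok = imagepng($this->img);
        $png = ob_get_clean();
        if (!$ok || $png === '') {
            throw new RuntimeException('imagepng() produced no data');
        }
        return $png;
    }
}

$foo = new SafeFoo(50, 50);
$png = $foo->toPng();
header('Content-Type: image/png');
header('Content-Length: ' . strlen($png));
echo $png;
```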

History

 [2018-07-27 13:50 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2018-07-27 13:50 UTC] cmb@php.net
I can't reproduce this crash; instead I get the image. Can anybody
still reproduce this with an actively supported PHP version?
 [2018-08-26 16:56 UTC] cmb@php.net
-Status: Feedback +Status: No Feedback
 [2018-08-26 16:56 UTC] cmb@php.net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
Last updated: Fri Dec 03 04:03:33 2021 UTC