Bug #65060 imagecreatefrom... crashes with user streams
Submitted: 2013-06-19 08:08 UTC Modified: 2013-06-21 15:23 UTC
From: thekid@php.net Assigned: thekid
Status: Closed Package: GD related
PHP Version: 5.5.0RC3 OS: gentoo
Private report: No CVE-ID:
 [2013-06-19 08:08 UTC] thekid@php.net
Description:
------------
When loading images via any of the imagecreatefrom...() functions and the argument given to them resolves to a userstream, a segmentation fault occurs on Linux systems (Travis CI's Linux image, 3.2.9-gentoo). With PHP 5.4, the same code works as expected. On Windows, the same code works as expected.

See https://github.com/xp-framework/xp-framework/issues/310

Test script:
---------------
<?php
// Minimal in-memory user stream wrapper. It deliberately implements only
// the read side (no stream_seek, stream_tell or stream_cast), which is what
// triggers the crash when GD casts the stream to a stdio FILE*.
class userstream {
  public static $bytes= array();

  private $buffer;   // unread bytes
  private $avail;    // number of unread bytes
  private $length;   // total size, reported by stream_stat()

  public function stream_open($path, $mode, $options, $opened_path) {
    sscanf($path, 'iostrr://%s', $file);
    if (!isset(self::$bytes[$file])) return false;
    $this->buffer= self::$bytes[$file];
    $this->avail= strlen($this->buffer);
    $this->length= strlen($this->buffer);
    return true;
  }

  public function stream_read($count) {
    $chunk= substr($this->buffer, 0, min($this->avail, $count));
    $this->buffer= substr($this->buffer, strlen($chunk));
    $this->avail-= strlen($chunk);
    return $chunk;
  }

  public function stream_stat() {
    return array('size' => $this->length);
  }

  public function stream_eof() {
    return $this->avail <= 0;
  }

  public function stream_close() {
    $this->avail= -1;
  }
}

userstream::$bytes['test.gif']= base64_decode('R0lGODdhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=');
stream_wrapper_register('iostrr', 'userstream');

var_dump(imagecreatefromgif('iostrr://test.gif'));


Expected result:
----------------
resource(6) of type (gd)

Actual result:
--------------
Segmentation fault

Program received signal SIGSEGV, Segmentation fault.
0x00005555558b2d77 in _php_stream_seek (stream=0x7fffefc6d6b0, offset=-1, whence=1)
    at /home/friebe/php/php-src/main/streams/streams.c:1273
1273                    fflush(stream->stdiocast);
(gdb) bt
#0  0x00005555558b2d77 in _php_stream_seek (stream=0x7fffefc6d6b0, offset=-1, whence=1)
    at /home/friebe/php/php-src/main/streams/streams.c:1273
#1  0x00005555558b4fa0 in stream_cookie_seeker (cookie=<optimized out>, position=0x7fffff7ff458,
    whence=<optimized out>) at /home/friebe/php/php-src/main/streams/cast.c:117
#2  0x00007ffff6571fb6 in ?? () from /lib64/libc.so.6
#3  0x00007ffff657d1e5 in _IO_file_sync () from /lib64/libc.so.6
#4  0x00007ffff65718e1 in fflush () from /lib64/libc.so.6
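For code that has to run on an affected build, the cast to a stdio FILE* can be avoided entirely by reading the stream into memory and decoding with imagecreatefromstring(). This is an added example, not the reporter's code and not the php-src fix; it assumes the `userstream` wrapper from the test script is defined and registered for `iostrr://`, and `image_from_stream_uri` is a name chosen here.

```php
<?php
// Added example (not part of the bug report or the php-src fix).
// Assumes the `userstream` wrapper from the test script above is already
// registered for the `iostrr://` scheme.

/**
 * Load an image from any stream URI without letting GD cast the stream to
 * a stdio FILE*. imagecreatefromstring() decodes from a byte string, so the
 * fopencookie seek path that recurses in the backtrace is never entered.
 * Returns a gd image, or false with a message in $error.
 */
function image_from_stream_uri($uri, array $allowed, &$error = null) {
    $data = @file_get_contents($uri);
    if ($data === false || $data === '') {
        $error = "cannot read $uri";
        return false;
    }
    // Check the declared type from the header before handing the bytes to a
    // decoder, so formats the caller did not ask for are rejected up front.
    $info = @getimagesizefromstring($data);
    if ($info === false || !in_array($info[2], $allowed, true)) {
        $error = "unsupported or malformed image in $uri";
        return false;
    }
    $img = imagecreatefromstring($data);
    if ($img === false) {
        $error = "decoder rejected $uri";
        return false;
    }
    return $img;
}

// Same 1x1 GIF as the reproducer, served through the user stream wrapper.
userstream::$bytes['test.gif'] = base64_decode('R0lGODdhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=');

$img = image_from_stream_uri('iostrr://test.gif', array(IMAGETYPE_GIF), $error);
if ($img === false) {
    fwrite(STDERR, $error . "\n");
    exit(1);
}
printf("%dx%d image loaded\n", imagesx($img), imagesy($img));
```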


History

 [2013-06-19 08:35 UTC] pajoye@php.net
-Status: Open +Status: Feedback
 [2013-06-19 08:35 UTC] pajoye@php.net
g:\php-sdk\php-master\vc11\x86\php-src-clean>g:\temp\5.5.0rc3-nts\php -d extension_dir=g:\temp\5.5.0rc3-nts\ext\ -d extension=php_gd2.dll 65060.php

Warning: imagecreatefromgif(): userstream::stream_cast is not implemented! in G:\php-sdk\php-master\vc11\x86\php-src-clean\65060.php on line 38
resource(7) of type (gd)

Do you use the system's gd or the bundled one? Can you try with the bundled one please (if the system's is used)?

Which distro do you use?
 [2013-06-19 08:38 UTC] pajoye@php.net
-Operating System: Linux +Operating System: gentoo
 [2013-06-19 08:38 UTC] pajoye@php.net
should have read more carefully :)

So only the system or bundled gd question remains :)
 [2013-06-19 09:00 UTC] thekid@php.net
> system or bundled gd question remains

friebe@xpsrv ~/php/php-src $ ./sapi/cli/php -i|grep -i gd
Configure Command =>  './configure'  '--with-gd'
gd
GD Support => enabled
GD Version => bundled (2.1.0 compatible)
gd.jpeg_ignore_warning => 0 => 0
 [2013-06-19 09:03 UTC] thekid@php.net
-Status: Feedback +Status: Open
 [2013-06-21 05:31 UTC] pajoye@php.net
==5774== Memcheck, a memory error detector
==5774== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==5774== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==5774== Command: ./sapi/cli/php stream.php
==5774== 
==5774== Stack overflow in thread 1: can't grow stack to 0xbe2c6d8c

weird.
 [2013-06-21 05:37 UTC] pajoye@php.net
Program received signal SIGSEGV, Segmentation fault.
0x081d7e6e in _php_stream_seek (stream=0xb7d60efc, offset=-1, whence=1) at 
/home/pierre/repo/phpgit/php-src-clean/main/streams/streams.c:1273
1273			fflush(stream->stdiocast);
 [2013-06-21 05:38 UTC] pajoye@php.net
and the bt, which confirms an infinite loop there:

(gdb) bt
#0  0x081d7e6e in _php_stream_seek (stream=0xb7d60efc, offset=-1, whence=1) at 
/home/pierre/repo/phpgit/php-src-clean/main/streams/streams.c:1273
#1  0x081da09e in stream_cookie_seeker (cookie=0xb7d60efc, position=0xbf800044, 
whence=1) at /home/pierre/repo/phpgit/php-src-clean/main/streams/cast.c:109
#2  0xb7df9e99 in _IO_cookie_seek (fp=0x84f4420, offset=-1, dir=1) at 
iofopncook.c:87
#3  0xb7e054ae in _IO_new_file_sync (fp=0x84f4420) at fileops.c:913
#4  0xb7df9810 in _IO_fflush (fp=0x84f4420) at iofflush.c:43
#5  0x081d7e76 in _php_stream_seek (stream=0xb7d60efc, offset=-1, whence=1) at 
/home/pierre/repo/phpgit/php-src-clean/main/streams/streams.c:1273
#6  0x081da09e in stream_cookie_seeker (cookie=0xb7d60efc, position=0xbf8004e0, 
whence=1) at /home/pierre/repo/phpgit/php-src-clean/main/streams/cast.c:109
#7  0xb7df9e99 in _IO_cookie_seek (fp=0x84f4420, offset=-1, dir=1) at 
iofopncook.c:87
#8  0xb7e054ae in _IO_new_file_sync (fp=0x84f4420) at fileops.c:913
#9  0xb7df9810 in _IO_fflush (fp=0x84f4420) at iofflush.c:43
#10 0x081d7e76 in _php_stream_seek (stream=0xb7d60efc, offset=-1, whence=1) at 
/home/pierre/repo/phpgit/php-src-clean/main/streams/streams.c:1273
#11 0x081da09e in stream_cookie_seeker (cookie=0xb7d60efc, position=0xbf80097c, 
whence=1) at /home/pierre/repo/phpgit/php-src-clean/main/streams/cast.c:109
#12 0xb7df9e99 in _IO_cookie_seek (fp=0x84f4420, offset=-1, dir=1) at 
iofopncook.c:87
#13 0xb7e054ae in _IO_new_file_sync (fp=0x84f4420) at fileops.c:913
...
 [2013-06-21 12:11 UTC] remi@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fc898ee0f94ee3686aa1f359d4a973d5e8e1754b
Log: Fixed Bug #65060 imagecreatefrom... crashes with user streams Fixed Bug #65084 imagecreatefromjpeg fails with URL
 [2013-06-21 12:11 UTC] remi@php.net
-Status: Open +Status: Closed
 [2013-06-21 15:23 UTC] thekid@php.net
-Assigned To: +Assigned To: thekid
 [2013-06-21 15:23 UTC] thekid@php.net
Verified, thanks!
 [2013-06-23 22:25 UTC] stas@php.net
It'd be nice also to include a test for the fix.
 [2013-11-17 09:30 UTC] laruence@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fc898ee0f94ee3686aa1f359d4a973d5e8e1754b
Log: Fixed Bug #65060 imagecreatefrom... crashes with user streams Fixed Bug #65084 imagecreatefromjpeg fails with URL
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 01:01:59 2014 UTC