Bug #66339 PHP segfaults in imagexbm
Submitted: 2013-12-23 06:14 UTC Modified: 2015-07-11 19:05 UTC
Votes: 1
Avg. Score: 3.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: fernando at null-life dot com Assigned: cmb
Status: Closed Package: GD related
PHP Version: 5.5.7 OS: *
Private report: No CVE-ID:
 [2013-12-23 06:14 UTC] fernando at null-life dot com
Description:
------------
I noticed a couple of wrongdoings (according to docs) in this imagexbm function:

- When passing null to the 2nd parameter (filename) PHP crashes.
- When passing a filename, the output stream is still sent to stdout.

http://www.php.net/manual/en/function.imagexbm.php

Test script:
---------------
<?php

$im = imagecreatetruecolor(20, 20);
imagexbm($im, null);

Expected result:
----------------
Show image on stdout since filename is null.

Actual result:
--------------
(940.b24): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ffffffff ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=6ba09262 esp=00a6e604 ebp=00a6e608 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
MSVCR110!strrchr+0x3d:
6ba09262 f30f6f0f        movdqu  xmm1,xmmword ptr [edi] ds:002b:00000000=????????????????????????????????
0:000> k
ChildEBP RetAddr  
00a6e608 695eed56 MSVCR110!strrchr+0x3d
00a6e630 695d2933 php_gd2!php_gd_gdImageXbmCtx+0x16 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\xbm.c @ 181]
00a6e678 695d7ba8 php_gd2!_php_image_output_ctx+0x283 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\gd_ctx.c @ 171]
00a6e694 67c49971 php_gd2!zif_imagexbm+0x18 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\gd.c @ 2696]
00a6e6fc 67c49075 php5!zend_do_fcall_common_helper_SPEC+0x1b1 [c:\php-sdk\php55\vc11\x86\php-5.5.7\zend\zend_vm_execute.h @ 550]
00a6e738 67c6052b php5!execute_ex+0x295 [c:\php-sdk\php55\vc11\x86\php-5.5.7\zend\zend_vm_execute.h @ 363]
00a6e75c 67c60ede php5!zend_execute+0x14b [c:\php-sdk\php55\vc11\x86\php-5.5.7\zend\zend_vm_execute.h @ 388]
00a6e790 67c61c7c php5!zend_execute_scripts+0xde [c:\php-sdk\php55\vc11\x86\php-5.5.7\zend\zend.c @ 1320]
00a6ea20 7749a1e0 php5!php_execute_script+0x14c [c:\php-sdk\php55\vc11\x86\php-5.5.7\main\main.c @ 2489]
00a6ea34 7749aa22 KERNELBASE!BasepInitializeFindFileHandle+0x59
00a6ed20 00a6ee1c KERNELBASE!FindFirstFileExW+0x532
WARNING: Frame IP not in any known module. Following frames may be wrong.
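The trace above ends in strrchr() inside gdImageXbmCtx(): the XBM writer derives the C identifier for its "#define <name>_width" lines from the output file name, and a NULL file name reaches strrchr() unchecked. The following is an added example, not php-src or libgd code, showing that derivation with the NULL and empty-string cases handled before any string function touches the pointer; the function names, XBM_NAME_MAX and the "image" fallback are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define XBM_NAME_MAX 64          /* assumed cap on the derived identifier */
#define XBM_DEFAULT_NAME "image" /* assumed fallback when no file name is given */

/* Derive the identifier used in "#define <name>_width" from a file name.
 * Returns 1 if the fallback name was used, 0 otherwise.  The crashing path
 * called strrchr(file_name, '/') unconditionally, so imagexbm($im, null)
 * dereferenced NULL; here NULL and "" are rejected up front. */
int xbm_identifier(const char *file_name, char *out, size_t out_size)
{
    const char *base, *slash;
    size_t i, n;

    if (out_size == 0)
        return 1;
    if (file_name == NULL || *file_name == '\0') {
        snprintf(out, out_size, "%s", XBM_DEFAULT_NAME);
        return 1;
    }
    /* Strip any directory component (forward slash only, as libgd does). */
    slash = strrchr(file_name, '/');
    base = slash ? slash + 1 : file_name;

    /* Copy up to the extension, bounded by the output buffer; anything that
     * is not alphanumeric becomes '_' so the result is a valid identifier. */
    n = strlen(base);
    if (n + 1 > out_size)
        n = out_size - 1;
    for (i = 0; i < n && base[i] != '.'; i++)
        out[i] = isalnum((unsigned char)base[i]) ? base[i] : '_';
    out[i] = '\0';
    if (i == 0) {               /* e.g. "dir/" or ".hidden": nothing usable */
        snprintf(out, out_size, "%s", XBM_DEFAULT_NAME);
        return 1;
    }
    return 0;
}

/* Emit the two #define lines that open an XBM file; returns bytes written. */
int xbm_header(const char *file_name, int width, int height, char *buf, size_t buf_size)
{
    char name[XBM_NAME_MAX];
    xbm_identifier(file_name, name, sizeof name);
    return snprintf(buf, buf_size, "#define %s_width %d\n#define %s_height %d\n",
                    name, width, name, height);
}
```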

 [2013-12-29 09:53 UTC] krakjoe@php.net
-Assigned To: +Assigned To: helly
 [2013-12-29 09:54 UTC] krakjoe@php.net
Assigned to the person who wrote the source, hopefully they'll have some insight ...
 [2015-07-11 18:16 UTC] cmb@php.net
-Assigned To: helly +Assigned To: cmb
 [2015-07-11 18:16 UTC] cmb@php.net
The problem is in _php_image_output_ctx()[1], where the different
ZPP for XBM images is not fully taken into account.

[1] <https://github.com/php/php-src/blob/PHP-5.6.11/ext/gd/gd_ctx.c#L77>
 [2015-07-11 19:03 UTC] cmb@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c40f40656e49cf7006dfa7e8f0db5b3d0d286045
Log: Fix #66339: PHP segfaults in imagexbm
 [2015-07-11 19:03 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 [2015-07-11 19:04 UTC] cmb@php.net
The fix for this bug has been committed.

Thank you for the report, and for helping us make PHP better.
 [2015-07-11 19:05 UTC] cmb@php.net
-Operating System: Windows +Operating System: *
 [2015-07-21 14:21 UTC] ab@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c40f40656e49cf7006dfa7e8f0db5b3d0d286045
Log: Fix #66339: PHP segfaults in imagexbm
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Feb 26 21:01:35 2017 UTC