PHP :: Bug #66339 :: PHP segfaults in imagexbm

Bug #66339

PHP segfaults in imagexbm

Submitted:

2013-12-23 06:14 UTC

Modified:

2015-07-11 19:05 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

fernando at null-life dot com

Assigned:

cmb (profile)

Status:

Closed

Package:

GD related

PHP Version:

5.5.7

OS:

Private report:

CVE-ID:

None

View Developer Edit

[2013-12-23 06:14 UTC] fernando at null-life dot com

Description:
------------
I noticed a couple of wrongdoings (according to docs) in this imagexbm function:

- When passing null to the 2nd parameter (filename) PHP crashes.
- When passing a filename, the output stream is still sent to stdout.

http://www.php.net/manual/en/function.imagexbm.php

Test script:
---------------
<?php

$im = imagecreatetruecolor(20, 20);
imagexbm($im, null);

Expected result:
----------------
Show image on stdout since filename is null. 



Actual result:
--------------
(940.b24): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ffffffff ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=6ba09262 esp=00a6e604 ebp=00a6e608 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
MSVCR110!strrchr+0x3d:
6ba09262 f30f6f0f        movdqu  xmm1,xmmword ptr [edi] ds:002b:00000000=????????????????????????????????
0:000> k
ChildEBP RetAddr  
00a6e608 695eed56 MSVCR110!strrchr+0x3d
00a6e630 695d2933 php_gd2!php_gd_gdImageXbmCtx+0x16 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\libgd\xbm.c @ 181]
00a6e678 695d7ba8 php_gd2!_php_image_output_ctx+0x283 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\gd_ctx.c @ 171]
00a6e694 67c49971 php_gd2!zif_imagexbm+0x18 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\gd.c @ 2696]
00a6e6fc 67c49075 php5!zend_do_fcall_common_helper_SPEC+0x1b1 [c:\php-sdk\php55\vc11\x86\php-5.5.7\zend\zend_vm_execute.h @ 550]
00a6e738 67c6052b php5!execute_ex+0x295 [c:\php-sdk\php55\vc11\x86\php-5.5.7\zend\zend_vm_execute.h @ 363]
00a6e75c 67c60ede php5!zend_execute+0x14b [c:\php-sdk\php55\vc11\x86\php-5.5.7\zend\zend_vm_execute.h @ 388]
00a6e790 67c61c7c php5!zend_execute_scripts+0xde [c:\php-sdk\php55\vc11\x86\php-5.5.7\zend\zend.c @ 1320]
00a6ea20 7749a1e0 php5!php_execute_script+0x14c [c:\php-sdk\php55\vc11\x86\php-5.5.7\main\main.c @ 2489]
00a6ea34 7749aa22 KERNELBASE!BasepInitializeFindFileHandle+0x59
00a6ed20 00a6ee1c KERNELBASE!FindFirstFileExW+0x532
WARNING: Frame IP not in any known module. Following frames may be wrong.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-12-29 09:53 UTC] krakjoe@php.net

-Assigned To: +Assigned To: helly

[2013-12-29 09:54 UTC] krakjoe@php.net

Assigned to the person who wrote the source, hopefully they'll have some insight ...

[2015-07-11 18:16 UTC] cmb@php.net

-Assigned To: helly +Assigned To: cmb

[2015-07-11 18:16 UTC] cmb@php.net

The problem is in _php_image_output_ctx()[1], where the different
ZPP for XBM images is not fully taken into account.

[1] <https://github.com/php/php-src/blob/PHP-5.6.11/ext/gd/gd_ctx.c#L77>

[2015-07-11 19:03 UTC] cmb@php.net

Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c40f40656e49cf7006dfa7e8f0db5b3d0d286045
Log: Fix #66339: PHP segfaults in imagexbm

[2015-07-11 19:03 UTC] cmb@php.net

-Status: Assigned +Status: Closed

[2015-07-11 19:04 UTC] cmb@php.net

The fix for this bug has been committed.

Thank you for the report, and for helping us make PHP better.

[2015-07-11 19:05 UTC] cmb@php.net

-Operating System: Windows +Operating System: *

[2015-07-21 14:21 UTC] ab@php.net

Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c40f40656e49cf7006dfa7e8f0db5b3d0d286045
Log: Fix #66339: PHP segfaults in imagexbm

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 23:01:29 2024 UTC