Bug #66386 Segmentation fault on imageaffinematrixget
Submitted: 2014-01-02 05:43 UTC Modified: 2016-06-10 12:42 UTC
From: fernando at null-life dot com Assigned: cmb (profile)
Status: Duplicate Package: GD related
PHP Version: 5.5.7 OS: Windows
Private report: No CVE-ID: None
 [2014-01-02 05:43 UTC] fernando at null-life dot com
Description:
------------
There are two segfaults/read access violations in the GD extension. The first one I believe is caused by a missing RETURN_FALSE after php_error_docref in php-5.5.7\ext\gd\gd.c (line 5211):

case GD_AFFINE_TRANSLATE:
case GD_AFFINE_SCALE: {
	double x, y;
	if (Z_TYPE_P(options) != IS_ARRAY) {
		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Array expected as options");
		//RETURN_FALSE missing here
	}
	if (zend_hash_find(HASH_OF(options), "x", sizeof("x"), (void **)&tmp) //crash here

According to the docs (http://www.php.net/manual/en/function.imageaffinematrixget.php ) the second parameter can be optional and mixed, but it only seems to work when an Array is passed. The second segfault occurs when no 2nd parameter is passed.

Test script:
---------------
<?php
// Crash because the 2nd parameter is not an array
imageaffinematrixget(IMG_AFFINE_SCALE, 0);

// Crash because the 2nd parameter doesn't exist
imageaffinematrixget(IMG_AFFINE_SCALE);


Expected result:
----------------
Not a crash

Actual result:
--------------
//1st backtrace
(b50.3c0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=005979bd ebx=00000002 ecx=00000000 edx=00000058 esi=6e885c49 edi=6e885c48
eip=6688e8fc esp=009ee154 ebp=00000002 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
php5!zend_hash_find+0xec:
6688e8fc 8b5104          mov     edx,dword ptr [ecx+4] ds:002b:00000004=????????
0:000> k
ChildEBP RetAddr  
009ee160 6e834380 php5!zend_hash_find+0xec [c:\php-sdk\php55\vc11\x86\php-5.5.7\zend\zend_hash.c @ 922]
009ee1d4 66899971 php_gd2!zif_imageaffinematrixget+0x150 [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\gd.c @ 5213]
009ee23c 66899075 php5!zend_do_fcall_common_helper_SPEC+0x1b1 [c:\php-sdk\php55\vc11\x86\php-5.5.7\zend\zend_vm_execute.h @ 550]
009ee278 668b052b php5!execute_ex+0x295 [c:\php-sdk\php55\vc11\x86\php-5.5.7\zend\zend_vm_execute.h @ 363]
009ee29c 668b0ede php5!zend_execute+0x14b [c:\php-sdk\php55\vc11\x86\php-5.5.7\zend\zend_vm_execute.h @ 388]
009ee2d0 668b1c7c php5!zend_execute_scripts+0xde [c:\php-sdk\php55\vc11\x86\php-5.5.7\zend\zend.c @ 1320]
009ee550 757ea1e0 php5!php_execute_script+0x14c [c:\php-sdk\php55\vc11\x86\php-5.5.7\main\main.c @ 2489]

//2nd backtrace
(1384.138c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=00000000 ecx=00000000 edx=00000001 esi=639768c0 edi=00bbc4a0
eip=66b6433b esp=00a6e1f8 ebp=00a6e254 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
*** WARNING: Unable to verify checksum for C:\php\php_gd2.dll
php_gd2!zif_imageaffinematrixget+0x10b:
66b6433b 80790c04        cmp     byte ptr [ecx+0Ch],4       ds:002b:0000000c=??
*** WARNING: Unable to verify checksum for C:\php\php5.dll
*** WARNING: Unable to verify checksum for php.exe
0:000> k
ChildEBP RetAddr  
00a6e254 63999971 php_gd2!zif_imageaffinematrixget+0x10b [c:\php-sdk\php55\vc11\x86\php-5.5.7\ext\gd\gd.c @ 5210]
00a6e2bc 63999075 php5!zend_do_fcall_common_helper_SPEC+0x1b1 [c:\php-sdk\php55\vc11\x86\php-5.5.7\zend\zend_vm_execute.h @ 550]
00a6e2f8 639b052b php5!execute_ex+0x295 [c:\php-sdk\php55\vc11\x86\php-5.5.7\zend\zend_vm_execute.h @ 363]
00a6e31c 639b0ede php5!zend_execute+0x14b [c:\php-sdk\php55\vc11\x86\php-5.5.7\zend\zend_vm_execute.h @ 388]
00a6e350 639b1c7c php5!zend_execute_scripts+0xde [c:\php-sdk\php55\vc11\x86\php-5.5.7\zend\zend.c @ 1320]
00a6e5d0 757ea1e0 php5!php_execute_script+0x14c [c:\php-sdk\php55\vc11\x86\php-5.5.7\main\main.c @ 2489]


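The two crashes above share one root cause: an error path that emits a warning and then keeps going. The following is an added example, not php-src or libgd code; it models that control flow with deliberately minimal stand-ins whose names (zval, hash_of, hash_find, IS_ARRAY) are borrowed only to keep the parallel readable. The matrix layout follows libgd's (a, b, c, d, e, f) convention for translate and scale; everything else is an assumption of this model.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for the engine types involved; these are NOT php-src definitions. */
enum { IS_LONG = 1, IS_DOUBLE = 2, IS_ARRAY = 4 };
enum { AFFINE_TRANSLATE = 0, AFFINE_SCALE = 1 };
typedef enum { OPT_MISSING, OPT_SCALAR, OPT_ARRAY } opt_kind;

typedef struct { const char *key; double val; } entry;
typedef struct { entry items[2]; size_t n; } hashtable;   /* stand-in for HashTable */
typedef struct { int type; union { long l; double d; hashtable *arr; } v; } zval;

/* HASH_OF() yields NULL for anything that is not an array; that NULL is what the
 * crashing path handed to zend_hash_find. */
static hashtable *hash_of(const zval *z) { return z->type == IS_ARRAY ? z->v.arr : NULL; }

/* Stand-in for zend_hash_find: like the original, it trusts its ht argument. */
static int hash_find(const hashtable *ht, const char *key, double *out) {
    for (size_t i = 0; i < ht->n; i++)        /* ht->n is the NULL dereference */
        if (strcmp(ht->items[i].key, key) == 0) { *out = ht->items[i].val; return 1; }
    return 0;
}

static void fill(double m[6], double a, double b, double c, double d, double e, double f) {
    m[0] = a; m[1] = b; m[2] = c; m[3] = d; m[4] = e; m[5] = f;
}

/* Pre-fix control flow as described in the report: the warning is emitted but
 * execution falls through to hash_of()/hash_find on a non-array (crash #1), and
 * options->type is read even when no options zval exists (crash #2).
 * Calling this with OPT_SCALAR or OPT_MISSING input reproduces both faults. */
int affine_matrix_get_unfixed(int type, const zval *options, double m[6]) {
    double x, y;
    if (options->type != IS_ARRAY)                          /* crash #2 if options == NULL */
        fprintf(stderr, "Warning: Array expected as options\n");
    /* RETURN_FALSE missing here */
    if (!hash_find(hash_of(options), "x", &x) ||           /* crash #1: hash_of() == NULL */
        !hash_find(hash_of(options), "y", &y))
        return 0;
    if (type == AFFINE_TRANSLATE) fill(m, 1, 0, 0, 1, x, y); else fill(m, x, 0, 0, y, 0, 0);
    return 1;
}

/* Hardened version: the options argument is required (as cmb points out below),
 * and every warning is followed by an immediate FALSE return, so nothing after
 * the type check ever sees a NULL hash table. */
int affine_matrix_get_fixed(int type, const zval *options, double m[6]) {
    double x, y;
    if (options == NULL) {
        fprintf(stderr, "Warning: options parameter is required\n");
        return 0;
    }
    if (options->type != IS_ARRAY) {
        fprintf(stderr, "Warning: Array expected as options\n");
        return 0;                                          /* the missing RETURN_FALSE */
    }
    if (!hash_find(hash_of(options), "x", &x) || !hash_find(hash_of(options), "y", &y)) {
        fprintf(stderr, "Warning: Missing x or y position\n");
        return 0;
    }
    if (type == AFFINE_TRANSLATE) fill(m, 1, 0, 0, 1, x, y); else fill(m, x, 0, 0, y, 0, 0);
    return 1;
}

/* Builds the three argument shapes from the report's test script (no options,
 * scalar options, array options) and runs the hardened function on them. */
int call_fixed(int type, opt_kind kind, double x, double y, double m[6]) {
    hashtable ht = { { { "x", x }, { "y", y } }, 2 };
    zval scalar = { IS_LONG, { .l = 0 } };                   /* imageaffinematrixget(..., 0) */
    zval array  = { IS_ARRAY, { .arr = &ht } };
    const zval *opts = kind == OPT_MISSING ? NULL : kind == OPT_SCALAR ? &scalar : &array;
    return affine_matrix_get_fixed(type, opts, m);
}

double demo_matrix[6];

int main(void) {
    printf("scale, no options   -> %d\n", call_fixed(AFFINE_SCALE, OPT_MISSING, 0, 0, demo_matrix));
    printf("scale, options = 0  -> %d\n", call_fixed(AFFINE_SCALE, OPT_SCALAR, 0, 0, demo_matrix));
    if (call_fixed(AFFINE_SCALE, OPT_ARRAY, 2, 3, demo_matrix))
        printf("scale, x=2 y=3      -> [%g %g %g %g %g %g]\n", demo_matrix[0], demo_matrix[1],
               demo_matrix[2], demo_matrix[3], demo_matrix[4], demo_matrix[5]);
    return 0;
}
```

The unfixed variant is kept only to show the shape of the defect; running it on the scalar or missing-options inputs dereferences NULL exactly as the two backtraces above do. The general lesson is the same as in the real fix: in extension code, php_error_docref reports but does not abort, so every argument-validation warning needs its own return.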
History

 [2014-01-07 19:00 UTC] spam2 at rhsoft dot net
PHP 5.5.7 is *horribly* broken and causing *random* segfaults
https://bugzilla.redhat.com/show_bug.cgi?id=1049417

after some hours with no segfault after downgrade to 5.5.6 this is *sure*
 [2016-06-10 12:35 UTC] cmb@php.net
Automatic comment from SVN on behalf of cmb
Revision: http://svn.php.net/viewvc/?view=revision&revision=339318
Log: The second parameter is not optional as pointed out in #66386.
 [2016-06-10 12:38 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2016-06-10 12:38 UTC] cmb@php.net
> According to docs ([…]) second parameter can be optional and
> mixed but only seems to work when an Array is passed.

Indeed, the second parameter is required; its type depends on the
first parameter which has recently been clarified in the XML
sources of the PHP manual. The online and downloadable versions of
the documentation need some time to get updated, though.

Anyhow, this bug has already been fixed as of PHP 5.5.13 and
5.6.0, respectively, to resolve bug #67248. Therefore I'm closing
this ticket as duplicate. Thanks for reporting!
 [2016-06-10 12:42 UTC] cmb@php.net
Amendment: the actual issue (the missing RETURN_FALSE) has been
fixed by commit 8e3c201[1]. However, this commit refers to #66869,
which is unrelated.

[1] <https://github.com/php/php-src/commit/8e3c2015dc71271523f502bed7afdbb2aeb0acae>