Bug #66625 imagescale() segmentation fault on 64bits environment
Submitted: 2014-02-02 03:50 UTC Modified: 2017-01-18 18:58 UTC
Votes:8
Avg. Score:4.6 ± 0.7
Reproduced:8 of 8 (100.0%)
Same Version:3 (37.5%)
Same OS:4 (50.0%)
From: yoya at awm dot jp Assigned: cmb
Status: Duplicate Package: GD related
PHP Version: 5.5.8 OS: Any
Private report: No CVE-ID: None
 [2014-02-02 03:50 UTC] yoya at awm dot jp
Description:
------------
* ext/gd.c
----
PHP_FUNCTION(imagescale)
{
        zval *IM;
        gdImagePtr im;
        gdImagePtr im_scaled;
        int new_width, new_height = -1;
        gdInterpolationMethod method = GD_BILINEAR_FIXED;

        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rl|ll", &IM, &new_width, &new_height, &method) == FAILURE)  {
----

On a 64-bit environment, 'l' (long) has a 64-bit width, while int and the gdInterpolationMethod type have 32 bits, so the IM pointer is destroyed by the values of other variables.

This problem is related to id:65171, I guess.
- https://bugs.php.net/bug.php?id=65171


Test script:
---------------
<?php

$data = file_get_contents($argv[1]);
$im = ImageCreateFromString($data);
$im2 = imagescale($im, 256, 192, IMG_NEAREST_NEIGHBOUR);
imagepng($im2, 'output.png');

Actual result:
--------------
Segmentation fault
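
Added example (not part of the original report and not code from php-src): a self-contained C model of the width mismatch described in the report, next to a generic corrected pattern. parse_long(), struct locals and both function names are hypothetical, and the corrected pattern is one common approach, not necessarily the change made for bug #66890.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of two adjacent 32-bit locals (hypothetical layout). */
struct locals { int new_width; int new_height; };

/* Hypothetical stand-in for an "l" parameter: always stores a full long. */
static void parse_long(void *dst, long value) {
    memcpy(dst, &value, sizeof value);
}

/* Mismatched pattern: the long is stored where an int lives.
   Returns 1 if the store to new_width also overwrote new_height. */
int mismatched_store_clobbers_neighbour(void) {
    /* raw is oversized so the wide store stays in bounds in this model. */
    union {
        struct locals v;
        unsigned char raw[sizeof(struct locals) + sizeof(long)];
    } frame;
    memset(&frame, 0, sizeof frame);
    frame.v.new_height = 192;
    parse_long(frame.raw + offsetof(struct locals, new_width), 256);
    return frame.v.new_height != 192;
}

/* Matched pattern: receive into long temporaries, range-check, then narrow.
   Returns 0 on success, -1 if a value does not fit in int. */
int checked_store(long w, long h, struct locals *out) {
    long tmp_w, tmp_h;
    parse_long(&tmp_w, w);
    parse_long(&tmp_h, h);
    if (tmp_w < INT_MIN || tmp_w > INT_MAX ||
        tmp_h < INT_MIN || tmp_h > INT_MAX)
        return -1;
    out->new_width = (int)tmp_w;
    out->new_height = (int)tmp_h;
    return 0;
}

int main(void) {
    struct locals out = {0, 0};
    printf("sizeof(long)=%zu sizeof(int)=%zu\n", sizeof(long), sizeof(int));
    printf("neighbour clobbered: %d\n", mismatched_store_clobbers_neighbour());
    printf("checked_store(256, 192): %d\n", checked_store(256, 192, &out));
    return 0;
}
```

Where long and int have the same width the mismatched store reports no clobbering, which matches the report's observation that the crash appears on 64-bit environments.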

 [2014-03-24 22:47 UTC] mwanat at forall dot pl
Confirmed on 64-bit CentOS & PHP 5.5.10
 [2016-06-07 04:03 UTC] pajoye@php.net
They are different issues. #72337 is about new width or height being zero.

This one is about the wrong type being used for the new_width and height, as described precisely here.

Patches coming, running further tests.
 [2017-01-18 18:58 UTC] cmb@php.net
-Status: Open
+Status: Duplicate
-Assigned To:
+Assigned To: cmb
 [2017-01-18 18:58 UTC] cmb@php.net
This has already been fixed as resolution of bug #66890, so I'm
marking this ticket as duplicate.
 
Last updated: Wed May 27 12:01:27 2020 UTC