PHP :: Bug #72337 :: segfault in gdImageScaleBicubicFixed at gd

Bug #72337

segfault in gdImageScaleBicubicFixed at gd_interpolation.c:1605

Submitted:

2016-06-05 21:12 UTC

Modified:

2016-07-12 17:55 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

brian dot carpenter at gmail dot com

Assigned:

ab (profile)

Status:

Closed

Package:

Reproducible crash

PHP Version:

7.0Git-2016-06-05 (Git)

OS:

Debian 8.2 x64

Private report:

CVE-ID:

None

View Developer Edit

[2016-06-05 21:12 UTC] brian dot carpenter at gmail dot com

Description:
------------
While fuzzing PHP 7.1.0-dev (cli) (built: Jun  1 2016 04:52:26) with American Fuzzy Lop, this test case was found to cause a segfault.

Test script:
---------------
<?php
$img=imagecreatetruecolor(1,!0);imagescale($img,0,0,w^B);

Expected result:
----------------
No crash. 



Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
gdImageScaleBicubicFixed (src=0x7ffff5e77000, width=<optimized out>, height=<optimized out>)
    at /home/geeknik/php-src/ext/gd/libgd/gd_interpolation.c:1605
1605                                            c = src->tpixels[*(src_offset_y + _k)][*(src_offset_x + _k)];

(gdb) bt
#0  gdImageScaleBicubicFixed (src=0x7ffff5e77000, width=<optimized out>, height=<optimized out>)
    at /home/geeknik/php-src/ext/gd/libgd/gd_interpolation.c:1605
#1  0x0000000000e675c5 in gdImageScale (src=src@entry=0x7ffff5e77000, new_width=new_width@entry=0,
    new_height=new_height@entry=0) at /home/geeknik/php-src/ext/gd/libgd/gd_interpolation.c:1651
#2  0x0000000000d74b26 in zif_imagescale (execute_data=<optimized out>, return_value=0x7fffffffacd0)
    at /home/geeknik/php-src/ext/gd/gd.c:4674
#3  0x00000000018d9c96 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x7ffff5e13030)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:616
#4  0x000000000187ba98 in execute_ex (ex=<optimized out>) at /home/geeknik/php-src/Zend/zend_vm_execute.h:429
#5  0x0000000001a7b73c in zend_execute (op_array=op_array@entry=0x7ffff5e7f000,
    return_value=return_value@entry=0x0) at /home/geeknik/php-src/Zend/zend_vm_execute.h:471
#6  0x0000000001684641 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0,
    file_count=file_count@entry=3) at /home/geeknik/php-src/Zend/zend.c:1427
#7  0x0000000001428538 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd270)
    at /home/geeknik/php-src/main/main.c:2492
#8  0x0000000001a85d65 in do_cli (argc=2, argv=0x22359f0) at /home/geeknik/php-src/sapi/cli/php_cli.c:982
#9  0x00000000004561b5 in main (argc=2, argv=0x22359f0) at /home/geeknik/php-src/sapi/cli/php_cli.c:1352

(gdb) l
1600                                            if (f_fm1 > 0) f_d = gd_mulfx(f_fm1,gd_mulfx(f_fm1,f_fm1));
1601
1602                                            f_RX = gd_divfx((f_a-gd_mulfx(f_4,f_b)+gd_mulfx(f_6,f_c)-gd_mulfx(f_4,f_d)),f_6);
1603                                            f_R = gd_mulfx(f_RY,f_RX);
1604
1605                                            c = src->tpixels[*(src_offset_y + _k)][*(src_offset_x + _k)];
1606                                            f_rs = gd_itofx(gdTrueColorGetRed(c));
1607                                            f_gs = gd_itofx(gdTrueColorGetGreen(c));
1608                                            f_bs = gd_itofx(gdTrueColorGetBlue(c));
1609                                            f_ba = gd_itofx(gdTrueColorGetAlpha(c));


==18480== Conditional jump or move depends on uninitialised value(s)
==18480==    at 0x1711BCE: zend_hash_find (zend_hash.c:494)
==18480==    by 0x183905C: zend_do_inheritance (zend_inheritance.c:645)
==18480==    by 0x16AB72A: zend_register_internal_class_ex (zend_API.c:2671)
==18480==    by 0x176C46E: zend_register_default_exception (zend_exceptions.c:835)
==18480==    by 0x18281C5: zend_register_default_classes (zend_default_classes.c:34)
==18480==    by 0x173C3D9: zm_startup_core (zend_builtin_functions.c:391)
==18480==    by 0x169C8C7: zend_startup_module_ex (zend_API.c:1838)
==18480==    by 0x16FA6A5: zend_hash_apply (zend_hash.c:1533)
==18480==    by 0x16A1355: zend_startup_modules (zend_API.c:1964)
==18480==    by 0x1425D69: php_module_startup (main.c:2215)
==18480==    by 0x1A81554: php_cli_startup (php_cli.c:423)
==18480==    by 0x455607: main (php_cli.c:1332)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0x4003208: dl_main (rtld.c:1666)
==18480==
==18480== Conditional jump or move depends on uninitialised value(s)
==18480==    at 0x1711F6D: zend_hash_find (zend_hash.c:494)
==18480==    by 0x183905C: zend_do_inheritance (zend_inheritance.c:645)
==18480==    by 0x16AB72A: zend_register_internal_class_ex (zend_API.c:2671)
==18480==    by 0x176C46E: zend_register_default_exception (zend_exceptions.c:835)
==18480==    by 0x18281C5: zend_register_default_classes (zend_default_classes.c:34)
==18480==    by 0x173C3D9: zm_startup_core (zend_builtin_functions.c:391)
==18480==    by 0x169C8C7: zend_startup_module_ex (zend_API.c:1838)
==18480==    by 0x16FA6A5: zend_hash_apply (zend_hash.c:1533)
==18480==    by 0x16A1355: zend_startup_modules (zend_API.c:1964)
==18480==    by 0x1425D69: php_module_startup (main.c:2215)
==18480==    by 0x1A81554: php_cli_startup (php_cli.c:423)
==18480==    by 0x455607: main (php_cli.c:1332)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0x4003208: dl_main (rtld.c:1666)
==18480==
==18480== Conditional jump or move depends on uninitialised value(s)
==18480==    at 0x1711BCE: zend_hash_find (zend_hash.c:494)
==18480==    by 0x183905C: zend_do_inheritance (zend_inheritance.c:645)
==18480==    by 0x16AB72A: zend_register_internal_class_ex (zend_API.c:2671)
==18480==    by 0x176C8ED: zend_register_default_exception (zend_exceptions.c:853)
==18480==    by 0x18281C5: zend_register_default_classes (zend_default_classes.c:34)
==18480==    by 0x173C3D9: zm_startup_core (zend_builtin_functions.c:391)
==18480==    by 0x169C8C7: zend_startup_module_ex (zend_API.c:1838)
==18480==    by 0x16FA6A5: zend_hash_apply (zend_hash.c:1533)
==18480==    by 0x16A1355: zend_startup_modules (zend_API.c:1964)
==18480==    by 0x1425D69: php_module_startup (main.c:2215)
==18480==    by 0x1A81554: php_cli_startup (php_cli.c:423)
==18480==    by 0x455607: main (php_cli.c:1332)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0x4003208: dl_main (rtld.c:1666)
==18480==
==18480== Conditional jump or move depends on uninitialised value(s)
==18480==    at 0x1711F6D: zend_hash_find (zend_hash.c:494)
==18480==    by 0x183905C: zend_do_inheritance (zend_inheritance.c:645)
==18480==    by 0x16AB72A: zend_register_internal_class_ex (zend_API.c:2671)
==18480==    by 0x176C8ED: zend_register_default_exception (zend_exceptions.c:853)
==18480==    by 0x18281C5: zend_register_default_classes (zend_default_classes.c:34)
==18480==    by 0x173C3D9: zm_startup_core (zend_builtin_functions.c:391)
==18480==    by 0x169C8C7: zend_startup_module_ex (zend_API.c:1838)
==18480==    by 0x16FA6A5: zend_hash_apply (zend_hash.c:1533)
==18480==    by 0x16A1355: zend_startup_modules (zend_API.c:1964)
==18480==    by 0x1425D69: php_module_startup (main.c:2215)
==18480==    by 0x1A81554: php_cli_startup (php_cli.c:423)
==18480==    by 0x455607: main (php_cli.c:1332)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0x4003208: dl_main (rtld.c:1666)
==18480==
==18480== Conditional jump or move depends on uninitialised value(s)
==18480==    at 0x1711BCE: zend_hash_find (zend_hash.c:494)
==18480==    by 0x183905C: zend_do_inheritance (zend_inheritance.c:645)
==18480==    by 0x16AB72A: zend_register_internal_class_ex (zend_API.c:2671)
==18480==    by 0x176CAAF: zend_register_default_exception (zend_exceptions.c:857)
==18480==    by 0x18281C5: zend_register_default_classes (zend_default_classes.c:34)
==18480==    by 0x173C3D9: zm_startup_core (zend_builtin_functions.c:391)
==18480==    by 0x169C8C7: zend_startup_module_ex (zend_API.c:1838)
==18480==    by 0x16FA6A5: zend_hash_apply (zend_hash.c:1533)
==18480==    by 0x16A1355: zend_startup_modules (zend_API.c:1964)
==18480==    by 0x1425D69: php_module_startup (main.c:2215)
==18480==    by 0x1A81554: php_cli_startup (php_cli.c:423)
==18480==    by 0x455607: main (php_cli.c:1332)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0x4003208: dl_main (rtld.c:1666)
==18480==
==18480== Conditional jump or move depends on uninitialised value(s)
==18480==    at 0x1711F6D: zend_hash_find (zend_hash.c:494)
==18480==    by 0x183905C: zend_do_inheritance (zend_inheritance.c:645)
==18480==    by 0x16AB72A: zend_register_internal_class_ex (zend_API.c:2671)
==18480==    by 0x176CAAF: zend_register_default_exception (zend_exceptions.c:857)
==18480==    by 0x18281C5: zend_register_default_classes (zend_default_classes.c:34)
==18480==    by 0x173C3D9: zm_startup_core (zend_builtin_functions.c:391)
==18480==    by 0x169C8C7: zend_startup_module_ex (zend_API.c:1838)
==18480==    by 0x16FA6A5: zend_hash_apply (zend_hash.c:1533)
==18480==    by 0x16A1355: zend_startup_modules (zend_API.c:1964)
==18480==    by 0x1425D69: php_module_startup (main.c:2215)
==18480==    by 0x1A81554: php_cli_startup (php_cli.c:423)
==18480==    by 0x455607: main (php_cli.c:1332)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0x4003208: dl_main (rtld.c:1666)
==18480==
==18480== Conditional jump or move depends on uninitialised value(s)
==18480==    at 0x1711BCE: zend_hash_find (zend_hash.c:494)
==18480==    by 0x183905C: zend_do_inheritance (zend_inheritance.c:645)
==18480==    by 0x16AB72A: zend_register_internal_class_ex (zend_API.c:2671)
==18480==    by 0x176CC7E: zend_register_default_exception (zend_exceptions.c:861)
==18480==    by 0x18281C5: zend_register_default_classes (zend_default_classes.c:34)
==18480==    by 0x173C3D9: zm_startup_core (zend_builtin_functions.c:391)
==18480==    by 0x169C8C7: zend_startup_module_ex (zend_API.c:1838)
==18480==    by 0x16FA6A5: zend_hash_apply (zend_hash.c:1533)
==18480==    by 0x16A1355: zend_startup_modules (zend_API.c:1964)
==18480==    by 0x1425D69: php_module_startup (main.c:2215)
==18480==    by 0x1A81554: php_cli_startup (php_cli.c:423)
==18480==    by 0x455607: main (php_cli.c:1332)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0x4003208: dl_main (rtld.c:1666)
==18480==
==18480== Conditional jump or move depends on uninitialised value(s)
==18480==    at 0x1711F6D: zend_hash_find (zend_hash.c:494)
==18480==    by 0x183905C: zend_do_inheritance (zend_inheritance.c:645)
==18480==    by 0x16AB72A: zend_register_internal_class_ex (zend_API.c:2671)
==18480==    by 0x176CC7E: zend_register_default_exception (zend_exceptions.c:861)
==18480==    by 0x18281C5: zend_register_default_classes (zend_default_classes.c:34)
==18480==    by 0x173C3D9: zm_startup_core (zend_builtin_functions.c:391)
==18480==    by 0x169C8C7: zend_startup_module_ex (zend_API.c:1838)
==18480==    by 0x16FA6A5: zend_hash_apply (zend_hash.c:1533)
==18480==    by 0x16A1355: zend_startup_modules (zend_API.c:1964)
==18480==    by 0x1425D69: php_module_startup (main.c:2215)
==18480==    by 0x1A81554: php_cli_startup (php_cli.c:423)
==18480==    by 0x455607: main (php_cli.c:1332)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0x4003208: dl_main (rtld.c:1666)
==18480==
==18480== Conditional jump or move depends on uninitialised value(s)
==18480==    at 0x1711BCE: zend_hash_find (zend_hash.c:494)
==18480==    by 0x183905C: zend_do_inheritance (zend_inheritance.c:645)
==18480==    by 0x16AB72A: zend_register_internal_class_ex (zend_API.c:2671)
==18480==    by 0x176CE4A: zend_register_default_exception (zend_exceptions.c:865)
==18480==    by 0x18281C5: zend_register_default_classes (zend_default_classes.c:34)
==18480==    by 0x173C3D9: zm_startup_core (zend_builtin_functions.c:391)
==18480==    by 0x169C8C7: zend_startup_module_ex (zend_API.c:1838)
==18480==    by 0x16FA6A5: zend_hash_apply (zend_hash.c:1533)
==18480==    by 0x16A1355: zend_startup_modules (zend_API.c:1964)
==18480==    by 0x1425D69: php_module_startup (main.c:2215)
==18480==    by 0x1A81554: php_cli_startup (php_cli.c:423)
==18480==    by 0x455607: main (php_cli.c:1332)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0x4003208: dl_main (rtld.c:1666)
==18480==
==18480== Conditional jump or move depends on uninitialised value(s)
==18480==    at 0x1711F6D: zend_hash_find (zend_hash.c:494)
==18480==    by 0x183905C: zend_do_inheritance (zend_inheritance.c:645)
==18480==    by 0x16AB72A: zend_register_internal_class_ex (zend_API.c:2671)
==18480==    by 0x176CE4A: zend_register_default_exception (zend_exceptions.c:865)
==18480==    by 0x18281C5: zend_register_default_classes (zend_default_classes.c:34)
==18480==    by 0x173C3D9: zm_startup_core (zend_builtin_functions.c:391)
==18480==    by 0x169C8C7: zend_startup_module_ex (zend_API.c:1838)
==18480==    by 0x16FA6A5: zend_hash_apply (zend_hash.c:1533)
==18480==    by 0x16A1355: zend_startup_modules (zend_API.c:1964)
==18480==    by 0x1425D69: php_module_startup (main.c:2215)
==18480==    by 0x1A81554: php_cli_startup (php_cli.c:423)
==18480==    by 0x455607: main (php_cli.c:1332)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0x4003208: dl_main (rtld.c:1666)
==18480==
==18480== Conditional jump or move depends on uninitialised value(s)
==18480==    at 0x1711BCE: zend_hash_find (zend_hash.c:494)
==18480==    by 0x183905C: zend_do_inheritance (zend_inheritance.c:645)
==18480==    by 0x16AB72A: zend_register_internal_class_ex (zend_API.c:2671)
==18480==    by 0x17C3E3A: zend_register_generator_ce (zend_generators.c:1255)
==18480==    by 0x173C3D9: zm_startup_core (zend_builtin_functions.c:391)
==18480==    by 0x169C8C7: zend_startup_module_ex (zend_API.c:1838)
==18480==    by 0x16FA6A5: zend_hash_apply (zend_hash.c:1533)
==18480==    by 0x16A1355: zend_startup_modules (zend_API.c:1964)
==18480==    by 0x1425D69: php_module_startup (main.c:2215)
==18480==    by 0x1A81554: php_cli_startup (php_cli.c:423)
==18480==    by 0x455607: main (php_cli.c:1332)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0x4003208: dl_main (rtld.c:1666)
==18480==
==18480== Conditional jump or move depends on uninitialised value(s)
==18480==    at 0x1711F6D: zend_hash_find (zend_hash.c:494)
==18480==    by 0x183905C: zend_do_inheritance (zend_inheritance.c:645)
==18480==    by 0x16AB72A: zend_register_internal_class_ex (zend_API.c:2671)
==18480==    by 0x17C3E3A: zend_register_generator_ce (zend_generators.c:1255)
==18480==    by 0x173C3D9: zm_startup_core (zend_builtin_functions.c:391)
==18480==    by 0x169C8C7: zend_startup_module_ex (zend_API.c:1838)
==18480==    by 0x16FA6A5: zend_hash_apply (zend_hash.c:1533)
==18480==    by 0x16A1355: zend_startup_modules (zend_API.c:1964)
==18480==    by 0x1425D69: php_module_startup (main.c:2215)
==18480==    by 0x1A81554: php_cli_startup (php_cli.c:423)
==18480==    by 0x455607: main (php_cli.c:1332)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0x4003208: dl_main (rtld.c:1666)
==18480==
==18480== Use of uninitialised value of size 8
==18480==    at 0xE6685D: gdImageScaleBicubicFixed (gd_interpolation.c:1605)
==18480==    by 0xD74B25: zif_imagescale (gd.c:4674)
==18480==    by 0x18D9C95: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:616)
==18480==    by 0x187BA97: execute_ex (zend_vm_execute.h:429)
==18480==    by 0x1A7B73B: zend_execute (zend_vm_execute.h:471)
==18480==    by 0x1684640: zend_execute_scripts (zend.c:1427)
==18480==    by 0x1428537: php_execute_script (main.c:2492)
==18480==    by 0x1A85D64: do_cli (php_cli.c:982)
==18480==    by 0x4561B4: main (php_cli.c:1352)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0xE671D0: gdImageScale (gd_interpolation.c:1633)
==18480==
==18480== Use of uninitialised value of size 8
==18480==    at 0xE66896: gdImageScaleBicubicFixed (gd_interpolation.c:1605)
==18480==    by 0xD74B25: zif_imagescale (gd.c:4674)
==18480==    by 0x18D9C95: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:616)
==18480==    by 0x187BA97: execute_ex (zend_vm_execute.h:429)
==18480==    by 0x1A7B73B: zend_execute (zend_vm_execute.h:471)
==18480==    by 0x1684640: zend_execute_scripts (zend.c:1427)
==18480==    by 0x1428537: php_execute_script (main.c:2492)
==18480==    by 0x1A85D64: do_cli (php_cli.c:982)
==18480==    by 0x4561B4: main (php_cli.c:1352)
==18480==  Uninitialised value was created by a stack allocation
==18480==    at 0xE65C70: gdImageScaleBicubicFixed (gd_interpolation.c:1397)
==18480==
==18480== Invalid read of size 4
==18480==    at 0xE66896: gdImageScaleBicubicFixed (gd_interpolation.c:1605)
==18480==    by 0xD74B25: zif_imagescale (gd.c:4674)
==18480==    by 0x18D9C95: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:616)
==18480==    by 0x187BA97: execute_ex (zend_vm_execute.h:429)
==18480==    by 0x1A7B73B: zend_execute (zend_vm_execute.h:471)
==18480==    by 0x1684640: zend_execute_scripts (zend.c:1427)
==18480==    by 0x1428537: php_execute_script (main.c:2492)
==18480==    by 0x1A85D64: do_cli (php_cli.c:982)
==18480==    by 0x4561B4: main (php_cli.c:1352)
==18480==  Address 0x40707201c is not stack'd, malloc'd or (recently) free'd

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-06-06 18:43 UTC] cmb@php.net

-Status: Open +Status: Verified

[2016-06-06 18:43 UTC] cmb@php.net

I can confirm the issue (seems to affect older versions also).
The given test script is identical to:

    <?php
    $im = imagecreatetruecolor(1, 1);
    imagescale($im, 0, 0, IMG_BICUBIC_FIXED);

The issue might be related to bug #66625.

[2016-06-07 04:06 UTC] pajoye@php.net

They are different issues. This one is about new width or height being zero which may go through.

#66625 is about wrong type used for the new_width and height, as described precisely there.

Patches coming, running further tests.

[2016-06-07 10:44 UTC] pajoye@php.net

-Status: Verified +Status: Assigned -Assigned To: +Assigned To: ab

[2016-06-07 10:44 UTC] pajoye@php.net

Fixed in 5.6+

Must be merge to 5.5 but as it is security mode, I leave the choice to the RMs to merge it or not before the last release.

[2016-07-12 17:55 UTC] ab@php.net

-Status: Assigned +Status: Closed

[2016-07-12 17:55 UTC] ab@php.net

As discussed with Julien, this is not a security related issue, so won't be merged into 5.5.

Thanks.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 11:01:29 2024 UTC