Bug #73840 SIGABRT when chaining getPixelIterator() and getCurrentIteratorRow()
Submitted: 2016-12-29 22:35 UTC
Modified: 2017-10-24 05:26 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 0 of 1 (0.0%)
From: mdoelker at me dot com
Assigned: danack
Status: Assigned
Package: imagick (PECL)
PHP Version: Irrelevant
OS: macOS/Linux
Private report: No
CVE-ID: None
 [2016-12-29 22:35 UTC] mdoelker at me dot com
Description:
------------
If an ImagickPixelIterator is dereferenced directly without storing a ref to a variable first, the process will crash when calling methods on an ImagickPixel of a row we are iterating over. Any ImagickPixel method will trigger the "wand->signature == WandSignature" assertion, each on a different line in wand/pixel-wand.c.

Tested on PHP 7.0.14 with imagick ext 3.4.2 (ImageMagick 6.9.7-0 Q16 x86_64 2016-12-18). PHP 5.x is affected as well.

Test script:
---------------
<?php
$im = new Imagick();
$im->newImage(1, 1, 'black');

// This works fine
$it = $im->getPixelIterator();
$row = $it->getCurrentIteratorRow();
$rgb = $row[0]->getColor();

var_dump($rgb);

// This crashes with SIGABRT
$row = $im->getPixelIterator()->getCurrentIteratorRow();
$rgb = $row[0]->getColor();

var_dump($rgb);

Expected result:
----------------
array(4) {
  ["r"]=>
  int(0)
  ["g"]=>
  int(0)
  ["b"]=>
  int(0)
  ["a"]=>
  int(1)
}
array(4) {
  ["r"]=>
  int(0)
  ["g"]=>
  int(0)
  ["b"]=>
  int(0)
  ["a"]=>
  int(1)
}

Actual result:
--------------
array(4) {
  ["r"]=>
  int(0)
  ["g"]=>
  int(0)
  ["b"]=>
  int(0)
  ["a"]=>
  int(1)
}
Assertion failed: (wand->signature == WandSignature), function PixelGetRed, file wand/pixel-wand.c, line 1338.
Abort trap: 6

History
 [2017-01-06 11:08 UTC] danack@php.net
-Assigned To: +Assigned To: danack
 [2017-01-07 00:14 UTC] danack@php.net
-Status: Assigned +Status: Verified
 [2017-01-07 00:14 UTC] danack@php.net
It looks like the pixelIterator is being destroyed when it needs to stay active, due to the iteratorRow still having a reference to it.

As you noted, separating the steps out to have the iterator stored as a variable is a workaround as it forces the iterator to stay active.
 [2017-10-24 05:26 UTC] kalle@php.net
-Status: Verified +Status: Assigned
 [2017-10-24 11:09 UTC] danack@php.net
Apparently what is needed is "to add a reference to the iterator object, when a 'child' pixel object is created. And decrement when the pixel object is destroyed."
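
The ownership rule quoted in the comment above, modelled as an added C example (this is not code from imagick or ImageMagick). Every name here (`Iterator`, `Row`, `chained_read`, `live_iterators`) is hypothetical, `WAND_SIGNATURE` is a stand-in constant, and the signature check returns -1 at the point where the real library asserts and aborts.

```c
#include <stdlib.h>
#define WAND_SIGNATURE 0xabacadabUL  /* stand-in constant for this model */
typedef struct { unsigned long signature; int red; } PixelWand;
typedef struct { int refcount; size_t n; PixelWand *wands; } Iterator;
typedef struct { Iterator *parent; PixelWand *pixels; } Row;  /* pixels are borrowed */
static int live_iterators = 0;       /* instrumentation for the example */
static void *xcalloc(size_t n, size_t sz) { void *p = calloc(n, sz); if (!p) abort(); return p; }

Iterator *iterator_new(size_t n) {
    Iterator *it = xcalloc(1, sizeof *it);
    it->refcount = 1; it->n = n;     /* one reference: the caller's handle */
    it->wands = xcalloc(n, sizeof *it->wands);
    for (size_t i = 0; i < n; i++) it->wands[i].signature = WAND_SIGNATURE;
    live_iterators++;
    return it;
}

void iterator_release(Iterator *it) {
    if (--it->refcount > 0) return;  /* a child row still needs the wands */
    for (size_t i = 0; i < it->n; i++) it->wands[i].signature = 0;
    free(it->wands); free(it);
    live_iterators--;
}

Row *iterator_current_row(Iterator *it) {
    Row *row = xcalloc(1, sizeof *row);
    row->parent = it; row->pixels = it->wands;
    it->refcount++;                  /* increment when the child is created */
    return row;
}

void row_release(Row *row) {
    Iterator *parent = row->parent;
    free(row);
    iterator_release(parent);        /* decrement when the child is destroyed */
}

/* Returns red, or -1 in the state where the real library asserts and aborts. */
int pixel_get_red(const PixelWand *w) { return w->signature == WAND_SIGNATURE ? w->red : -1; }

/* The chained call: the temporary iterator handle is dropped before the read. */
int chained_read(void) {
    Iterator *tmp = iterator_new(1);
    Row *row = iterator_current_row(tmp);
    iterator_release(tmp);           /* end of the temporary's lifetime */
    int red = (live_iterators == 1) ? pixel_get_red(&row->pixels[0]) : -1;
    row_release(row);                /* last reference: iterator freed here */
    return red;
}
```

Without the `it->refcount++` in `iterator_current_row`, the `iterator_release(tmp)` call would free the wands while `row->pixels` still points at them, which is the state the report's chained call reaches.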