php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73840 SIGABRT when chaining getPixelIterator() and getCurrentIteratorRow()
Submitted: 2016-12-29 22:35 UTC Modified: 2017-10-24 05:26 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: mdoelker at me dot com Assigned: danack (profile)
Status: Assigned Package: imagick (PECL)
PHP Version: Irrelevant OS: macOS/Linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: mdoelker at me dot com
New email:
PHP Version: OS:

 

 [2016-12-29 22:35 UTC] mdoelker at me dot com
Description:
------------
If an ImagickPixelIterator is dereferenced directly without storing a ref to a variable first, the process will crash when calling methods on an ImagickPixel of a row we are iterating over. Any ImagickPixel method will trigger the "wand->signature == WandSignature" assertion, each on a different line in wand/pixel-wand.c.

Tested on PHP 7.0.14 with imagick ext 3.4.2 (ImageMagick 6.9.7-0 Q16 x86_64 2016-12-18). PHP 5.x is affected as well.

Test script:
---------------
$im = new Imagick();
$im->newImage(1, 1, 'black');

// This works fine
$it = $im->getPixelIterator();
$row = $it->getCurrentIteratorRow();
$rgb = $row[0]->getColor();

var_dump($rgb);

// This crashes with SIGABRT
$row = $im->getPixelIterator()->getCurrentIteratorRow();
$rgb = $row[0]->getColor();

var_dump($rgb);

Expected result:
----------------
array(4) {
  ["r"]=>
  int(0)
  ["g"]=>
  int(0)
  ["b"]=>
  int(0)
  ["a"]=>
  int(1)
}
array(4) {
  ["r"]=>
  int(0)
  ["g"]=>
  int(0)
  ["b"]=>
  int(0)
  ["a"]=>
  int(1)
}

Actual result:
--------------
array(4) {
  ["r"]=>
  int(0)
  ["g"]=>
  int(0)
  ["b"]=>
  int(0)
  ["a"]=>
  int(1)
}
Assertion failed: (wand->signature == WandSignature), function PixelGetRed, file wand/pixel-wand.c, line 1338.
Abort trap: 6

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-01-06 11:08 UTC] danack@php.net
-Assigned To: +Assigned To: danack
 [2017-01-07 00:14 UTC] danack@php.net
-Status: Assigned +Status: Verified
 [2017-01-07 00:14 UTC] danack@php.net
It looks like the pixelIterator is being destroyed when it needs to stay active, due to the iteratorRow still having a reference to it.

As you noted, separating the steps out to have the iterator stored as a variable is a workaround as it forces the iterator to stay active.
 [2017-10-24 05:26 UTC] kalle@php.net
-Status: Verified +Status: Assigned
 [2017-10-24 11:09 UTC] danack@php.net
Apparently what is needed is "to add a reference to the iterator object, when a 'child' pixel object is created. And decrement when the pixel object is destroyed."
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Oct 04 09:01:27 2024 UTC