[2019-07-28 18:52 UTC] rainer dot jung at kippdata dot de
[2019-07-29 09:26 UTC] nikic@php.net
[2019-07-29 09:26 UTC] nikic@php.net
-Status: Open
+Status: Closed
[2019-07-29 09:28 UTC] nikic@php.net
Description: ------------ PHP Version: 7.4.0beta1 (not available in version dropdown) Crash during execution of the test ext/exif/tests/bug77831.php. Crash happens as Bus Error due to dereferencing a 2 byte aligned address for a float. Sparc is sensitive to wrong alignments. Stack: (gdb) bt full #0 0xfdb659ec in exif_iif_add_value (image_info=0xffbfc728, section_index=3, name=<optimized out>, tag=<optimized out>, format=11, length=1, value=<optimized out>, value_len=<optimized out>, motorola_intel=<optimized out>) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:2165 idex = 0 vptr = 0xfe6561da vptr_end = 0xfe6561de info_value = 0xfe656208 info_data = 0xfe6561f8 list = <optimized out> #1 0xfdb66b3c in exif_iif_add_tag (value_len=4, value=0xfe6561da, length=4, format=<optimized out>, tag=8224, name=<optimized out>, section_index=3, image_info=0xffbfc728) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:2186 No locals. #2 exif_process_IFD_TAG (ImageInfo=0xffbfc728, dir_entry=<optimized out>, offset_base=<optimized out>, IFDlength=<optimized out>, displacement=<optimized out>, section_index=3, ReadNextIFD=<optimized out>, tag_table=<optimized out>) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:3486 length = 38 tag = 8224 format = <optimized out> components = 4 value_ptr = 0xfe6561da " " tagname = "UndefinedTag:0x2020", '\000' <repeats 17 times>, "▒\004\024\070▒\210\220▒g\200\061\000\000\000\000\000\000\000 \000\000\000\004\000\000\000\003" cbuf = "*\000\000\000\f \000\002 \000\000\000 \000\000\000\003 \000\v\000\000\000\001 " outside = 0x0 byte_count = 4 offset_val = <optimized out> fpos = <optimized out> fgot = <optimized out> tmp_xp = <optimized out> #3 0xfdb663a0 in exif_process_IFD_in_JPEG (ImageInfo=0xffbfc728, dir_start=0xfe6561c4 "", offset_base=0xfe6561b8 "MM", IFDlength=38, displacement=11, section_index=3, tag=<optimized out>) at 
/shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:2885 de = 1 NumDirEntries = 2 NextDirOffset = 0 #4 0xfdb68958 in exif_process_TIFF_in_JPEG (displacement=<optimized out>, length=38, CharBuf=0xfe6561b8 "MM", ImageInfo=0xffbfc728) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:3608 exif_value_2a = 42 offset_of_ifd = <optimized out> #5 exif_process_APP1 (displacement=<optimized out>, length=46, CharBuf=0xfe6561b0 "", ImageInfo=0xffbfc728) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:3633 ExifHeader = "Exif\000" #6 exif_scan_JPEG_header (ImageInfo=0xffbfc728) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:3778 comment_correction = 1 ll = <optimized out> size = <optimized out> Data = 0xfe6561b0 "" fpos = <optimized out> got = <optimized out> itemlen = 46 sn = <optimized out> marker = 225 last_marker = <optimized out> lh = <optimized out> #7 exif_scan_FILE_header (ImageInfo=0xffbfc728) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:4173 file_header = "▒ؾ\"\017▒-\230" ret = 0 #8 exif_read_from_impl (read_all=0, read_thumbnail=<optimized out>, stream=0xfe668200, ImageInfo=0xffbfc728) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:4314 st = {st_dev = 22282550, st_pad1 = {0, 0, 0}, st_ino = 37266735, st_mode = 33188, st_nlink = 1, st_uid = 1200, st_gid = 1200, st_rdev = 0, st_pad2 = {0, 0}, st_size = 49, st_pad3 = 0, st_atim = {tv_sec = 1563992732, tv_nsec = 821345000}, st_mtim = {tv_sec = 1563869118, tv_nsec = 0}, st_ctim = {tv_sec = 1563992732, tv_nsec = 821810000}, st_blksize = 8192, st_blocks = 2, st_fstype = "lofs", '\000' <repeats 11 times>, st_pad4 = {0, 0, 0, 0, 0, 0, 0, 0}} #9 exif_read_from_stream (ImageInfo=0xffbfc728, stream=0xfe668200, read_thumbnail=<optimized out>, read_all=0) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:4331 ret = <optimized out> 
old_pos = 0 #10 0xfdb68e10 in exif_read_from_file (ImageInfo=0xffbfc728, FileName=0xfe65b5c0 "/shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/tests/bug77831.tiff", read_thumbnail=0, read_all=<optimized out>) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:4358 ret = <optimized out> stream = 0xfe668200 #11 0xfdb692f4 in zif_exif_read_data (execute_data=0xfe6140a0, return_value=0xfe614040) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/exif.c:4433 z_sections_needed = 0x0 sub_arrays = 0 '\000' read_thumbnail = 0 '\000' stream = 0xfe6140d0 i = <optimized out> ret = <optimized out> sections_needed = 0 ImageInfo = {infile = 0xfe668200, FileName = 0xfe677040 "bug77831.tiff", FileDateTime = 1563869118, FileSize = 49, FileType = IMAGE_FILETYPE_JPEG, Height = 0, Width = 0, IsColor = 0, make = 0x0, model = 0x0, ApertureFNumber = 0, ExposureTime = 0, FocalplaneUnits = 0, CCDWidth = 0, FocalplaneXRes = 0, ExifImageWidth = 0, FocalLength = 0, Distance = 0, motorola_intel = 1, UserComment = 0x0, UserCommentLength = 0, UserCommentEncoding = 0x0, encode_unicode = 0xfe677050 "ISO-8859-15", decode_unicode_be = 0xfe602010 "UCS-2BE", decode_unicode_le = 0xfe602018 "UCS-2LE", encode_jis = 0xfe602020 "", decode_jis_be = 0xfe602028 "JIS", decode_jis_le = 0xfe602030 "JIS", Copyright = 0x0, CopyrightPhotographer = 0x0, CopyrightEditor = 0x0, xp_fields = {count = 0, list = 0x0}, Thumbnail = { filetype = IMAGE_FILETYPE_UNKNOWN, width = 0, height = 0, size = 0, offset = 0, data = 0x0}, sections_found = 12, info_list = {{count = 0, list = 0x0}, {count = 0, list = 0x0}, {count = 0, list = 0x0}, {count = 1, list = 0xfe6561e0}, {count = 0, list = 0x0}, {count = 0, list = 0x0}, {count = 0, list = 0x0}, {count = 0, list = 0x0}, {count = 0, list = 0x0}, {count = 0, list = 0x0}, {count = 0, list = 0x0}, {count = 0, list = 0x0}, {count = 0, list = 0x0}, {count = 0, list = 0x0}}, read_thumbnail = 0, read_all = 0, ifd_nesting_level 
= 2, file = {count = 1, list = 0xfe677060}} tmp = "\000\000\000\005\000\000\000\000\000\000\002\002▒?B▒\000\001\000\000\000\000\000\000\000\000\000\000▒\v\022|\000\000\000\002▒▒▒H\000\000\000\000▒gP▒▒\v=\f▒▒▒l▒▒ǰ▒▒\206$" sections_str = 0x0 s = <optimized out> #12 0xfeeb28e8 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (execute_data=0xfe614010) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/Zend/zend_vm_execute.h:1319 opline = 0xfe65c214 call = 0xfe6140a0 fbc = <optimized out> ret = <optimized out> #13 0xfeeb0c58 in execute_ex (ex=<optimized out>) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/Zend/zend_vm_execute.h:53103 ret = <optimized out> execute_data = 0xfe614010 #14 0xfef0aa28 in zend_execute (op_array=0xfe6750a0, return_value=0x0) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/Zend/zend_vm_execute.h:57388 execute_data = 0xfe614010 object_or_called_scope = <optimized out> call_info = <optimized out> #15 0xfee6953c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/Zend/zend.c:1663 files = 0xffbfca40 i = 1 file_handle = 0xffbfd094 op_array = 0xfe6750a0 #16 0xfedfdeb0 in php_execute_script (primary_file=0xffbfd094) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/main/main.c:2633 realfile = "/shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/tests/bug77831.php\000\214\000\000\000\005▒▒▒\000\000\000]▒\004\023▒▒e`\000\000\000\000$- ▒▒\234▒\000\000\000\000\000\000\000\001\000\000\000\001▒9\017\220▒▒WR▒?\f▒▒?s▒\n▒*\t\000\000\005(\000\000\000\000\000\000\000\000▒?\f▒▒?s▒", '\000' <repeats 32 times>... 
__orig_bailout = <optimized out> __bailout = {2, -4208152, -18883256, -4206776, 83200, 0, 0, 0, 0, 0, 0, 0, 232296, -16390196, 152, 600, -12582912, 8388608, 0} prepend_file_p = 0x0 append_file_p = 0x0 prepend_file = {handle = {fp = 0x0, stream = {handle = 0x0, isatty = 0, reader = 0x0, fsizer = 0x0, closer = 0x0}}, filename = 0x0, opened_path = 0x0, type = ZEND_HANDLE_FILENAME, buf = 0x0, len = 0} append_file = {handle = {fp = 0x0, stream = {handle = 0x0, isatty = 0, reader = 0x0, fsizer = 0x0, closer = 0x0}}, filename = 0x0, opened_path = 0x0, type = ZEND_HANDLE_FILENAME, buf = 0x0, len = 0} old_cwd_fd = -1 retval = 0 #17 0x00014508 in do_cli (argc=<optimized out>, argv=<optimized out>) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/sapi/cli/php_cli.c:963 __orig_bailout = <optimized out> __bailout = {2, -4206776, 78836, -4205208, 123884, 0, 101795963, 1949, -13034128, 1026, 9, -13037680, -24543363, -13037680, -12618832, 171156496, -12582912, 8388608, 0} c = <optimized out> file_handle = {handle = {fp = 0xfe9b554c <_iob+48>, stream = {handle = 0xfe9b554c <_iob+48>, isatty = 0, reader = 0xfee86840 <zend_stream_stdio_reader>, fsizer = 0xfee86910 <zend_stream_stdio_fsizer>, closer = 0xfee867f4 <zend_stream_stdio_closer>}}, filename = 0x3fd18 "/shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/tests/bug77831.php", opened_path = 0x0, type = ZEND_HANDLE_STREAM, buf = 0xfe65b460 "▒e▒@p\nvar_dump(exif_read_data(__DIR__.\"/bug77831.tiff\"));\n?>\nDONE\n", len = 66} behavior = <optimized out> reflection_what = <optimized out> request_started = 1 exit_status = 0 php_optarg = 0x3fd18 "/shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/tests/bug77831.php" php_optind = 152 exec_direct = <optimized out> exec_run = <optimized out> exec_begin = <optimized out> exec_end = <optimized out> arg_free = <optimized out> arg_excp = <optimized out> script_file = <optimized out> translated_path = 0x2084a0 
"/shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/tests/bug77831.php" interactive = <optimized out> param_error = <optimized out> hide_argv = <optimized out> #18 0x0001e3f4 in main (argc=<optimized out>, argv=0x3ecf8) at /shared/build/autobuild/workdirs/20190724_202505/bld/php74/sapi/cli/php_cli.c:1353 __orig_bailout = 0x0 __bailout = {2, -4205208, 123328, -4204984, 76588, 0, 0, 0, 0, 0, 0, 3, -4204884, 4, -4204272, 5, -12582912, 8388608, 0} c = <optimized out> exit_status = 0 module_started = 1 sapi_started = 1 php_optarg = 0x3fd18 "/shared/build/autobuild/workdirs/20190724_202505/bld/php74/ext/exif/tests/bug77831.php" php_optind = 152 use_extended_info = 0 ini_path_override = 0x3fd78 "/shared/build/autobuild/workdirs/20190724_202505/bld/php74/tmp-php.ini" ini_entries = 0x40578 "html_errors=0\nregister_argc_argv=1\nimplicit_flush=1\noutput_buffering=0\nmax_execution_time=0\nmax_input_time=-1\noutput_handler=\nopen_basedir=\ndisable_functions=\noutput_buffering=Off\nerror_reporting=3276"... ini_entries_len = 1582 ini_ignore = 1 The relevant code is line 2165, info_value->f = *(float *)value; where value points at address 0xfe6561da. This address is only 2-byte aligned and cannot be dereferenced as a float, which needs 4-byte alignment on Sparc; the pointer comes straight from the parsed file data (value_ptr in frame #2), so its alignment depends on the offsets in the image. Regards, Rainer