Bug #79945 using php wrappers in imagecreatefrompng causes segmentation fault
Submitted: 2020-08-08 14:55 UTC Modified: 2020-08-09 11:26 UTC
From: yiyezhiqiu233 at gmail dot com Assigned:
Status: Verified Package: Streams related
PHP Version: 7.4.9 OS: ubuntu 20.04
Private report: No CVE-ID: None

 [2020-08-08 14:55 UTC] yiyezhiqiu233 at gmail dot com
Description:
------------
I try to use PHP wrappers in imagecreatefrompng, such as php://filter,
but in some cases it can stably cause a segmentation fault.

Test script:
---------------
<?php
// Reproducer: hand GD a stream-wrapper URL instead of a plain file path
$a = "php://filter/read=convert.base64-encode/resource=/etc/passwd";
imagecreatefrompng($a);

Expected result:
----------------
PHP Warning:  imagecreatefrompng(): '/etc/passwd' is not a valid PNG file in gd.php on line 3

Actual result:
--------------
[1]    945 segmentation fault  php gd.php

History

 [2020-08-08 18:52 UTC] requinix@php.net
-Status: Open +Status: Verified -Package: GD related +Package: Streams related
 [2020-08-08 18:52 UTC] requinix@php.net
Stack overflow

(gdb) bt 20
#0  0x0000000008613978 in _php_stream_seek (stream=0x0, offset=0, whence=0) at /home/ubuntu/php/php-7.4.9-src/main/streams/streams.c:1303
#1  0x0000000008616bd9 in stream_cookie_seeker (cookie=0x7ffff4c80500, position=0x7fffff7ef3f8, whence=1) at /home/ubuntu/php/php-7.4.9-src/main/streams/cast.c:109
#2  0x00007ffffba1f000 in _IO_cookie_seek (fp=<optimized out>, offset=<optimized out>, dir=<optimized out>) at iofopncook.c:89
#3  0x00007ffffba2a757 in _IO_new_file_sync (fp=0x975cc30) at fileops.c:821
#4  0x00007ffffba1e87d in __GI__IO_fflush (fp=0x975cc30) at iofflush.c:40
#5  0x00000000086139c3 in _php_stream_seek (stream=0x7ffff4c80500, offset=-2072, whence=1) at /home/ubuntu/php/php-7.4.9-src/main/streams/streams.c:1306
#6  0x0000000008616bd9 in stream_cookie_seeker (cookie=0x7ffff4c80500, position=0x7fffff7ef8e8, whence=1) at /home/ubuntu/php/php-7.4.9-src/main/streams/cast.c:109
#7  0x00007ffffba1f000 in _IO_cookie_seek (fp=<optimized out>, offset=<optimized out>, dir=<optimized out>) at iofopncook.c:89
#8  0x00007ffffba2a757 in _IO_new_file_sync (fp=0x975cc30) at fileops.c:821
#9  0x00007ffffba1e87d in __GI__IO_fflush (fp=0x975cc30) at iofflush.c:40
#10 0x00000000086139c3 in _php_stream_seek (stream=0x7ffff4c80500, offset=-2072, whence=1) at /home/ubuntu/php/php-7.4.9-src/main/streams/streams.c:1306
#11 0x0000000008616bd9 in stream_cookie_seeker (cookie=0x7ffff4c80500, position=0x7fffff7efdd8, whence=1) at /home/ubuntu/php/php-7.4.9-src/main/streams/cast.c:109
#12 0x00007ffffba1f000 in _IO_cookie_seek (fp=<optimized out>, offset=<optimized out>, dir=<optimized out>) at iofopncook.c:89
#13 0x00007ffffba2a757 in _IO_new_file_sync (fp=0x975cc30) at fileops.c:821
#14 0x00007ffffba1e87d in __GI__IO_fflush (fp=0x975cc30) at iofflush.c:40
#15 0x00000000086139c3 in _php_stream_seek (stream=0x7ffff4c80500, offset=-2072, whence=1) at /home/ubuntu/php/php-7.4.9-src/main/streams/streams.c:1306
#16 0x0000000008616bd9 in stream_cookie_seeker (cookie=0x7ffff4c80500, position=0x7fffff7f02c8, whence=1) at /home/ubuntu/php/php-7.4.9-src/main/streams/cast.c:109
#17 0x00007ffffba1f000 in _IO_cookie_seek (fp=<optimized out>, offset=<optimized out>, dir=<optimized out>) at iofopncook.c:89
#18 0x00007ffffba2a757 in _IO_new_file_sync (fp=0x975cc30) at fileops.c:821
#19 0x00007ffffba1e87d in __GI__IO_fflush (fp=0x975cc30) at iofflush.c:40
(More stack frames follow...)

(gdb) bt -20
#33099 0x00007ffffba1e87d in __GI__IO_fflush (fp=0x975cc30) at iofflush.c:40
#33100 0x00000000086139c3 in _php_stream_seek (stream=0x7ffff4c80500, offset=-2072, whence=1) at /home/ubuntu/php/php-7.4.9-src/main/streams/streams.c:1306
#33101 0x0000000008616bd9 in stream_cookie_seeker (cookie=0x7ffff4c80500, position=0x7ffffffea238, whence=1) at /home/ubuntu/php/php-7.4.9-src/main/streams/cast.c:109
#33102 0x00007ffffba1f000 in _IO_cookie_seek (fp=<optimized out>, offset=<optimized out>, dir=<optimized out>) at iofopncook.c:89
#33103 0x00007ffffba2a757 in _IO_new_file_sync (fp=0x975cc30) at fileops.c:821
#33104 0x00007ffffba1e87d in __GI__IO_fflush (fp=0x975cc30) at iofflush.c:40
#33105 0x00000000086139c3 in _php_stream_seek (stream=0x7ffff4c80500, offset=-2072, whence=1) at /home/ubuntu/php/php-7.4.9-src/main/streams/streams.c:1306
#33106 0x0000000008616bd9 in stream_cookie_seeker (cookie=0x7ffff4c80500, position=0x7ffffffea728, whence=1) at /home/ubuntu/php/php-7.4.9-src/main/streams/cast.c:109
#33107 0x00007ffffba1f000 in _IO_cookie_seek (fp=<optimized out>, offset=<optimized out>, dir=<optimized out>) at iofopncook.c:89
#33108 0x00007ffffba2a757 in _IO_new_file_sync (fp=0x975cc30) at fileops.c:821
#33109 0x00007ffffba1e87d in __GI__IO_fflush (fp=0x975cc30) at iofflush.c:40
#33110 0x00000000082e56d2 in _php_image_create_from (execute_data=0x7ffff4c130a0, return_value=0x7ffffffea880, image_type=2, tn=0x8dc40fa "PNG", func_p=0x82f988c <php_gd_gdImageCreateFromPng>, ioctx_func_p=0x82f991f <php_gd_gdImageCreateFromPngCtx>)
    at /home/ubuntu/php/php-7.4.9-src/ext/gd/gd.c:2525
#33111 0x00000000082e5808 in zif_imagecreatefrompng (execute_data=0x7ffff4c130a0, return_value=0x7ffffffea880) at /home/ubuntu/php/php-7.4.9-src/ext/gd/gd.c:2566
#33112 0x0000000008704e3e in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER () at /home/ubuntu/php/php-7.4.9-src/Zend/zend_vm_execute.h:1269
#33113 0x000000000876ad09 in execute_ex (ex=0x7ffff4c13020) at /home/ubuntu/php/php-7.4.9-src/Zend/zend_vm_execute.h:53736
#33114 0x000000000876ee5d in zend_execute (op_array=0x7ffff4c80300, return_value=0x0) at /home/ubuntu/php/php-7.4.9-src/Zend/zend_vm_execute.h:57856
#33115 0x0000000008691565 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/ubuntu/php/php-7.4.9-src/Zend/zend.c:1672
#33116 0x00000000085f27a3 in php_execute_script (primary_file=0x7ffffffed020) at /home/ubuntu/php/php-7.4.9-src/main/main.c:2621
#33117 0x0000000008771a72 in do_cli (argc=2, argv=0x962c870) at /home/ubuntu/php/php-7.4.9-src/sapi/cli/php_cli.c:964
#33118 0x0000000008772c34 in main (argc=2, argv=0x962c870) at /home/ubuntu/php/php-7.4.9-src/sapi/cli/php_cli.c:1359
 [2020-08-09 11:26 UTC] cmb@php.net
This looks indeed to be a general issue with fopencookie() support
in our stream layer (as opposed to being a particular issue with GD).
The following backtrace excerpt with a debug build clarifies:

stream_cookie_seeker(void * cookie, off64_t * position, int whence) (\mnt\d\git\php\php-src\main\streams\cast.c:109)
libc.so.6!_IO_cookie_seek(_IO_FILE * fp, __off64_t offset, int dir) (\build\glibc-77giwP\glibc-2.24\libio\iofopncook.c:89)
libc.so.6!_IO_new_file_sync(_IO_FILE * fp) (\build\glibc-77giwP\glibc-2.24\libio\fileops.c:890)
libc.so.6!__GI__IO_fflush(_IO_FILE * fp) (\build\glibc-77giwP\glibc-2.24\libio\iofflush.c:40)
_php_stream_seek(php_stream * stream, zend_off_t offset, int whence) (\mnt\d\git\php\php-src\main\streams\streams.c:1306)
stream_cookie_seeker(void * cookie, off64_t * position, int whence) (\mnt\d\git\php\php-src\main\streams\cast.c:109)

This is triggered by ext/gd calling fflush(), which calls back to
stream_cookie_seeker() which calls _php_stream_seek(), which in
turn calls fflush, resulting in infinite recursion.
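The loop described above, as an added example that is neither PHP's nor glibc's code: a portable C model of the three functions in the backtrace (fflush's sync step, the cookie seeker, and the stream seek that flushes the cast FILE*), run once as in the report and once with a re-entrancy guard. The guard, the `model_*`/`run_scenario` names and the depth cap are assumptions of this example, not the project's fix.

```c
#include <stdio.h>
/* Added example (not PHP or glibc code): a portable model of the fflush() <->
 * cookie-seeker loop in this report, with a re-entrancy guard as mitigation. */
#define MAX_DEPTH 64                      /* stand-in for exhausting the stack */
typedef struct {
    long pos;                    /* position of the underlying php_stream */
    struct stdio_file *stdiocast;/* FILE* created by fopencookie() over it */
    int guard, in_seeker, depth, max_depth; /* mitigation, re-entry flag, stats */
} php_stream_model;
/* Stands in for a glibc FILE* that still holds unconsumed read-ahead. */
typedef struct stdio_file { long read_ptr, read_end; php_stream_model *cookie; } stdio_file;
static int model_fflush(stdio_file *fp);
/* Models _php_stream_seek() (streams.c:1306 in the backtrace): the cast FILE*
 * is flushed before seeking, and that fflush() re-enters the cookie seeker.
 * With the guard, a seek already running inside stdio skips the flush. */
static int model_stream_seek(php_stream_model *s, long offset, int whence) {
    if (++s->depth > s->max_depth) s->max_depth = s->depth;
    int ok = s->depth <= MAX_DEPTH &&               /* beyond this: "segfault" */
             (!s->stdiocast || (s->guard && s->in_seeker) ||
              model_fflush(s->stdiocast) == 0);
    if (ok) s->pos = (whence == SEEK_CUR ? s->pos : 0) + offset;
    s->depth--;
    return ok ? 0 : -1;
}
/* Models cast.c:stream_cookie_seeker(), the callback glibc invokes. */
static int model_cookie_seeker(php_stream_model *s, long *pos, int whence) {
    s->in_seeker = 1;
    int rc = model_stream_seek(s, *pos, whence);
    s->in_seeker = 0;
    *pos = s->pos;
    return rc;
}
/* Models glibc _IO_new_file_sync(): unread read-ahead makes fflush() seek the
 * cookie back by that amount (whence=1, offset=-2072 in the report). */
static int model_fflush(stdio_file *fp) {
    long delta = fp->read_ptr - fp->read_end;
    if (delta == 0) return 0;
    if (model_cookie_seeker(fp->cookie, &delta, SEEK_CUR) != 0) return EOF;
    fp->read_end = fp->read_ptr;
    return 0;
}
/* Report's scenario: 8 of 2080 buffered bytes consumed, then fflush() on the
 * cast FILE*. Returns the deepest _php_stream_seek() nesting reached. */
static int run_scenario(int guard, long *final_pos) {
    php_stream_model s = {2080, NULL, guard, 0, 0, 0};
    stdio_file fp = {8, 2080, &s};
    s.stdiocast = &fp;
    model_fflush(&fp);
    if (final_pos) *final_pos = s.pos;
    return s.max_depth;
}
```

Without the guard the model hits the depth cap because glibc only updates its read pointers after the seek callback returns, so every nested fflush() sees the same -2072 delta; with the guard the single seek lands the stream at offset 8 and returns.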
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Fri Sep 18 07:02:04 2020 UTC