From: salesteam at luckylovers dot net
Operating system: Linux Red Hat 7.3
PHP version: 4.3.4
PHP Bug Type: GD related
Bug description: Segmentation fault (overflow) in /gd/libgd/gd.c (ImageFill)

Description:
------------
php_info(): http://207.44.184.74/test/info.php

GD has been installed with Apache (not with php)

APACHE LOGS:
[Fri Dec 26 12:19:20 2003] [notice] child pid 31265 exit signal Segmentation fault (11)
(on every script execution, memory has been tested OK)

BACKTRACE:
---------------------------------------
/install/php-4.3.3/ext/gd/libgd/gd.c(1913) : Block 0x08191CC8 status:
Beginning:      OK (allocated on /install/php-4.3.3/ext/gd/libgd/gd.c:1876, 17 bytes)
      End:      Overflown (magic=0x00000000 instead of 0x2A8FCC84)
                At least 4 bytes overflown
---------------------------------------
/install/php-4.3.3/ext/gd/libgd/gd.c(1876) : Freeing 0x08191CEC (17 bytes), script=/usr/local/apache/htdocs/vh/www.luckylovers.net/htdocs/p/pic.php
[Fri Dec 26 15:46:40 2003]  Script:  '/usr/local/apache/htdocs/vh/www.luckylovers.net/htdocs/p/pic.php'
---------------------------------------

GD PROGRAM:
(line 1876 is 'stack = (struct seg *)emalloc(sizeof(struct seg) * ((int)(im->sy*im->sx)/4)+1);')

void gdImageFill(gdImagePtr im, int x, int y, int nc)
{
        int l, x1, x2, dy;
        int oc;   /* old pixel value */
        int wx2,wy2;
        /* stack of filled segments */
        //struct seg stack[FILL_MAX],*sp = stack;;
        struct seg *stack;
        struct seg *sp;

        if (nc==gdTiled){
                _gdImageFillTiled(im,x,y,nc);
                return;
        }

        wx2=im->sx;wy2=im->sy;
        oc = gdImageGetPixel(im, x, y);
        if (oc==nc || x<0 || x>wx2 || y<0 || y>wy2) return;

        stack = (struct seg *)emalloc(sizeof(struct seg) * ((int)(im->sy*im->sx)/4)+1);
        sp = stack;

        /* required! */
        FILL_PUSH(y,x,x,1);
        /* seed segment (popped 1st) */
        FILL_PUSH(y+1, x, x, -1);

Reproduce code:
---------------
<?php
$height=2;
$width=2;
$im=ImageCreate($width,$height);
$crem=ImageColorAllocate ($im, 229,228,202);
ImageFill($im, 0,0,$crem);
ImageJpeg($im);
ImageDestroy($im);

THANK YOU FOR YOUR HELP !

-- 
Edit bug report at http://bugs.php.net/?id=26722&edit=1
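
Added example, not part of the original report and not PHP's or libgd's own code: the size arithmetic behind the 17-byte block shown in the memory-checker output, for the 2x2 image from the reproduce script. The struct seg layout (four ints), the assumption that both seed FILL_PUSH calls store a segment, and the seg_stack_bytes helper are illustrative assumptions, not the fix that went into PHP.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: four ints, matching the four FILL_PUSH arguments. */
struct seg { int y, xl, xr, dy; };

/* Size expression exactly as quoted from gd.c line 1876:
 * the "+1" adds one byte, not one struct seg. */
static size_t bytes_as_written(int sx, int sy)
{
    return sizeof(struct seg) * ((int)(sy * sx) / 4) + 1;
}

/* Bytes written if both seed FILL_PUSH calls store a segment (assumption). */
static size_t bytes_for_seeds(void)
{
    return 2 * sizeof(struct seg);
}

/* Hypothetical checked sizing: slots = sx*sy/4 + 1, never fewer than
 * min_slots, rejecting bad dimensions and size_t overflow.
 * Returns 0 and sets *out on success, -1 otherwise. */
static int seg_stack_bytes(int sx, int sy, size_t min_slots, size_t *out)
{
    size_t slots;
    if (sx <= 0 || sy <= 0)
        return -1;
    if ((size_t)sx > SIZE_MAX / (size_t)sy)
        return -1;                      /* sx * sy would wrap */
    slots = (size_t)sx * (size_t)sy / 4 + 1;
    if (slots < min_slots)
        slots = min_slots;
    if (slots > SIZE_MAX / sizeof(struct seg))
        return -1;                      /* slots * sizeof would wrap */
    *out = slots * sizeof(struct seg);
    return 0;
}

int main(void)
{
    size_t fixed = 0;
    int rc = seg_stack_bytes(2, 2, 2, &fixed);
    printf("as written, 2x2: %zu bytes\n", bytes_as_written(2, 2));
    printf("two seed segments: %zu bytes\n", bytes_for_seeds());
    printf("checked sizing, 2x2: rc=%d, %zu bytes\n", rc, fixed);
    return 0;
}
```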
