From:             ajp at aripollak dot com
Operating system: Red Hat Linux 9
PHP version:      4.3.7
PHP Bug Type:     Reproducible crash
Bug description:  ImageCreateFromPNG() causes segfault

Description:
------------
In PHP 4.3.6 and 4.3.7, with or without Zend Optimizer, PHP crashes on
ImageCreateFromPNG() if a valid PNG file is specified. Backtrace follows:
#0  0x00000049 in ?? ()
#1  0x40218dcd in png_create_info_struct (png_ptr=0x49) at png.c:224
#2  0x0809f6d5 in gdImageCreateFromPngCtx (infile=0x84b76b4)
    at /home/ari/build/php-4.3.7/ext/gd/libgd/gd_png.c:149
#3  0x0809f5f2 in gdImageCreateFromPng (inFile=0x84bba60)
    at /home/ari/build/php-4.3.7/ext/gd/libgd/gd_png.c:90
#4  0x0808ff5f in _php_image_create_from (ht=139162860,
    return_value=0x84b750c, this_ptr=0x0, return_value_used=1, image_type=2,
    tn=0x81db9ab "PNG", func_p=0x809f5d8 <gdImageCreateFromPng>,
    ioctx_func_p=0x809f634 <gdImageCreateFromPngCtx>)
    at /home/ari/build/php-4.3.7/ext/gd/gd.c:1466
#5  0x08090128 in zif_imagecreatefrompng (ht=1, return_value=0x84b750c,
    this_ptr=0x0, return_value_used=1)
    at /home/ari/build/php-4.3.7/ext/gd/gd.c:1512
#6  0x405ab542 in zend_assign_to_variable_reference ()
   from /usr/local/Zend/lib/Optimizer-2.1.0/php-4.3.x/ZendOptimizer.so
#7  0x405b4a02 in zend_oe ()
   from /usr/local/Zend/lib/Optimizer-2.1.0/php-4.3.x/ZendOptimizer.so
#8  0x0813d59f in php_execute_script (primary_file=0xbfffdb20)
    at /home/ari/build/php-4.3.7/main/main.c:1731
#9  0x0816e473 in main (argc=2, argv=0xbfffdba4)
    at /home/ari/build/php-4.3.7/sapi/cgi/cgi_main.c:1592
#10 0x42015704 in __libc_start_main () from /lib/tls/libc.so.6

This only happens with libpng 1.2.2 (or 1.2.5), but not with 1.0.13.


-- 
Edit bug report at http://bugs.php.net/?id=29027&edit=1