ID:               27674
Comment by:       spam at vano dot org
Reported By:      xuefer at 21cn dot com
Status:           Bogus
Bug Type:         GetImageSize related
Operating System: *
PHP Version:      4.3.5
New Comment:

I have the same problem on RH9 + Apache 2.0.49 + PHP5.0.0:
on some (all) .swf files the getimagesize() function crashes Apache2.

In the error log it says:
FATAL:  erealloc():  Unable to allocate -2067465216 bytes

PHP compiled with:
./configure --prefix=/php5 --with-config-file-path=/php5 --with-apxs2=/apache2/bin/apxs --with-mod_charset --enable-embed --with-zlib --enable-dbx --enable-dio --enable-exif --enable-ftp --with-iconv --with-gdbm --with-gmp --with-ncurses --with-mcrypt --with-crypt --with-gd=/usr/local --with-freetype-dir=/usr/lib --with-gif-dir=/usr/local --enable-gd-native-ttf --with-ttf --with-gettext --with-zip=/usr/lib --enable-calendar --enable-mbstring --with-kerberos --with-mysql --with-mysql-sock=/var/lib/mysql/mysql.sock --enable-sockets --with-pear --enable-shared=all


Previous Comments:
------------------------------------------------------------------------

[2004-04-09 12:37:34] [EMAIL PROTECTED]

The flash file you provided is corrupted; here's the same file, uncorrupted, which works fine:
http://www.miniclip.com/gamefiles0304/bushshootout_game.swf

------------------------------------------------------------------------

[2004-04-09 04:00:39] xuefer at 21cn dot com

Reopened and updated.
Changed because 125-bad.swf is really a "fine playing in flashplayer" swf.

------------------------------------------------------------------------

[2004-03-27 06:16:22] xuefer at 21cn dot com

Yes, just a guess,
because no matter how much memory it allocates, uncompress() just returns Z_BUF_ERROR.

I don't know why this swf is bad; it plays OK in the standalone flashplayer and the IE browser.

By the way, when I test it with a "good" swf, the erealloc() part doesn't even get executed. In other words, the first uncompress:
    if (uncompress(b, &len, a, sizeof(a)) != Z_OK) {
is Z_OK.

------------------------------------------------------------------------

[2004-03-27 05:58:53] [EMAIL PROTECTED]

Where does the 50MByte const come from, a guess?

------------------------------------------------------------------------

[2004-03-26 22:09:42] xuefer at 21cn dot com

This bug may be "can't reproduce", not "closed".

This is the "fix" with testing code:

Index: ext/standard/image.c =================================================================== RCS file: /repository/php-src/ext/standard/image.c,v retrieving revision 1.72.2.13 diff -u -r1.72.2.13 image.c --- ext/standard/image.c 12 Nov 2003 22:56:09 -0000 1.72.2.13 +++ ext/standard/image.c 27 Mar 2004 03:11:00 -0000 @@ -196,8 +196,8 @@ long bits; unsigned char a[64]; - unsigned long len=64, szlength; - int factor=1,maxfactor=16; + unsigned long len=64, szlength, maxlength = 50*1024*1024; + int factor=1,maxfactor=8; int slength, status=0; char *b, *buf=NULL, *bufz=NULL; @@ -226,8 +226,13 @@ do { szlength=slength*(1<<factor++); + if (szlength > maxlength) { + break; + } + printf("szlength: %d\n", szlength); buf = (char *) erealloc(buf,szlength); status = uncompress(buf, &szlength, bufz, slength); + printf("status: %d\n", (int) (status == Z_BUF_ERROR)); } while ((status==Z_BUF_ERROR)&&(factor<maxfactor)); if (bufz) {

$ make && ./sapi/cli/php -r "var_dump(getimagesize('125-bad.swf'));"

Build complete.
(It is safe to ignore warnings about tempnam and tmpnam).

szlength: 2229880
status: 1
szlength: 4459760
status: 1
szlength: 8919520
status: 1
szlength: 17839040
status: 1
szlength: 35678080
status: 1
bool(false)

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/27674

-- 
Edit this bug report at http://bugs.php.net/?id=27674&edit=1
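
Review bot: In the first hunk (@@ -196), `maxlength = 50*1024*1024` is an unexplained literal, and `maxfactor` drops from 16 to 8 with no rationale in the patch. Make the cap a named constant with a comment saying what it bounds, and state why the lower maxfactor is wanted as well. With maxfactor=8 the loop already stops at slength*128, so which of the two limits ends the loop depends on slength, and the patch does not say which one is meant to be the real bound.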
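
Review bot: In the second hunk (@@ -226), the new `break` leaves `status` untouched: if the cap trips on the first pass, `status` still holds the 0 it was initialised with in the declaration, which is Z_OK, while `buf` is still NULL. Set `status` to an error value before breaking so that code after the loop cannot read the early exit as success. Separately, `slength*(1<<factor++)` is evaluated in int before being assigned to the unsigned long `szlength`, so the cap is compared against a product that may already have overflowed; testing `slength > (maxlength >> factor)` before multiplying avoids that. The two `printf` calls are debug output (and `%d` is handed an unsigned long) and should be dropped before this is committed.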