From:             edman007x at mac dot com
Operating system: Linux (slackware-current)
PHP version:      4.3.8
PHP Bug Type:     Reproducible crash
Bug description:  PHP crashes when getimagesize() is run on a corrupt SWF

Description:
------------
I have a corrupt SWF file (I think that's why), but when I run getimagesize() on it, shouldn't it just return false? All I get is

FATAL:  erealloc():  Unable to allocate -70365184 bytes

in my apache error log

Reproduce code:
---------------
<?php
var_dump(getimagesize('http://homepage.mac.com/rodneytool/prank.swf'));
?>

Expected result:
----------------
getimagesize() should return false

Actual result:
--------------
PHP crashes.

In the error log is this:

FATAL:  erealloc():  Unable to allocate -70365184 bytes

And the backtrace is this:

[EMAIL PROTECTED]:/home/edman007/apache# gdb /usr/local/apache/bin/httpd
GNU gdb 6.2
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-slackware-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) run -X
Starting program: /usr/local/apache/bin/httpd -X

Program received signal SIGSEGV, Segmentation fault.
0x400d71b1 in kill () from /lib/libc.so.6
(gdb) bt
#0  0x400d71b1 in kill () from /lib/libc.so.6
#1  0x40323f60 in _erealloc (ptr=0x408c302c, size=4224602112, allow_failure=0, __zend_filename=0x40364660 "/root/php/ext/standard/image.c", __zend_lineno=229, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /root/php/Zend/zend_alloc.c:334
#2  0x402a07e5 in php_handle_swc (stream=0x8141a3c) at /root/php/ext/standard/image.c:229
#3  0x402a2787 in zif_getimagesize (ht=1, return_value=0x814895c, this_ptr=0x0, return_value_used=1) at /root/php/ext/standard/image.c:1230
#4  0x40348e86 in execute (op_array=0x813fb34) at /root/php/Zend/zend_execute.c:1635
#5  0x40337741 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php/Zend/zend.c:891
#6  0x40300766 in php_execute_script (primary_file=0xbfffdc60) at /root/php/main/main.c:1734
#7  0x4034dff8 in apache_php_module_main (r=0x8138914, display_source_mode=0) at /root/php/sapi/apache/sapi_apache.c:54
#8  0x4034efad in send_php (r=0x8138914, display_source_mode=0, filename=0x8139504 "/usr/local/apache/htdocs/antiwindows/flash.php") at /root/php/sapi/apache/mod_php4.c:620
#9  0x4034f026 in send_parsed_php (r=0x8138914) at /root/php/sapi/apache/mod_php4.c:635
#10 0x0807566f in ap_invoke_handler ()
#11 0x0808a6a9 in process_request_internal ()
#12 0x0808a708 in ap_process_request ()
#13 0x0808172a in child_main ()
#14 0x080818d2 in make_child ()
#15 0x08081a38 in startup_children ()
#16 0x080820f8 in standalone_main ()
#17 0x08082916 in main ()
(gdb) frame 4
#4  0x40348e86 in execute (op_array=0x813fb34) at /root/php/Zend/zend_execute.c:1635
1635            ((zend_internal_function *) EX(function_state).function)->handler(EX(opline)->extended_value, EX(Ts)[EX(opline)->result.u.var].var.ptr, EX(object).ptr, return_value_used TSRMLS_CC);
(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x4035f44a "getimagesize"
(gdb) 

-- 
Edit bug report at http://bugs.php.net/?id=29639&edit=1
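The backtrace puts the failed erealloc() inside php_handle_swc(), the compressed-SWF ("CWS") path of getimagesize(), with size=4224602112; that is the same value the log prints as -70365184 once it is formatted as a signed 32-bit integer, so the allocation request was driven by the contents of the corrupt file rather than by anything the script controls. The behaviour the reporter expects, failing closed instead of allocating whatever the file implies, is what the following reader does. It is an added example written for this page, not PHP's own code and not the reporter's: it parses the 8-byte SWF header, inflates a CWS body only up to a fixed cap using zlib's max_length, reads the frame RECT to get the pixel size, and returns None on any malformed or corrupt input. The cap MAX_UNCOMPRESSED, the helper names, and the sample blobs are assumptions constructed for the example.

```python
import struct
import zlib

HEADER_LEN = 8                # "FWS"/"CWS", version byte, 32-bit LE file length
MAX_UNCOMPRESSED = 64 * 1024  # cap for a header probe (assumption for this example)


class BitReader:
    """MSB-first bit reader, enough to walk the SWF frame RECT."""

    def __init__(self, data):
        self.data = data
        self.pos = 0  # bit offset

    def read(self, n):
        v = 0
        for _ in range(n):
            i = self.pos >> 3
            if i >= len(self.data):
                raise ValueError("truncated RECT")
            v = (v << 1) | ((self.data[i] >> (7 - (self.pos & 7))) & 1)
            self.pos += 1
        return v

    def read_signed(self, n):
        v = self.read(n)
        return v - (1 << n) if n and v & (1 << (n - 1)) else v


def swf_size(data):
    """Return (width, height) in pixels for an SWF blob, or None if it is not a
    well-formed SWF. Decompression is capped at MAX_UNCOMPRESSED bytes, so a
    corrupt or hostile CWS body cannot dictate how much memory is allocated."""
    if len(data) < HEADER_LEN:
        return None
    sig, _version, declared_len = struct.unpack("<3sBI", data[:HEADER_LEN])
    if sig not in (b"FWS", b"CWS") or declared_len < HEADER_LEN:
        return None
    body = data[HEADER_LEN:]
    if sig == b"CWS":
        try:
            # max_length bounds the output; anything beyond it stays in unconsumed_tail
            body = zlib.decompressobj().decompress(body, MAX_UNCOMPRESSED)
        except zlib.error:
            return None  # corrupt stream: fail closed, which is what getimagesize() should do
    try:
        br = BitReader(body)
        nbits = br.read(5)
        xmin, xmax = br.read_signed(nbits), br.read_signed(nbits)
        ymin, ymax = br.read_signed(nbits), br.read_signed(nbits)
    except ValueError:
        return None
    return ((xmax - xmin) // 20, (ymax - ymin) // 20)  # RECT fields are in twips


# --- constructed sample inputs (not real files) ---

def make_rect(xmin, xmax, ymin, ymax, nbits=15):
    """Pack a frame RECT as the SWF spec lays it out: 5-bit Nbits, then four Nbits-wide fields."""
    total_bits = 5 + 4 * nbits
    v = nbits
    for f in (xmin, xmax, ymin, ymax):
        v = (v << nbits) | (f & ((1 << nbits) - 1))
    v <<= (-total_bits) % 8  # pad to a byte boundary
    return v.to_bytes((total_bits + 7) // 8, "big")


def make_swf(sig, body):
    declared = HEADER_LEN + len(body)
    if sig == b"CWS":
        body = zlib.compress(body)
    return struct.pack("<3sBI", sig, 6, declared) + body


RECT_550x400 = make_rect(0, 550 * 20, 0, 400 * 20)
GOOD_FWS = make_swf(b"FWS", RECT_550x400)
# CWS whose body inflates to ~4 MiB: only MAX_UNCOMPRESSED of it is ever materialised
BIG_CWS = make_swf(b"CWS", RECT_550x400 + b"\x00" * (4 << 20))
# CWS header claiming a huge length, followed by bytes that are not a zlib stream
CORRUPT_CWS = struct.pack("<3sBI", b"CWS", 6, 0x7FFFFFFF) + b"\xff" * 64

if __name__ == "__main__":
    for name, blob in (("good FWS", GOOD_FWS), ("big CWS", BIG_CWS), ("corrupt CWS", CORRUPT_CWS)):
        print(name, swf_size(blob))
```

The declared length in the header is read but deliberately not used to size anything; the only bound on output is the fixed cap, and a stream that fails zlib's own checks is reported as "not an SWF" rather than retried with a larger buffer.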
