ID: 34225
User updated by: david at acz dot org
Reported By: david at acz dot org
-Status: Feedback
+Status: Open
Bug Type: GD related
Operating System: SuSE Linux
PHP Version: 4.4.0
Assigned To: pajoye
New Comment:
This is a thread-safety issue: Apache was incorrectly compiled with the "worker" MPM instead of "prefork".


Previous Comments:
------------------------------------------------------------------------

[2005-08-23 23:21:40] [EMAIL PROTECTED]

Please try using this CVS snapshot:

http://snaps.php.net/php5-STABLE-latest.tar.gz

For Windows:

http://snaps.php.net/win32/php5.0-win32-latest.zip

Please try using php 4.4.0 snapshot as well as 5.x

A reproducible crash should come with a reproducible script...

------------------------------------------------------------------------

[2005-08-23 22:55:22] david at acz dot org

Description:
------------
PHP sometimes crashes when calling the PHP function imagettftext(). It crashes because gdCacheGet() is passed and dereferences a NULL pointer.

'./configure' '--with-apxs2=/vm/apache2/bin/apxs' '--disable-debug' '--with-zlib' '--with-bzip2' '--enable-ftp' '--with-curl' '--enable-bcmath' '--enable-sockets' '--enable-pcntl' '--with-xml' '--with-openssl' '--with-cdb' '--with-mcrypt' '--without-mysql' '--with-oci8' '--enable-sigchild' '--enable-exif' '--with-gd' '--with-jpeg-dir=/usr/local' '--with-png' '--with-freetype-dir=/usr/local' '--with-readline'

gd
GD Support enabled
GD Version bundled (2.0.28 compatible)
FreeType Support enabled
FreeType Linkage with freetype
GIF Read Support enabled
GIF Create Support enabled
JPG Support enabled
PNG Support enabled
WBMP Support enabled
XBM Support enabled

Reproduce code:
---------------
I cannot reproduce the crash consistently enough to provide a simple example.
Expected result:
----------------
N/A

Actual result:
--------------
(gdb) bt
#0  0x40498bbc in gdCacheGet (head=0x0, keydata=0x41feb344) at /tmp/php-4.4.0/ext/gd/libgd/gdcache.c:101
#1  0x40497f7f in gdImageStringFTEx (im=0x85717b4, brect=0x41fec47c, fg=3355443, fontlist=0x0, ptsize=8, angle=0, x=14, y=61, string=0x8506a5c "everything with ABC Advertiser.", strex=0x0) at /tmp/php-4.4.0/ext/gd/libgd/gdft.c:868
#2  0x40497e29 in gdImageStringFT (im=0x85717b4, brect=0x41fec47c, fg=3355443, fontlist=0x852811c "lpfont/Arial-Roman.ttf", ptsize=8, angle=0, x=14, y=61, string=0x8506a5c "everything with ABC Advertiser.") at /tmp/php-4.4.0/ext/gd/libgd/gdft.c:808
#3  0x4048a9ef in php_imagettftext_common (ht=1078556464, return_value=0x848569c, this_ptr=0x0, return_value_used=0, tsrm_ls=0x82a2d90, mode=0, extended=0) at /tmp/php-4.4.0/ext/gd/gd.c:3104
#4  0x4048a693 in zif_imagettftext (ht=8, return_value=0x848569c, this_ptr=0x0, return_value_used=0, tsrm_ls=0x82a2d90) at /tmp/php-4.4.0/ext/gd/gd.c:3010
#5  0x40572269 in execute (op_array=0x850d228, tsrm_ls=0x82a2d90) at /tmp/php-4.4.0/Zend/zend_execute.c:1672
#6  0x40571f9f in execute (op_array=0x843b408, tsrm_ls=0x82a2d90) at /tmp/php-4.4.0/Zend/zend_execute.c:1716
#7  0x40571f9f in execute (op_array=0x843a8d4, tsrm_ls=0x82a2d90) at /tmp/php-4.4.0/Zend/zend_execute.c:1716
#8  0x4056345a in zend_execute_scripts (type=8, tsrm_ls=0x82a2d90, retval=0x0, file_count=3) at /tmp/php-4.4.0/Zend/zend.c:938
#9  0x40538753 in php_execute_script (primary_file=0x41ff486c, tsrm_ls=0x82a2d90) at /tmp/php-4.4.0/main/main.c:1751
#10 0x40576f88 in php_handler (r=0x82cb3e8) at /tmp/php-4.4.0/sapi/apache2handler/sapi_apache2.c:555
#11 0x0809a6b6 in ap_run_handler (r=0x82cb3e8) at config.c:153
#12 0x0809ac88 in ap_invoke_handler (r=0x82cb3e8) at config.c:364
#13 0x0808659f in ap_process_request (r=0x82cb3e8) at http_request.c:249
#14 0x080820d9 in ap_process_http_connection (c=0x82c3ad0) at http_core.c:251
#15 0x080a4d06 in ap_run_process_connection (c=0x82c3ad0) at connection.c:43

(gdb) frame 0
#0  0x40498bbc in gdCacheGet (head=0x0, keydata=0x41feb344) at /tmp/php-4.4.0/ext/gd/libgd/gdcache.c:101
101       elem = head->mru;

(gdb) frame 1
#1  0x40497f7f in gdImageStringFTEx (im=0x85717b4, brect=0x41fec47c, fg=3355443, fontlist=0x0, ptsize=8, angle=0, x=14, y=61, string=0x8506a5c "everything with ABC Advertiser.", strex=0x0) at /tmp/php-4.4.0/ext/gd/libgd/gdft.c:868
868       font = (font_t *) gdCacheGet (fontCache, &fontkey);

(gdb) frame 2
#2  0x40497e29 in gdImageStringFT (im=0x85717b4, brect=0x41fec47c, fg=3355443, fontlist=0x852811c "lpfont/Arial-Roman.ttf", ptsize=8, angle=0, x=14, y=61, string=0x8506a5c "everything with ABC Advertiser.") at /tmp/php-4.4.0/ext/gd/libgd/gdft.c:808
808       return gdImageStringFTEx(im, brect, fg, fontlist, ptsize, angle, x, y, string, 0);

(gdb) frame 3
#3  0x4048a9ef in php_imagettftext_common (ht=1078556464, return_value=0x848569c, this_ptr=0x0, return_value_used=0, tsrm_ls=0x82a2d90, mode=0, extended=0) at /tmp/php-4.4.0/ext/gd/gd.c:3104
3104      error = gdImageStringFT(im, brect, col, fontname, ptsize, angle, x, y, str);

(gdb) frame 4
#4  0x4048a693 in zif_imagettftext (ht=8, return_value=0x848569c, this_ptr=0x0, return_value_used=0, tsrm_ls=0x82a2d90) at /tmp/php-4.4.0/ext/gd/gd.c:3010
3010      php_imagettftext_common(INTERNAL_FUNCTION_PARAM_PASSTHRU, TTFTEXT_DRAW, 0);

(gdb) frame 5
#5  0x40572269 in execute (op_array=0x850d228, tsrm_ls=0x82a2d90) at /tmp/php-4.4.0/Zend/zend_execute.c:1672
1672      ((zend_internal_function *) EX(function_state).function)->handler(EX(opline)->extended_value, EX(Ts)[EX(opline)->result.u.var].var.ptr, EX(object).ptr, return_value_used TSRMLS_CC);

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=34225&edit=1
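The report shows two things going wrong at once: frame 0 dereferences a NULL cache head (head->mru), and the reporter's follow-up traces it to a lazily created, process-wide cache being used from a threaded Apache MPM. The following is an added example, not gd's or PHP's own code, modelling a font-cache lookup with both defects removed: the cache is created exactly once under pthread_once, a NULL head is reported as a failure instead of dereferenced, and list access is serialised. All names (font_cache_lookup, run_concurrent_lookups, etc.) are hypothetical.

```c
/* Added example, not gd or PHP code: a thread-safe model of the lazily
 * created font cache consulted by gdCacheGet(). Initialisation runs once
 * (pthread_once), lookups refuse a NULL head instead of crashing on
 * head->mru, and the list is protected by a mutex. Names are hypothetical. */
#include <pthread.h>
#include <stdlib.h>

typedef struct cache_elem { struct cache_elem *next; int key; int value; } cache_elem_t;
typedef struct cache_head { cache_elem_t *mru; pthread_mutex_t lock; } cache_head_t;

static cache_head_t *font_cache = NULL;               /* shared, like gd's fontCache */
static pthread_once_t font_cache_once = PTHREAD_ONCE_INIT;
static int init_calls = 0;                            /* how many times init ran */

static void font_cache_init(void) {
    cache_head_t *h = calloc(1, sizeof *h);
    if (h != NULL && pthread_mutex_init(&h->lock, NULL) == 0) font_cache = h;
    else free(h);
    init_calls++;
}

/* Lookup-or-insert under one lock. Returns the cached value, or -1 when the
 * cache is unusable (NULL head, allocation failure) rather than dereferencing it. */
int font_cache_lookup(int key) {
    cache_elem_t *e;
    pthread_once(&font_cache_once, font_cache_init);
    if (font_cache == NULL) return -1;                /* degrade, do not crash */
    pthread_mutex_lock(&font_cache->lock);
    for (e = font_cache->mru; e != NULL; e = e->next)
        if (e->key == key) break;
    if (e == NULL && (e = malloc(sizeof *e)) != NULL) {
        e->key = key; e->value = key * 10;            /* stands in for a loaded font */
        e->next = font_cache->mru; font_cache->mru = e;
    }
    pthread_mutex_unlock(&font_cache->lock);
    return e ? e->value : -1;
}

int font_cache_init_count(void) { return init_calls; }
static void *worker(void *arg) { *(int *)arg = font_cache_lookup(7); return NULL; }

/* Spawn n threads hitting the cache concurrently; returns 1 if every thread got 70. */
int run_concurrent_lookups(int n) {
    pthread_t tid[16]; int got[16]; int i, ok = 1;
    if (n < 1 || n > 16) return 0;
    for (i = 0; i < n; i++) if (pthread_create(&tid[i], NULL, worker, &got[i]) != 0) return 0;
    for (i = 0; i < n; i++) { pthread_join(tid[i], NULL); if (got[i] != 70) ok = 0; }
    return ok;
}
```

The cache intentionally lives for the life of the process, as gd's does; the point is that under the worker MPM every request still sees one fully built cache or a clean failure, never a half-initialised or NULL head.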