From: seth at pricepages dot org
Operating system: Mac 10.4
PHP version: 5.1.4
PHP Bug Type: Reproducible crash
Bug description: Seg Fault on invalid imagecreatefromgd2part() parameters

Description:
------------
A call to imagecreatefromgd2part() with invalid parameters (a negative width) causes it to request a negative-sized chunk of memory, and therefore crash.

Reproduce code:
---------------
<?php
// Image file provided on request
$im = imagecreatefromgd2part('test.gd2', 0, 0, -25, 100);
?>

Actual result:
--------------
(gdb) bt
#0  0xffff8660 in ___bzero () at /System/Library/Frameworks/System.framework/PrivateHeaders/ppc/cpu_capabilities.h:187
#1  0x0223a6b8 in _ecalloc (nmemb=19935848, size=4294967247, __zend_filename=0x2345654 "/usr/local/php/php-5.1.4/ext/gd/libgd/gd.c", __zend_lineno=135, __zend_orig_filename=0x0, __zend_orig_lineno=19935848) at /usr/local/php/php-5.1.4/Zend/zend_alloc.c:325
#2  0x0207691c in php_gd_gdImageCreate (sx=-25, sy=125) at /usr/local/php/php-5.1.4/ext/gd/libgd/gd.c:135
#3  0x0208178c in php_gd_gdImageCreateFromGd2PartCtx (in=0x11fee18, srcx=0, srcy=425, w=-25, h=125) at /usr/local/php/php-5.1.4/ext/gd/libgd/gd_gd2.c:447
#4  0x02081dfc in php_gd_gdImageCreateFromGd2Part (inFile=0x1303268, srcx=0, srcy=425, w=-25, h=125) at /usr/local/php/php-5.1.4/ext/gd/libgd/gd_gd2.c:405
#5  0x0206c700 in _php_image_create_from (ht=19959208, return_value=0x11fd368, return_value_ptr=0xf, this_ptr=0x5, return_value_used=0, image_type=10, tn=0x234530c "GD2", func_p=0x2081dc0 <php_gd_gdImageCreateFromGd2Part>, ioctx_func_p=0x20816f0 <php_gd_gdImageCreateFromGd2PartCtx>) at /usr/local/php/php-5.1.4/ext/gd/gd.c:1628
#6  0x0206c80c in zif_imagecreatefromgd2part (ht=19935848, return_value=0xffffffcf, return_value_ptr=0xf, this_ptr=0x5, return_value_used=0) at /usr/local/php/php-5.1.4/ext/gd/gd.c:1750
#7  0x02279f94 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffd878) at /usr/local/php/php-5.1.4/Zend/zend_vm_execute.h:200
#8  0x02279788 in execute (op_array=0x1148c58) at /usr/local/php/php-5.1.4/Zend/zend_vm_execute.h:92

-- 
Edit bug report at http://bugs.php.net/?id=38212&edit=1
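The backtrace above shows the root cause of the crash: a negative width (w=-25) travels unchanged from the PHP call through gdImageCreateFromGd2Part into gdImageCreate, where it is converted to an unsigned size and handed to the allocator, which then tries to satisfy (and zero) an enormous request. The example below is an added illustration, not libgd's or PHP's own code. It models a tiny row-based image allocator with the same shape as the one in the report and shows the two checks that stop this class of bug before any memory is requested: reject non-positive dimensions, and check that width * height cannot overflow size_t. The region_in_bounds helper additionally shows the bounds check a "create from part" routine needs for the (srcx, srcy, w, h) tuple; the image dimensions it is called with are constructed values, since the report does not give the size of test.gd2.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-in for an image: sy rows of sx one-byte pixels.
 * Added example only; this is not libgd's gdImage structure. */
typedef struct {
    int sx;                 /* width in pixels */
    int sy;                 /* height in pixels */
    unsigned char **pixels; /* sy row pointers, each to sx bytes */
} Image;

void image_destroy(Image *im) {
    if (!im) return;
    if (im->pixels) {
        for (int y = 0; y < im->sy; y++)
            free(im->pixels[y]);     /* free(NULL) is a no-op, so partial rows are fine */
        free(im->pixels);
    }
    free(im);
}

/* The unchecked conversion from the report: a negative int width becomes
 * a huge unsigned byte count once it reaches a size_t parameter.
 * Only the converted value is returned; nothing is allocated here. */
size_t unchecked_row_bytes(int sx) {
    return (size_t)sx;               /* -25 wraps to SIZE_MAX - 24 */
}

/* Dimension validation: both sides strictly positive, and the product
 * sx * sy must fit in size_t so a later single-buffer allocation
 * cannot silently wrap either. */
int image_dims_valid(int sx, int sy) {
    if (sx <= 0 || sy <= 0) return 0;
    if ((size_t)sx > SIZE_MAX / (size_t)sy) return 0;
    return 1;
}

/* Bounds check for a "create from part" request against a source image
 * of img_w x img_h pixels (img_w / img_h are assumptions for this example). */
int region_in_bounds(int img_w, int img_h, int srcx, int srcy, int w, int h) {
    if (img_w <= 0 || img_h <= 0) return 0;
    if (w <= 0 || h <= 0) return 0;
    if (srcx < 0 || srcy < 0) return 0;
    /* Written as subtractions so srcx + w cannot overflow int. */
    if (srcx > img_w - w) return 0;
    if (srcy > img_h - h) return 0;
    return 1;
}

/* Allocator that validates before calling calloc and cleans up on failure. */
Image *image_create_checked(int sx, int sy) {
    if (!image_dims_valid(sx, sy)) return NULL;
    Image *im = calloc(1, sizeof *im);
    if (!im) return NULL;
    im->sx = sx;
    im->sy = sy;
    im->pixels = calloc((size_t)sy, sizeof *im->pixels);
    if (!im->pixels) { free(im); return NULL; }
    for (int y = 0; y < sy; y++) {
        im->pixels[y] = calloc((size_t)sx, 1);
        if (!im->pixels[y]) { image_destroy(im); return NULL; }
    }
    return im;
}

int main(void) {
    printf("(size_t)-25 = %zu\n", unchecked_row_bytes(-25));
    Image *bad = image_create_checked(-25, 100);
    printf("create(-25, 100): %s\n", bad ? "allocated" : "rejected");
    Image *ok = image_create_checked(4, 3);
    printf("create(4, 3): %s\n", ok ? "allocated" : "rejected");
    image_destroy(ok);
    return 0;
}
```

The key design point is ordering: every check runs on the signed int parameters before any of them is cast to size_t, because after the cast a negative value is indistinguishable from a legitimately large one. A "part" loader should validate the requested region against the source image's header dimensions with region_in_bounds-style arithmetic first, and only then call the dimension-checked allocator.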