From:             seth at pricepages dot org
Operating system: Mac 10.4
PHP version:      5.1.4
PHP Bug Type:     Reproducible crash
Bug description:  Seg Fault on invalid imagecreatefromgd2part() parameters

Description:
------------
A call to imagecreatefromgd2part() with invalid parameters 
(a negative width) causes it to request a negative sized 
chunk of memory, and therefore crash.

Reproduce code:
---------------
<?php
//Image file provided on request
$im = imagecreatefromgd2part('test.gd2', 0,0, -25,100);
?>

Actual result:
--------------
(gdb) bt
#0  0xffff8660 in ___bzero () at /System/Library/Frameworks/System.framework/PrivateHeaders/ppc/cpu_capabilities.h:187
#1  0x0223a6b8 in _ecalloc (nmemb=19935848, size=4294967247, __zend_filename=0x2345654 "/usr/local/php/php-5.1.4/ext/gd/libgd/gd.c", __zend_lineno=135, __zend_orig_filename=0x0, __zend_orig_lineno=19935848) at /usr/local/php/php-5.1.4/Zend/zend_alloc.c:325
#2  0x0207691c in php_gd_gdImageCreate (sx=-25, sy=125) at /usr/local/php/php-5.1.4/ext/gd/libgd/gd.c:135
#3  0x0208178c in php_gd_gdImageCreateFromGd2PartCtx (in=0x11fee18, srcx=0, srcy=425, w=-25, h=125) at /usr/local/php/php-5.1.4/ext/gd/libgd/gd_gd2.c:447
#4  0x02081dfc in php_gd_gdImageCreateFromGd2Part (inFile=0x1303268, srcx=0, srcy=425, w=-25, h=125) at /usr/local/php/php-5.1.4/ext/gd/libgd/gd_gd2.c:405
#5  0x0206c700 in _php_image_create_from (ht=19959208, return_value=0x11fd368, return_value_ptr=0xf, this_ptr=0x5, return_value_used=0, image_type=10, tn=0x234530c "GD2", func_p=0x2081dc0 <php_gd_gdImageCreateFromGd2Part>, ioctx_func_p=0x20816f0 <php_gd_gdImageCreateFromGd2PartCtx>) at /usr/local/php/php-5.1.4/ext/gd/gd.c:1628
#6  0x0206c80c in zif_imagecreatefromgd2part (ht=19935848, return_value=0xffffffcf, return_value_ptr=0xf, this_ptr=0x5, return_value_used=0) at /usr/local/php/php-5.1.4/ext/gd/gd.c:1750
#7  0x02279f94 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffd878) at /usr/local/php/php-5.1.4/Zend/zend_vm_execute.h:200
#8  0x02279788 in execute (op_array=0x1148c58) at /usr/local/php/php-5.1.4/Zend/zend_vm_execute.h:92

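The backtrace shows the negative width (sx=-25) travelling unchecked from the PHP call down into gdImageCreate and on to calloc, where it becomes a huge unsigned count. The fix that closes that path is a dimension check in front of the allocator. Added example, not libgd's or PHP's own code: image_t, image_dims_valid, image_create_checked and image_destroy are hypothetical names, and the struct is a stand-in for the few gdImage fields the allocation path touches.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for the gdImage fields the allocation path
   touches; not libgd's real struct. */
typedef struct {
    int sx, sy;
    unsigned char **pixels;  /* sy row pointers, each sx bytes */
} image_t;

/* 1 if (sx, sy) is a non-empty size whose byte counts cannot wrap;
   the w=-25 from the report fails the first test. */
int image_dims_valid(int sx, int sy)
{
    if (sx <= 0 || sy <= 0)
        return 0;
    if ((size_t)sx > SIZE_MAX / (size_t)sy)              /* sx*sy */
        return 0;
    if ((size_t)sy > SIZE_MAX / sizeof(unsigned char *)) /* row table */
        return 0;
    return 1;
}

void image_destroy(image_t *im)
{
    if (!im) return;
    for (int y = 0; im->pixels && y < im->sy; y++)
        free(im->pixels[y]);   /* free(NULL) is a no-op */
    free(im->pixels);
    free(im);
}

/* Allocate an sx-by-sy 8-bit image, or return NULL on bad dimensions
   or allocation failure, so a negative count never reaches calloc(). */
image_t *image_create_checked(int sx, int sy)
{
    if (!image_dims_valid(sx, sy))
        return NULL;
    image_t *im = calloc(1, sizeof *im);
    if (!im) return NULL;
    im->sx = sx; im->sy = sy;
    im->pixels = calloc((size_t)sy, sizeof *im->pixels);
    if (!im->pixels) { free(im); return NULL; }
    for (int y = 0; y < sy; y++) {
        im->pixels[y] = calloc((size_t)sx, 1);
        if (!im->pixels[y]) { image_destroy(im); return NULL; }
    }
    return im;
}
```

With this check in place the reporter's call would surface as a NULL return (and, at the PHP layer, a warning and false) instead of a segfault; the same check belongs wherever width and height come from untrusted file headers or user arguments.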

-- 
Edit bug report at http://bugs.php.net/?id=38212&edit=1