ID: 43790
Updated by: [EMAIL PROTECTED]
Reported By: wccoder at gmail dot com
-Status: Feedback
+Status: Closed
Bug Type: GD related
Operating System: Fedora Core 7, x64
PHP Version: 5.2.5
Assigned To: pajoye
Previous Comments:
------------------------------------------------------------------------
[2008-01-09 02:02:00] [EMAIL PROTECTED]
Fixed in 5.3, 5.2 and HEAD. Thanks again for your report!
------------------------------------------------------------------------
[2008-01-09 01:30:43] [EMAIL PROTECTED]
Actually, it can be NULL somehow (reading the ft code). I still wonder
if it should not have some default value. I still like to have the font
though (faster :)
------------------------------------------------------------------------
[2008-01-09 01:18:21] [EMAIL PROTECTED]
Please send me the font you used for the crash. It may be fixed in
freetype instead; this structure is not supposed to be empty (lookup in
the worst case).
pierre.dev at gmail.com
Thanks for your report!
------------------------------------------------------------------------
[2008-01-09 00:49:59] wccoder at gmail dot com
Description:
------------
ext/gd/libgd/gdft.c:950
if (font->face->charmap->encoding == FT_ENCODING_MS_SYMBOL &&
strcmp(font->face->family_name, "Symbol") == 0) {
A crafted .ttf file with a null font->face->family_name causes strcmp
to attempt to access memory out of bounds and cores. I have a sample
.ttf file I can send.
Reproduce code:
---------------
<?php
$size = imagettfbbox(10, 0, 'crafted_font.ttf', 'steve');
?>
Expected result:
----------------
The php process cores.
Actual result:
--------------
#0 0x000000356c876bd0 in strcmp () from /lib64/libc.so.6
#1 0x00000000004bc5b3 in php_gd_gdImageStringFTEx (im=0x0,
brect=0x7fffbce07cc0, fg=-1, fontlist=0xba5b80 "shifter_3042_4.ttf",
ptsize=10, angle=0, x=-1, y=-1, string=0xba8fb8 "steve", strex=0x0)
at /home/wccoder/build/php-5.2.5/ext/gd/libgd/gdft.c:953
#2 0x00000000004bbe2b in php_gd_gdImageStringFT (im=0x0,
brect=0x7fffbce07cc0, fg=-1, fontlist=0xba5b80 "shifter_3042_4.ttf",
ptsize=10, angle=0, x=-1, y=-1, string=0xba8fb8 "steve") at
/home/wccoder/build/php-5.2.5/ext/gd/libgd/gdft.c:769
#3 0x00000000004a3d44 in php_imagettftext_common (ht=<value optimized
out>, return_value=0xba73f8,
return_value_ptr=<value optimized out>, this_ptr=<value optimized
out>, return_value_used=<value optimized out>,
mode=<value optimized out>, extended=0) at
/home/wccoder/build/php-5.2.5/ext/gd/gd.c:4303
#4 0x00000000004a3de6 in zif_imagettfbbox (ht=0,
return_value=0x740fa0, return_value_ptr=0x7fffbce077d0,
this_ptr=0x356cb4b760,
return_value_used=-1) at
/home/wccoder/build/php-5.2.5/ext/gd/gd.c:4199
#5 0x0000000000665f1b in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fffbce07f40)
at /home/wccoder/build/php-5.2.5/Zend/zend_vm_execute.h:200
#6 0x0000000000665013 in execute (op_array=0xba6d58) at
/home/wccoder/build/php-5.2.5/Zend/zend_vm_execute.h:92
#7 0x0000000000647013 in zend_execute_scripts (type=8,
retval=0xbd8f80, file_count=3)
at /home/wccoder/build/php-5.2.5/Zend/zend.c:1134
#8 0x000000000060776b in php_execute_script
(primary_file=0x7fffbce0a5b0) at
/home/wccoder/build/php-5.2.5/main/main.c:2004
#9 0x00000000006c1e42 in main (argc=3, argv=0x7fffbce0a7b8) at
/home/wccoder/build/php-5.2.5/sapi/cli/php_cli.c:1140
------------------------------------------------------------------------
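The NULL dereference described in the report, as an added example that is not part of the report or of PHP's own fix: the check as quoted from gdft.c:950 beside a hardened form that treats a missing family_name (or charmap) as "not the Symbol font". The FreeType-like structs and the three fonts are constructed stand-ins, not FreeType's real definitions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the FreeType types gdft.c dereferences. Only the
   fields the check touches are modelled; these are not FreeType's real structs. */
typedef enum { FT_ENCODING_NONE = 0, FT_ENCODING_MS_SYMBOL = 1 } FT_Encoding;
typedef struct { FT_Encoding encoding; } FT_CharMapRec, *FT_CharMap;
typedef struct { FT_CharMap charmap; char *family_name; } FT_FaceRec, *FT_Face;
typedef struct { FT_Face face; } font_t;

/* Shape of the test quoted from gdft.c:950. family_name is passed to strcmp
   unconditionally, so a face whose family_name is NULL faults inside libc. */
int is_ms_symbol_font_unsafe(const font_t *font)
{
    return font->face->charmap->encoding == FT_ENCODING_MS_SYMBOL &&
           strcmp(font->face->family_name, "Symbol") == 0;
}

/* Hardened form: a missing charmap or family name means "not the Symbol
   font". Well-formed faces get exactly the same answer as before. */
int is_ms_symbol_font(const font_t *font)
{
    if (font == NULL || font->face == NULL || font->face->charmap == NULL)
        return 0;
    if (font->face->family_name == NULL)      /* the crafted-TTF case in the report */
        return 0;
    return font->face->charmap->encoding == FT_ENCODING_MS_SYMBOL &&
           strcmp(font->face->family_name, "Symbol") == 0;
}

/* Constructed fixtures standing in for loaded fonts. */
static FT_CharMapRec symbol_cmap  = { FT_ENCODING_MS_SYMBOL };
static FT_CharMapRec unicode_cmap = { FT_ENCODING_NONE };
static char symbol_name[] = "Symbol";
static char other_name[]  = "SomeSans";
static FT_FaceRec symbol_face  = { &symbol_cmap,  symbol_name };
static FT_FaceRec other_face   = { &unicode_cmap, other_name };
static FT_FaceRec crafted_face = { &symbol_cmap,  NULL }; /* MS_SYMBOL encoding, no name */
const font_t symbol_font  = { &symbol_face };
const font_t other_font   = { &other_face };
const font_t crafted_font = { &crafted_face };

int main(void)
{
    printf("Symbol font:  %d\n", is_ms_symbol_font(&symbol_font));   /* 1 */
    printf("other font:   %d\n", is_ms_symbol_font(&other_font));    /* 0 */
    /* The unsafe variant is never called on crafted_font: that call is the crash. */
    printf("crafted font: %d\n", is_ms_symbol_font(&crafted_font));  /* 0 */
    return 0;
}
```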