From:             david at acz dot org
Operating system: SuSE Linux
PHP version:      4.4.0
PHP Bug Type:     Reproducible crash
Bug description:  imagettftext() causes PHP to crash

Description:
------------
PHP sometimes crashes when calling the PHP function imagettftext().  It
crashes because gdCacheGet() is passed and dereferences a NULL pointer.


'./configure' '--with-apxs2=/vm/apache2/bin/apxs' '--disable-debug'
'--with-zlib' '--with-bzip2' '--enable-ftp' '--with-curl'
'--enable-bcmath' '--enable-sockets' '--enable-pcntl' '--with-xml'
'--with-openssl' '--with-cdb' '--with-mcrypt' '--without-mysql'
'--with-oci8' '--enable-sigchild' '--enable-exif' '--with-gd'
'--with-jpeg-dir=/usr/local' '--with-png' '--with-freetype-dir=/usr/local'
'--with-readline'

gd
GD Support  enabled  
GD Version  bundled (2.0.28 compatible)  
FreeType Support  enabled  
FreeType Linkage  with freetype  
GIF Read Support  enabled  
GIF Create Support  enabled  
JPG Support  enabled  
PNG Support  enabled  
WBMP Support  enabled  
XBM Support  enabled

Reproduce code:
---------------
I cannot reproduce the crash consistently enough to provide a simple
example.

Expected result:
----------------
N/A

Actual result:
--------------
(gdb) bt
#0  0x40498bbc in gdCacheGet (head=0x0, keydata=0x41feb344)
    at /tmp/php-4.4.0/ext/gd/libgd/gdcache.c:101
#1  0x40497f7f in gdImageStringFTEx (im=0x85717b4, brect=0x41fec47c,
    fg=3355443, fontlist=0x0, ptsize=8, angle=0, x=14, y=61,
    string=0x8506a5c "everything with ABC Advertiser.", strex=0x0)
    at /tmp/php-4.4.0/ext/gd/libgd/gdft.c:868
#2  0x40497e29 in gdImageStringFT (im=0x85717b4, brect=0x41fec47c, fg=3355443,
    fontlist=0x852811c "lpfont/Arial-Roman.ttf", ptsize=8, angle=0, x=14,
    y=61, string=0x8506a5c "everything with ABC Advertiser.")
    at /tmp/php-4.4.0/ext/gd/libgd/gdft.c:808
#3  0x4048a9ef in php_imagettftext_common (ht=1078556464,
    return_value=0x848569c, this_ptr=0x0, return_value_used=0,
    tsrm_ls=0x82a2d90, mode=0, extended=0) at /tmp/php-4.4.0/ext/gd/gd.c:3104
#4  0x4048a693 in zif_imagettftext (ht=8, return_value=0x848569c,
    this_ptr=0x0, return_value_used=0, tsrm_ls=0x82a2d90)
    at /tmp/php-4.4.0/ext/gd/gd.c:3010
#5  0x40572269 in execute (op_array=0x850d228, tsrm_ls=0x82a2d90)
    at /tmp/php-4.4.0/Zend/zend_execute.c:1672
#6  0x40571f9f in execute (op_array=0x843b408, tsrm_ls=0x82a2d90)
    at /tmp/php-4.4.0/Zend/zend_execute.c:1716
#7  0x40571f9f in execute (op_array=0x843a8d4, tsrm_ls=0x82a2d90)
    at /tmp/php-4.4.0/Zend/zend_execute.c:1716
#8  0x4056345a in zend_execute_scripts (type=8, tsrm_ls=0x82a2d90, retval=0x0,
    file_count=3) at /tmp/php-4.4.0/Zend/zend.c:938
#9  0x40538753 in php_execute_script (primary_file=0x41ff486c,
    tsrm_ls=0x82a2d90) at /tmp/php-4.4.0/main/main.c:1751
#10 0x40576f88 in php_handler (r=0x82cb3e8)
    at /tmp/php-4.4.0/sapi/apache2handler/sapi_apache2.c:555
#11 0x0809a6b6 in ap_run_handler (r=0x82cb3e8) at config.c:153
#12 0x0809ac88 in ap_invoke_handler (r=0x82cb3e8) at config.c:364
#13 0x0808659f in ap_process_request (r=0x82cb3e8) at http_request.c:249
#14 0x080820d9 in ap_process_http_connection (c=0x82c3ad0) at http_core.c:251
#15 0x080a4d06 in ap_run_process_connection (c=0x82c3ad0) at connection.c:43
(gdb) frame 0
#0  0x40498bbc in gdCacheGet (head=0x0, keydata=0x41feb344)
    at /tmp/php-4.4.0/ext/gd/libgd/gdcache.c:101
101       elem = head->mru;
(gdb) frame 1
#1  0x40497f7f in gdImageStringFTEx (im=0x85717b4, brect=0x41fec47c,
    fg=3355443, fontlist=0x0, ptsize=8, angle=0, x=14, y=61,
    string=0x8506a5c "everything with ABC Advertiser.", strex=0x0)
    at /tmp/php-4.4.0/ext/gd/libgd/gdft.c:868
868             font = (font_t *) gdCacheGet (fontCache, &fontkey);
(gdb) frame 2
#2  0x40497e29 in gdImageStringFT (im=0x85717b4, brect=0x41fec47c, fg=3355443,
    fontlist=0x852811c "lpfont/Arial-Roman.ttf", ptsize=8, angle=0, x=14,
    y=61, string=0x8506a5c "everything with ABC Advertiser.")
    at /tmp/php-4.4.0/ext/gd/libgd/gdft.c:808
808             return gdImageStringFTEx(im, brect, fg, fontlist, ptsize, angle, x, y, string, 0);
(gdb) frame 3
#3  0x4048a9ef in php_imagettftext_common (ht=1078556464,
    return_value=0x848569c, this_ptr=0x0, return_value_used=0,
    tsrm_ls=0x82a2d90, mode=0, extended=0) at /tmp/php-4.4.0/ext/gd/gd.c:3104
3104            error = gdImageStringFT(im, brect, col, fontname, ptsize, angle, x, y, str);
(gdb) frame 4
#4  0x4048a693 in zif_imagettftext (ht=8, return_value=0x848569c,
    this_ptr=0x0, return_value_used=0, tsrm_ls=0x82a2d90)
    at /tmp/php-4.4.0/ext/gd/gd.c:3010
3010            php_imagettftext_common(INTERNAL_FUNCTION_PARAM_PASSTHRU, TTFTEXT_DRAW, 0);
(gdb) frame 5
#5  0x40572269 in execute (op_array=0x850d228, tsrm_ls=0x82a2d90)
    at /tmp/php-4.4.0/Zend/zend_execute.c:1672
1672            ((zend_internal_function *) EX(function_state).function)->handler(EX(opline)->extended_value, EX(Ts)[EX(opline)->result.u.var].var.ptr, EX(object).ptr, return_value_used TSRMLS_CC);
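The crash in frame 0 is a cache lookup that dereferences its head pointer before checking it (`elem = head->mru;` with `head=0x0`). The following C program is an added illustration, not gd's or PHP's code: the `cache_head_t`/`cache_elem_t` structures, `lookup_unchecked`, `lookup_checked`, `cache_put` and `font_lookup` are all hypothetical stand-ins for the font cache in the trace. It shows the unchecked lookup beside a hardened one that reports a missing cache as a miss, and a caller-side guard that lazily creates the cache so the lookup never sees a NULL head.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_MAX 64

/* Hypothetical MRU cache modelled on the shape visible in the backtrace
 * (a head structure whose mru field starts the entry list). Not gd's code. */
typedef struct cache_elem {
    struct cache_elem *next;
    char key[KEY_MAX];
    int value;          /* stands in for the cached font object */
} cache_elem_t;

typedef struct {
    cache_elem_t *mru;  /* most-recently-used entry first */
} cache_head_t;

/* Lookup in the style of the crashing frame: the head is dereferenced
 * unconditionally, so a NULL head is a segfault instead of a cache miss.
 * Never call this with head == NULL. */
int lookup_unchecked(cache_head_t *head, const char *key, int *out) {
    cache_elem_t *elem = head->mru;          /* NULL head crashes here */
    for (; elem != NULL; elem = elem->next) {
        if (strcmp(elem->key, key) == 0) { *out = elem->value; return 1; }
    }
    return 0;
}

/* Hardened lookup: every pointer is checked before use, and a missing
 * cache is simply a miss (returns 0) that the caller must handle. */
int lookup_checked(const cache_head_t *head, const char *key, int *out) {
    if (head == NULL || key == NULL || out == NULL) return 0;
    for (const cache_elem_t *elem = head->mru; elem != NULL; elem = elem->next) {
        if (strcmp(elem->key, key) == 0) { *out = elem->value; return 1; }
    }
    return 0;
}

/* Insert at the MRU position. Returns 0 on bad input or allocation failure. */
int cache_put(cache_head_t *head, const char *key, int value) {
    if (head == NULL || key == NULL || strlen(key) >= KEY_MAX) return 0;
    cache_elem_t *elem = malloc(sizeof *elem);
    if (elem == NULL) return 0;
    strcpy(elem->key, key);
    elem->value = value;
    elem->next = head->mru;
    head->mru = elem;
    return 1;
}

/* Release all entries; the head itself is owned by the caller. */
void cache_free(cache_head_t *head) {
    if (head == NULL) return;
    cache_elem_t *elem = head->mru;
    while (elem != NULL) { cache_elem_t *next = elem->next; free(elem); elem = next; }
    head->mru = NULL;
}

/* Caller-side guard: create the cache on first use so the lookup never
 * receives a NULL head. Returns the cached value, or -1 on failure. */
int font_lookup(cache_head_t **cache, const char *fontname) {
    if (cache == NULL || fontname == NULL) return -1;
    if (*cache == NULL) {
        *cache = calloc(1, sizeof **cache);   /* mru starts out NULL */
        if (*cache == NULL) return -1;
    }
    int value;
    if (lookup_checked(*cache, fontname, &value)) return value;
    /* Miss: a real font load would happen here; a constructed placeholder
     * id (the name length) stands in for the loaded font. */
    value = (int)strlen(fontname);
    if (!cache_put(*cache, fontname, value)) return -1;
    return value;
}

int main(void) {
    cache_head_t *cache = NULL;   /* same state as the NULL head in the trace */
    int v = 0;
    printf("checked lookup on NULL cache -> %d (miss, no crash)\n",
           lookup_checked(cache, "Arial-Roman.ttf", &v));
    printf("font_lookup (creates cache) -> %d\n", font_lookup(&cache, "Arial-Roman.ttf"));
    printf("font_lookup again (hit) -> %d\n", font_lookup(&cache, "Arial-Roman.ttf"));
    cache_free(cache);
    free(cache);
    return 0;
}
```

The point of `lookup_checked` is that a NULL cache degrades to a miss that the caller can log and recover from, whereas `lookup_unchecked` turns the same condition into a process crash; the lazy-initialisation in `font_lookup` closes the gap on the caller's side as well.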


-- 
Edit bug report at http://bugs.php.net/?id=34225&edit=1