iliaa Thu Apr 3 19:29:37 2003 EDT Modified files: (Branch: PHP_4_3) /php4 TODO_SEGFAULTS Log: Fixed segv as well as info about new segvs in gd. Index: php4/TODO_SEGFAULTS diff -u php4/TODO_SEGFAULTS:1.1.2.22 php4/TODO_SEGFAULTS:1.1.2.23 --- php4/TODO_SEGFAULTS:1.1.2.22 Thu Apr 3 15:07:40 2003 +++ php4/TODO_SEGFAULTS Thu Apr 3 19:29:37 2003 @@ -9,10 +9,11 @@ exif_imagetype,exif_thumbnail (Rasmus) dbase_open (Rasmus) array_pad (Rasmus) - str_repeat (Ilia) setlocale (Rasmus) unregister_tick_function (Rasmus) bcsub (Rasmus) + str_repeat (Ilia) + imagecopyresized (Ilia) mb_ereg, mb_ereg_match, mb_eregi, mb_split (Moriyoshi) xml_parser_create (Moriyoshi) ob_start (Sascha) @@ -26,6 +27,7 @@ mb_strcut('', 2147483647); (2) chunk_split (3) socket_select (4) + php_imagepolygon (5) (1) heap corruption, mostly visible in malloc-related calls. Whether you see this or not might depend on your libc/compiler. Hard to track down, @@ -74,7 +76,8 @@ echo dbase_open | php do_crash.txt - +(5) integer overflow inside php_imagepolygon and possible subsequent + integer overflows inside gdlib's gdImageFilledPolygon(). Ammendment 1.
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php