imagecreatefrom... crashes with user streams

Bug #65060	imagecreatefrom... crashes with user streams
Submitted:	2013-06-19 08:08 UTC	Modified:	2013-06-21 15:23 UTC
From:	thekid@php.net	Assigned:	thekid (profile)
Status:	Closed	Package:	GD related
PHP Version:	5.5.0RC3	OS:	gentoo
Private report:	No	CVE-ID:	None

[2013-06-19 08:08 UTC] thekid@php.net

Description:
------------
When loading images via any of the imagecreatefrom...() functions and the argument given to them resolves to a userstream, a segmentation fault occurs on Linux systems (Travis CI's Linux image, 3.2.9-gentoo). With PHP 5.4, the same code works as expected. On Windows, the same code works as expected.

See https://github.com/xp-framework/xp-framework/issues/310

Test script:
---------------
<?php
class userstream {
  public static $bytes= array();

  public function stream_open($path, $mode, $options, $opened_path) {
    sscanf($path, 'iostrr://%s', $file);
    if (!isset(self::$bytes[$file])) return false;
    $this->buffer= self::$bytes[$file];
    $this->avail= strlen($this->buffer);
    $this->length= strlen($this->buffer);
    return true;
  }

  public function stream_read($count) {
    $chunk= substr($this->buffer, 0, min($this->avail, $count));
    $this->buffer= substr($this->buffer, strlen($chunk));
    $this->avail-= strlen($chunk);
    return $chunk;
  }

  public function stream_stat() {
    return array('size' => $this->length);
  }

  public function stream_eof() {
    return $this->avail <= 0;
  }

  public function stream_close() {
    $this->avail= -1;
  }
}

userstream::$bytes['test.gif']= base64_decode('R0lGODdhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=');
stream_wrapper_register('iostrr', 'userstream');

var_dump(imagecreatefromgif('iostrr://test.gif'));


Expected result:
----------------
resource(6) of type (gd)

Actual result:
--------------
Segmentation fault

Program received signal SIGSEGV, Segmentation fault.
0x00005555558b2d77 in _php_stream_seek (stream=0x7fffefc6d6b0, offset=-1, whence=1)
    at /home/friebe/php/php-src/main/streams/streams.c:1273
1273                    fflush(stream->stdiocast);
(gdb) bt
#0  0x00005555558b2d77 in _php_stream_seek (stream=0x7fffefc6d6b0, offset=-1, whence=1)
    at /home/friebe/php/php-src/main/streams/streams.c:1273
#1  0x00005555558b4fa0 in stream_cookie_seeker (cookie=<optimized out>, position=0x7fffff7ff458,
    whence=<optimized out>) at /home/friebe/php/php-src/main/streams/cast.c:117
#2  0x00007ffff6571fb6 in ?? () from /lib64/libc.so.6
#3  0x00007ffff657d1e5 in _IO_file_sync () from /lib64/libc.so.6
#4  0x00007ffff65718e1 in fflush () from /lib64/libc.so.6

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-06-19 08:35 UTC] pajoye@php.net

g:\php-sdk\php-master\vc11\x86\php-src-clean>g:\temp\5.5.0rc3-nts\php -d 
extension_dir=g:\temp\5.5.0rc3-nts\ext\ -d extension=php_gd2.dll 65060.php

Warning: imagecreatefromgif(): userstream::stream_cast is not implemented! in 
G:\php-sdk\php-master\vc11\x86\php-src-clean\65060.php on line 38
resource(7) of type (gd)

do you use system's gd or bundled one? Can you try with the bundled one please 
(if system's is used).

Which Distro do you use?

[2013-06-19 08:38 UTC] pajoye@php.net

-Operating System: Linux +Operating System: gentoo

[2013-06-19 08:38 UTC] pajoye@php.net

should have read more carefully :)

So only the system or bundled gd question remains :)

[2013-06-19 09:00 UTC] thekid@php.net

> system or bundled gd question remains

friebe@xpsrv ~/php/php-src $ ./sapi/cli/php -i|grep -i gd
Configure Command =>  './configure'  '--with-gd'
gd
GD Support => enabled
GD Version => bundled (2.1.0 compatible)
gd.jpeg_ignore_warning => 0 => 0

[2013-06-21 05:31 UTC] pajoye@php.net

==5774== Memcheck, a memory error detector
==5774== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==5774== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright 
info
==5774== Command: ./sapi/cli/php stream.php
==5774== 
==5774== Stack overflow in thread 1: can't grow stack to 0xbe2c6d8c

weird.

[2013-06-21 05:37 UTC] pajoye@php.net

Program received signal SIGSEGV, Segmentation fault.
0x081d7e6e in _php_stream_seek (stream=0xb7d60efc, offset=-1, whence=1) at 
/home/pierre/repo/phpgit/php-src-clean/main/streams/streams.c:1273
1273			fflush(stream->stdiocast);

[2013-06-21 05:38 UTC] pajoye@php.net

and the bt, which confirms an infinite loop there:

(gdb) bt
#0  0x081d7e6e in _php_stream_seek (stream=0xb7d60efc, offset=-1, whence=1) at 
/home/pierre/repo/phpgit/php-src-clean/main/streams/streams.c:1273
#1  0x081da09e in stream_cookie_seeker (cookie=0xb7d60efc, position=0xbf800044, 
whence=1) at /home/pierre/repo/phpgit/php-src-clean/main/streams/cast.c:109
#2  0xb7df9e99 in _IO_cookie_seek (fp=0x84f4420, offset=-1, dir=1) at 
iofopncook.c:87
#3  0xb7e054ae in _IO_new_file_sync (fp=0x84f4420) at fileops.c:913
#4  0xb7df9810 in _IO_fflush (fp=0x84f4420) at iofflush.c:43
#5  0x081d7e76 in _php_stream_seek (stream=0xb7d60efc, offset=-1, whence=1) at 
/home/pierre/repo/phpgit/php-src-clean/main/streams/streams.c:1273
#6  0x081da09e in stream_cookie_seeker (cookie=0xb7d60efc, position=0xbf8004e0, 
whence=1) at /home/pierre/repo/phpgit/php-src-clean/main/streams/cast.c:109
#7  0xb7df9e99 in _IO_cookie_seek (fp=0x84f4420, offset=-1, dir=1) at 
iofopncook.c:87
#8  0xb7e054ae in _IO_new_file_sync (fp=0x84f4420) at fileops.c:913
#9  0xb7df9810 in _IO_fflush (fp=0x84f4420) at iofflush.c:43
#10 0x081d7e76 in _php_stream_seek (stream=0xb7d60efc, offset=-1, whence=1) at 
/home/pierre/repo/phpgit/php-src-clean/main/streams/streams.c:1273
#11 0x081da09e in stream_cookie_seeker (cookie=0xb7d60efc, position=0xbf80097c, 
whence=1) at /home/pierre/repo/phpgit/php-src-clean/main/streams/cast.c:109
#12 0xb7df9e99 in _IO_cookie_seek (fp=0x84f4420, offset=-1, dir=1) at 
iofopncook.c:87
#13 0xb7e054ae in _IO_new_file_sync (fp=0x84f4420) at fileops.c:913
...

[2013-06-21 12:11 UTC] remi@php.net

-Status: Open +Status: Closed

[2013-06-21 15:23 UTC] thekid@php.net

-Assigned To: +Assigned To: thekid

[2013-06-23 22:25 UTC] stas@php.net

It'd be nice also to include a test for the fix.