[php-maint] Bug#543496: php5-gd: segmentation fault in phpinfo()

Gábor Gombás gombasg at sztaki.hu
Tue Aug 25 11:30:47 UTC 2009


Package: php5-gd
Version: 5.3.0-2
Severity: normal


Hi,

$ echo '<?php phpinfo() ?>' | php > /tmp/out
Segmentation fault

Stack trace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff59a8210 in strlen () from /lib/libc.so.6
(gdb) bt
#0  0x00007ffff59a8210 in strlen () from /lib/libc.so.6
#1  0x00000000006d9a88 in format_converter (odp=0x7fffffffb500, fmt=0x7ffff4827470 "s", ap=0x7fffffffb460)
    at /tmp/buildd/php5-5.3.0/main/snprintf.c:964
#2  0x00000000006da66c in strx_printv (ccp=0x7fffffffb51c, buf=0x7ffff7fdb6a0 "\270\26\254\364\377\177", len=4294948152, 
    format=0x7ffff482746f "%s", ap=0x0) at /tmp/buildd/php5-5.3.0/main/snprintf.c:1211
#3  0x00000000006da814 in ap_php_snprintf (buf=0x7fffffffb5eb "", len=4160599712, format=0x0) at /tmp/buildd/php5-5.3.0/main/snprintf.c:1256
#4  0x00007ffff4823ae4 in zm_info_gd (zend_module=0x108e7c0) at /tmp/buildd/php5-5.3.0/ext/gd/gd.c:1296
#5  0x00000000006799c0 in _display_module_info_func (module=0xf4828818) at /tmp/buildd/php5-5.3.0/ext/standard/info.c:123
#6  0x00000000007359a5 in zend_hash_apply (ht=0x7fffffffb830, apply_func=0x6799b0 <_display_module_info_func>)
    at /tmp/buildd/php5-5.3.0/Zend/zend_hash.c:673
#7  0x000000000067ad3a in php_print_info (flag=32767) at /tmp/buildd/php5-5.3.0/ext/standard/info.c:903
#8  0x000000000067b141 in zif_phpinfo (ht=-192772072, return_value=0x1064bd8, return_value_ptr=0x7fffffffb538, this_ptr=0x0, 
    return_value_used=-16843009) at /tmp/buildd/php5-5.3.0/ext/standard/info.c:1217
#9  0x000000000077b12b in zend_do_fcall_common_helper_SPEC (execute_data=0xe34360) at /tmp/buildd/php5-5.3.0/Zend/zend_vm_execute.h:313
#10 0x0000000000754569 in execute (op_array=0x1063688) at /tmp/buildd/php5-5.3.0/Zend/zend_vm_execute.h:104
#11 0x0000000000729391 in zend_execute_scripts (type=0, retval=0x7fffffffba80, file_count=3) at /tmp/buildd/php5-5.3.0/Zend/zend.c:1188
#12 0x00000000006d5ac5 in php_execute_script (primary_file=0xe3f800) at /tmp/buildd/php5-5.3.0/main/main.c:2196
#13 0x00000000007b6b77 in main (argc=-7672, argv=0x7fffffffde10) at /tmp/buildd/php5-5.3.0/sapi/cli/php_cli.c:1188
(gdb)

Notice that zm_info_gd() seems to call ap_php_snprintf() with completely
bogus arguments.

For reference, the contents of /tmp/out from the first command above:

phpinfo()
PHP Version => 5.3.0-2

System => Linux boogie 2.6.30.5 #14 SMP PREEMPT Sun Aug 23 21:03:26 CEST 2009 x86_64
Build Date => Jul  1 2009 07:29:44
Server API => Command Line Interface
Virtual Directory Support => disabled
Configuration File (php.ini) Path => /etc/php5/cli
Loaded Configuration File => /etc/php5/cli/php.ini
Scan this dir for additional .ini files => /etc/php5/cli/conf.d
Additional .ini files parsed => /etc/php5/cli/conf.d/gd.ini,
/etc/php5/cli/conf.d/mysql.ini,
/etc/php5/cli/conf.d/mysqli.ini,
/etc/php5/cli/conf.d/pdo.ini,
/etc/php5/cli/conf.d/pdo_mysql.ini,
/etc/php5/cli/conf.d/pdo_pgsql.ini,
/etc/php5/cli/conf.d/pgsql.ini

PHP API => 20090626
PHP Extension => 20090626
Zend Extension => 220090626
Zend Extension Build => API220090626,NTS
PHP Extension Build => API20090626,NTS
Debug Build => no
Thread Safety => disabled
Zend Memory Manager => enabled
Zend Multibyte Support => disabled
IPv6 Support => enabled
Registered PHP Streams => https, ftps, compress.zlib, compress.bzip2, php, file, glob, data, http, ftp, phar, zip  
Registered Stream Socket Transports => tcp, udp, unix, udg, ssl, sslv3, sslv2, tls
Registered Stream Filters => zlib.*, bzip2.*, convert.iconv.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dechunk


This program makes use of the Zend Scripting Language Engine:
Zend Engine v2.3.0, Copyright (c) 1998-2009 Zend Technologies


 _______________________________________________________________________


Configuration

bcmath

BCMath support => enabled

Directive => Local Value => Master Value
bcmath.scale => 0 => 0

bz2

BZip2 Support => Enabled
Stream Wrapper support => compress.bz2://
Stream Filter support => bzip2.decompress, bzip2.compress
BZip2 Version => 1.0.5, 10-Dec-2007

calendar

Calendar support => enabled

Core

PHP Version => 5.3.0-2

Directive => Local Value => Master Value
allow_call_time_pass_reference => Off => Off
allow_url_fopen => On => On
allow_url_include => Off => Off
always_populate_raw_post_data => Off => Off
arg_separator.input => & => &
arg_separator.output => & => &
asp_tags => Off => Off
auto_append_file => no value => no value
auto_globals_jit => On => On
auto_prepend_file => no value => no value
browscap => no value => no value
default_charset => no value => no value
default_mimetype => text/html => text/html
define_syslog_variables => Off => Off
disable_classes => no value => no value
disable_functions => no value => no value
display_errors => Off => Off
display_startup_errors => Off => Off
doc_root => no value => no value
docref_ext => no value => no value
docref_root => no value => no value
enable_dl => Off => Off
error_append_string => no value => no value
error_log => no value => no value
error_prepend_string => no value => no value
error_reporting => 22527 => 22527
exit_on_timeout => Off => Off
expose_php => On => On
extension_dir => /usr/lib/php5/20090626 => /usr/lib/php5/20090626
file_uploads => On => On
highlight.bg => <font style="color: #FFFFFF">#FFFFFF</font> => <font style="color: #FFFFFF">#FFFFFF</font>
highlight.comment => <font style="color: #FF8000">#FF8000</font> => <font style="color: #FF8000">#FF8000</font>
highlight.default => <font style="color: #0000BB">#0000BB</font> => <font style="color: #0000BB">#0000BB</font>
highlight.html => <font style="color: #000000">#000000</font> => <font style="color: #000000">#000000</font>
highlight.keyword => <font style="color: #007700">#007700</font> => <font style="color: #007700">#007700</font>
highlight.string => <font style="color: #DD0000">#DD0000</font> => <font style="color: #DD0000">#DD0000</font>
html_errors => Off => Off
ignore_repeated_errors => Off => Off
ignore_repeated_source => Off => Off
ignore_user_abort => Off => Off
implicit_flush => On => On
include_path => .:/usr/share/php:/usr/share/pear => .:/usr/share/php:/usr/share/pear
log_errors => On => On
log_errors_max_len => 1024 => 1024
magic_quotes_gpc => Off => Off
magic_quotes_runtime => Off => Off
magic_quotes_sybase => Off => Off
mail.add_x_header => On => On
mail.force_extra_parameters => 

Gabor

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (110, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30.5 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages php5-gd depends on:
ii  libapache2-mod-php5 [p 5.3.0-2           server-side, HTML-embedded scripti
ii  libc6                  2.9-25            GNU C Library: Shared libraries
ii  libfreetype6           2.3.9-5           FreeType 2 font engine, shared lib
ii  libgd2-xpm             2.0.36~rc1~dfsg-3 GD Graphics Library version 2
ii  libjpeg62              6b-15             The Independent JPEG Group's JPEG 
ii  libpng12-0             1.2.39-1          PNG library - runtime
ii  libt1-5                5.1.2-3           Type 1 font rasterizer library - r
ii  libx11-6               2:1.2.2-1         X11 client-side library
ii  libxpm4                1:3.5.7-2         X11 pixmap library
ii  php5                   5.3.0-2           server-side, HTML-embedded scripti
ii  php5-cli [phpapi-20090 5.3.0-2           command-line interpreter for the p
ii  php5-common            5.3.0-2           Common files for packages built fr
ii  zlib1g                 1:1.2.3.3.dfsg-15 compression library - runtime

php5-gd recommends no packages.

php5-gd suggests no packages.

-- no debconf information
