Debian Bug report logs - #540367
php5-gd: libapache2-mod-php5 > phpinfo > gd ... apache child segfault


Package: php5-gd; Maintainer for php5-gd is (unknown);

Reported by: "Th. Drillich" <th@drillich.com>

Date: Fri, 7 Aug 2009 14:27:02 UTC

Severity: grave

Tags: fixed-upstream

Found in version php5/5.3.0-2

Fixed in version php5/5.3.1-1

Done: Raphael Geissert <atomo64@gmail.com>

Bug is archived. No further changes may be made.

Forwarded to http://bugs.php.net/bug.php?id=49193



Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#540367; Package php5-gd. (Fri, 07 Aug 2009 14:27:04 GMT) (full text, mbox, link).


Acknowledgement sent to "Th. Drillich" <th@drillich.com>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 07 Aug 2009 14:27:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Th. Drillich" <th@drillich.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php5-gd: libapache2-mod-php5 > phpinfo > gd ... apache child segfault
Date: Fri, 07 Aug 2009 16:24:31 +0200
[Message part 1 (text/plain, inline)]
Package: php5-gd
Version: 5.3.0-2
Severity: grave
Justification: renders package unusable

On an apache2 server using libapache2-mod-php5, calling "phpinfo();" causes a
segfault if gd is enabled; if gd is disabled in gd.ini, the page is returned.
A backtrace should be attached.

btw. I'm using php-5.3.0-systzdata-v7.patch to get around bug 535770.

cu thomas
-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable'), (250, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.29.1-rt8-4.03-st20g5 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages php5-gd depends on:
ii  libapache2-mod-php5 [p 5.3.0-2           server-side, HTML-embedded scripti
ii  libc6                  2.9-12            GNU C Library: Shared libraries
ii  libfreetype6           2.3.9-4.1         FreeType 2 font engine, shared lib
ii  libgd2-xpm             2.0.36~rc1~dfsg-3 GD Graphics Library version 2
ii  libjpeg62              6b-14             The Independent JPEG Group's JPEG 
ii  libpng12-0             1.2.38-1          PNG library - runtime
ii  libt1-5                5.1.2-3           Type 1 font rasterizer library - r
ii  libx11-6               2:1.2.2-1         X11 client-side library
ii  libxpm4                1:3.5.7-2         X11 pixmap library
ii  php5                   5.3.0-2           server-side, HTML-embedded scripti
ii  php5-cgi [phpapi-20090 5.3.0-2           server-side, HTML-embedded scripti
ii  php5-cli [phpapi-20090 5.3.0-2           command-line interpreter for the p
ii  php5-common            5.3.0-2           Common files for packages built fr
ii  zlib1g                 1:1.2.3.3.dfsg-13 compression library - runtime

php5-gd recommends no packages.

php5-gd suggests no packages.

-- no debconf information
[php-5.3-gd.bug-backtrace.txt (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#540367; Package php5-gd. (Sat, 08 Aug 2009 16:42:08 GMT) (full text, mbox, link).


Acknowledgement sent to th@drillich.com:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 08 Aug 2009 16:42:08 GMT) (full text, mbox, link).


Message #10 received at 540367@bugs.debian.org (full text, mbox, reply):

From: Thomas Drillich <th@drillich.com>
To: 540367@bugs.debian.org
Subject: Re: Bug#540367: Acknowledgement (php5-gd: libapache2-mod-php5 > phpinfo > gd ... apache child segfault)
Date: Sat, 8 Aug 2009 18:35:16 +0200
[Message part 1 (text/plain, inline)]
Hi,

this is really a stupid bug: the guy who designed gd_compat.[hc]
expected that sizeof(int) == sizeof(const char*).
So he declared gdJpegGetVersionString() as returning int instead of correctly
returning const char*.
So all 64-bit systems must crash at this point, because ints are 4 bytes and pointers are 8 bytes on those systems.

-- 
with kind regards -- regards

Thomas Drillich
[php-5.3.0-gdJpegGetVersionString_returns_int.patch (text/x-patch, attachment)]
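As an added illustration of the int-versus-pointer truncation Thomas describes above (and of the sizeof() mismatch in the forwarded PHP bug description further down), here is a small C model; it is not code from this thread, from PHP or from libgd. It takes an address of the shape seen in the backtrace and shows what a caller compiled against the old `int` prototype actually receives. The helpers `truncate_through_int` and `survives_int_roundtrip` and the `SAMPLE_LIB_ADDRESS` constant are assumptions made for the example; the address itself is copied from frame #1 of the backtrace purely as sample input.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration, not code from the bug thread or from PHP/libgd: what a
 * caller ends up holding when a function that really returns a const char*
 * is declared as returning int on an LP64 platform (sizeof(int) == 4,
 * sizeof(const char *) == 8), as in the original gd_compat.h.
 *
 * The callee hands back the full 64-bit pointer, but the caller trusts the
 * int prototype, keeps only the low 32 bits, and then passes that value on
 * (in zm_info_gd, to a "%s" conversion) as if it were still a pointer.  At
 * the C level such a round-trip is implementation-defined; on x86-64 the
 * observable result is that the high 32 bits are replaced by zeros, which
 * is what this model reproduces.  Addresses are modelled as uint64_t so the
 * demonstration behaves the same on any host.
 */
static uint64_t truncate_through_int(uint64_t real_pointer)
{
    uint32_t seen_as_int = (uint32_t)real_pointer;   /* caller reads an int */
    return (uint64_t)seen_as_int;                    /* and widens it again */
}

/* Returns 1 if the address survives the int round-trip unchanged, 0 if the
 * caller would dereference a different (almost certainly unmapped) address.
 * Every address below 4 GiB survives, which is why a 32-bit build cannot hit
 * this and why the report says all 64-bit systems crash here. */
static int survives_int_roundtrip(uint64_t real_pointer)
{
    return truncate_through_int(real_pointer) == real_pointer;
}

/* Constructed sample input: the fmt address from frame #1 of the backtrace
 * in this report, used purely as an example of a typical x86-64 shared
 * library address. */
#define SAMPLE_LIB_ADDRESS UINT64_C(0x7f9964f364d0)

int main(void)
{
    uint64_t mangled = truncate_through_int(SAMPLE_LIB_ADDRESS);

    printf("this host: sizeof(int)=%zu sizeof(const char*)=%zu\n",
           sizeof(int), sizeof(const char *));
    printf("real pointer      0x%016" PRIx64 "\n", SAMPLE_LIB_ADDRESS);
    printf("after int return  0x%016" PRIx64 " -> %s\n", mangled,
           survives_int_roundtrip(SAMPLE_LIB_ADDRESS)
               ? "intact"
               : "truncated; strlen() on it faults, as in the backtrace");
    return 0;
}
```

The defender-side check this bug called for is a compiler setting rather than a runtime test: a body that returns string literals from a function declared `int` is a pointer-to-integer conversion, which GCC and Clang report under `-Wint-conversion`; building with `-Werror=int-conversion` makes a gd_compat.c like the original fail to compile instead of shipping a prototype that only breaks once an address exceeds 32 bits.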

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#540367; Package php5-gd. (Sat, 08 Aug 2009 16:42:09 GMT) (full text, mbox, link).


Acknowledgement sent to th@drillich.com:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 08 Aug 2009 16:42:09 GMT) (full text, mbox, link).


Message #15 received at 540367@bugs.debian.org (full text, mbox, reply):

From: Thomas Drillich <th@drillich.com>
To: 540367@bugs.debian.org
Subject: Bug#540367
Date: Sat, 8 Aug 2009 18:36:57 +0200
I'd registered this bug on http://bugs.php.net/bug.php?id=49193 too

-- 
with kind regards -- regards

Thomas Drillich




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#540367; Package php5-gd. (Sun, 09 Aug 2009 01:18:03 GMT) (full text, mbox, link).


Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sun, 09 Aug 2009 01:18:03 GMT) (full text, mbox, link).


Message #20 received at 540367@bugs.debian.org (full text, mbox, reply):

From: sean finney <seanius@debian.org>
To: th@drillich.com, 540367@bugs.debian.org
Subject: Re: [php-maint] Bug#540367:
Date: Sat, 8 Aug 2009 22:08:00 +0200
[Message part 1 (text/plain, inline)]
hi thomas,

On Sat, Aug 08, 2009 at 06:36:57PM +0200, Thomas Drillich wrote:
> I'd registered this bug on http://bugs.php.net/bug.php?id=49193 too

thanks for the extra investigation.  i'm on vacation right now but when i'm
back i'll make sure that a fix gets in (or an updated 5.3 release if they
do one during this time which sounds likely).


	sean
[signature.asc (application/pgp-signature, inline)]

Set Bug forwarded-to-address to 'http://bugs.php.net/bug.php?id=49193'. Request was from Sean Finney <seanius@debian.org> to control@bugs.debian.org. (Sun, 09 Aug 2009 01:18:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#540367; Package php5-gd. (Mon, 10 Aug 2009 13:30:02 GMT) (full text, mbox, link).


Acknowledgement sent to th@drillich.com:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 10 Aug 2009 13:30:02 GMT) (full text, mbox, link).


Message #27 received at 540367@bugs.debian.org (full text, mbox, reply):

From: Thomas Drillich <th@drillich.com>
To: 540367@bugs.debian.org
Subject: Fwd: Bug #49193 [Opn->Csd]: gd_compat > gdJpegGetVersionString should return const char* not int
Date: Mon, 10 Aug 2009 15:25:46 +0200
[Message part 1 (text/plain, inline)]
Hi,

The bug should be fixed after an SVN update of the PHP source in Debian.

----------  Forwarded message  ----------

Subject: Bug #49193 [Opn->Csd]: gd_compat > gdJpegGetVersionString should return const char* not int
Date: Sunday 09 August 2009
From: PHP Bug Database <php-bugs@lists.php.net>
To: th@drillich.com

ATTENTION! Do NOT reply to this email!
To reply, use the web interface found at
http://bugs.php.net/?id=49193&edit=2


 ID:               49193
 Updated by:       iliaa@php.net
 Reported By:      th at drillich dot com
-Status:           Open
+Status:           Closed
 Bug Type:         GD related
 Operating System: All 64Bit systems
 PHP Version:      5.3.0
 New Comment:

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.




Previous Comments:
------------------------------------------------------------------------

[2009-08-09 13:16:21] svn@php.net

Automatic comment from SVN on behalf of iliaa
Revision: http://svn.php.net/viewvc/?view=revision&revision=286949
Log: MFB: Fixed bug #49193 (gdJpegGetVersionString() inside gd_compact
identifies wrong type in declaration)

------------------------------------------------------------------------

[2009-08-09 13:15:46] svn@php.net

Automatic comment from SVN on behalf of iliaa
Revision: http://svn.php.net/viewvc/?view=revision&revision=286948
Log: Fixed bug #49193 (gdJpegGetVersionString() inside gd_compact
identifies wrong type in declaration)

------------------------------------------------------------------------

[2009-08-08 16:49:28] th at drillich dot com

Here's the patch which fixes the bug:

---
php5-5.3.0/ext/gd/libgd/gd_compat.hgdJpegGetVersionString_returnsInt
2009-08-07 19:09:40.000000000 +0200
+++ php5-5.3.0/ext/gd/libgd/gd_compat.h	2009-08-07 19:09:54.000000000
+0200
@@ -8,7 +8,7 @@
 #endif
 
 const char * gdPngGetVersionString();
-int gdJpegGetVersionString();
+const char * gdJpegGetVersionString();
 int gdJpegGetVersionInt();
 int overflow2(int a, int b);
 
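Review bot: the new declaration `const char * gdJpegGetVersionString();` still has an empty parameter list, which in C means "arguments unspecified" rather than "no arguments", so the compiler cannot check call sites; `const char * gdJpegGetVersionString(void);` is the prototype form, and the neighbouring `gdPngGetVersionString()` and `gdJpegGetVersionInt()` lines have the same gap. Because this hunk changes a return type, every object that calls the function (zm_info_gd in gd.c, per the backtrace) has to be rebuilt against the updated header; a stale caller compiled with the old `int` prototype would keep truncating the returned pointer and crash in strlen() exactly as before.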
---
php5-5.3.0/ext/gd/libgd/gd_compat.c.gdJpegGetVersionString_returnsInt
2009-08-07 19:09:07.000000000 +0200
+++ php5-5.3.0/ext/gd/libgd/gd_compat.c	2009-08-07 19:10:11.000000000
+0200
@@ -14,7 +14,7 @@
 	return JPEG_LIB_VERSION;
 }
 
-int gdJpegGetVersionString()
+const char * gdJpegGetVersionString()
 {
 	switch(JPEG_LIB_VERSION) {
 		case 62:
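Review bot: the definition now matches the header, but the hunk stops at `case 62:` and does not show the `return` statements that follow; if those return string literals, then under the previous `int` type they were pointer-to-integer conversions that the compiler warns about, so the rebuilt gd_compat.c should be confirmed free of that warning. The `switch` also needs a `default` that yields a non-NULL string, since zm_info_gd feeds the result straight to a `%s` conversion, where NULL would fault in strlen() just as the truncated pointer did. As in the header, `gdJpegGetVersionString(void)` would be the prototype form.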

------------------------------------------------------------------------

[2009-08-07 17:14:16] th at drillich dot com

Description:
------------
In gd_compat.[hc]

gdJpegGetVersionString() is declared as returning int, not const
char*, but sizeof(int) != sizeof(const char*) on some systems; here,
sizeof(int) == 4 and sizeof(const char*) == 8.

This causes a segfault on phpinfo().
cu thomas

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f996e9c3740 (LWP 17235)]
strlen () at ../sysdeps/x86_64/strlen.S:48
48      ../sysdeps/x86_64/strlen.S: No such file or directory.
        in ../sysdeps/x86_64/strlen.S
Current language:  auto; currently asm
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:48
#1  0x00007f9969a207c8 in format_converter (odp=0x7fff76a001f0,
fmt=0x7f9964f364d0 "s", ap=0x7fff76a00150) at
src/php5/php5-5.3.0/main/snprintf.c:964
#2  0x00007f9969a213ac in strx_printv (ccp=0x7fff76a0020c,
buf=0x7f996e9c36f0 "(X\206n\231\177", len=1990197800,
format=0x7f9964f364cf "%s", ap=0x0)
    at src/php5/php5-5.3.0/main/snprintf.c:1211
#3  0x00007f9969a21554 in ap_php_snprintf (buf=0x7fff76a002db "",
len=1855731440, format=0x0) at
src/php5/php5-5.3.0/main/snprintf.c:1256
#4  0x00007f9964f32b44 in zm_info_gd (zend_module=0x13c2bb0) at
src/php5/php5-5.3.0/ext/gd/gd.c:1296
#5  0x00007f99699c06e0 in _display_module_info_func
(module=0x64f37878) at src/php5/php5-5.3.0/ext/standard/info.c:123
#6  0x00007f9969a7c6d5 in zend_hash_apply (ht=0x7fff76a00520,
apply_func=0x7f99699c06d0 <_display_module_info_func>)
    at src/php5/php5-5.3.0/Zend/zend_hash.c:673
#7  0x00007f99699c1a5a in php_print_info (flag=32767) at
src/php5/php5-5.3.0/ext/standard/info.c:903
#8  0x00007f99699c1e61 in zif_phpinfo (ht=1693677688,
return_value=0x130f858, return_value_ptr=0x7fff76a00228,
this_ptr=0x0, return_value_used=-16843009)
    at src/php5/php5-5.3.0/ext/standard/info.c:1217
#9  0x00007f9969ac1e5b in zend_do_fcall_common_helper_SPEC
(execute_data=0x7f996a17c580) at
src/php5/php5-5.3.0/Zend/zend_vm_execute.h:313
#10 0x00007f9969a9b299 in execute (op_array=0x130eea8) at
src/php5/php5-5.3.0/Zend/zend_vm_execute.h:104
#11 0x00007f9969a700c1 in zend_execute_scripts (type=0,
retval=0x7fff76a00770, file_count=3) at
src/php5/php5-5.3.0/Zend/zend.c:1188
#12 0x00007f9969a1c805 in php_execute_script (primary_file=Cannot
access memory at address 0x8000769ff690
) at src/php5/php5-5.3.0/main/main.c:2196
#13 0x00007f9969afa775 in php_handler (r=0x43c055) at
src/php5/php5-5.3.0/sapi/apache2handler/sapi_apache2.c:663
#14 0x000000000043b8d3 in ap_run_handler ()
#15 0x000000000043ee9f in ap_invoke_handler ()
#16 0x000000000044c11e in ap_process_request ()
#17 0x0000000000449158 in ?? ()
#18 0x0000000000442dd3 in ap_run_process_connection ()
#19 0x0000000000450720 in ?? ()
#20 0x0000000000450a38 in ?? ()
#21 0x0000000000451050 in ap_mpm_run ()
#22 0x0000000000428425 in main ()
(gdb)



------------------------------------------------------------------------




-------------------------------------------------------------
-- 
with kind regards -- regards

Thomas Drillich
Heugasse 4 / D-55116 Mainz / Germany
fon +49 (0)6131 570 26 21
fax +49 (0)180 506 033 437 443
th@drillich.com
[Bug #49193 [Opn->Csd]: gd_compat > gdJpegGetVersionString should return const char* not int (text/plain, inline)]

Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 10 Aug 2009 13:39:31 GMT) (full text, mbox, link).


Reply sent to Raphael Geissert <atomo64@gmail.com>:
You have taken responsibility. (Mon, 11 Jan 2010 19:09:13 GMT) (full text, mbox, link).


Notification sent to "Th. Drillich" <th@drillich.com>:
Bug acknowledged by developer. (Mon, 11 Jan 2010 19:09:13 GMT) (full text, mbox, link).


Message #34 received at 540367-done@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <atomo64@gmail.com>
To: 540367-done@bugs.debian.org
Subject: Re: Bug#540367: gd type issue
Date: Mon, 11 Jan 2010 13:00:18 -0600
Source: php5
Source-Version: 5.3.1-1

Hi,

PHP 5.3.1 which fixes this issue has recently been uploaded to
experimental. I'm therefore closing this report.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Feb 2010 07:41:58 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 03:06:48 2023; Machine Name: bembo
