When an user tries to upload a wrongly dimensioned avatar (= its dimension are outside min/max width/height ranged), phpBB still delete the previous avatar file (in /images/avatars/upload).
Moreover, phpBB doesn't delete the record in the database (phpbb_users), resulting a 404 error image. Most of the time, the affected user won't see it because its browser cached the file, but the other users will see a 404 error instead of its avatar.
Step to reproduces from a fresh phpBB installation: upload a correct avatar (90x90 px), then a wrong one with the same extension (95x95px for example): the avatar will be deleted from the disk. You need to clear the browser cache to see the 404 error, as the browser will display the cached image by default.
I carefully read and tested the phpbb/avatar/driver/upload.php file, and it looks that :
– If the file size is wrong, $file->error (line 170) isn't empty and the code quits (line 174) without overriding the existing avatar;
– But the dimensions are tested "too late" (during $file->move_file, line 227), so the old avatar is overridden (if the extensions are the same); then, the file is removed line 234. The database isn't updated (there is still a record of an avatar).