php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #62564 Extending MessageFormatter and adding property causes crash
Submitted: 2012-07-14 12:34 UTC Modified: 2012-07-14 14:59 UTC
From: franssen dot roland at gmail dot com Assigned: stas (profile)
Status: Closed Package: I18N and L10N related
PHP Version: 5.4.4 OS: Ubuntu
Private report: No CVE-ID: None
 [2012-07-14 12:34 UTC] franssen dot roland at gmail dot com
Description:
------------
I get an HTTP Aborted status code when accessing a property defined in a subclass of \MessageFormatter. It's really weird behavior.. please see the test scripts.

Test script:
---------------
<?php
namespace Foo;
class Test1 extends \MessageFormatter { }
class Test2 extends \MessageFormatter { public $foo = 'foo'; }
class MessageFormatter extends \MessageFormatter {
    //public $foo = 'foo';
}
$test1 = new Test1('en_US', '{0}');
$test2 = new Test2('en_US', '{0}');

// CASE 1
var_dump($test1);

// CASE 2
var_dump($test2);

// CASE 3
var_dump($test1->getPattern(), $test2->getPattern());

// CASE 4
var_dump($test2->foo);

Expected result:
----------------
// CASE 1
object(Foo\Test1)#1 (0) { } 

// CASE 2
object(Foo\Test2)#1 (0) { } 

// CASE 3
string(3) "{0}" string(3) "{0}" 

// CASE 4
string(3) "foo"

Actual result:
--------------
// CASE 1
object(Foo\Test1)#1 (0) { } 

// CASE 2
HTTP Aborted (Connection was reinitialized)

// CASE 3
string(3) "{0}" string(3) "{0}" 

// CASE 4
HTTP Aborted (Connection was reinitialized)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-07-14 13:44 UTC] felipe@php.net
Here's a minimal test case and backtrace:

<?php

class Test extends MessageFormatter { public $foo = 'foo'; /* <- causes the crash */ }
$test = new Test('en_US', '{0}');
var_dump($test);

?>

Program received signal SIGSEGV, Segmentation fault.
0x00000000008a9a1f in rebuild_object_properties (zobj=0x7ffff7fd4af8) at /home/felipe/dev/php-src/Zend/zend_object_handlers.c:71
71					    zobj->properties_table[prop_info->offset]) {
(gdb) p pos
$12 = (HashPosition) 0x7ffff7fd5230
(gdb) p *pos
$13 = {h = 6385231017, nKeyLength = 4, pData = 0x7ffff7fd52d8, pDataPtr = 0x0, pListNext = 0x0, pListLast = 0x0, pNext = 0x0, pLast = 0x0, arKey = 0x7ffff7fd5278 "foo"}
(gdb) p prop_info->offset
$14 = 0
(gdb) p zobj->properties_table
$15 = (zval **) 0x0
 [2012-07-14 13:44 UTC] felipe@php.net
-Summary: Apache crashes with subclass of \MessageFormatter +Summary: Extending MessageFormatter and adding property causes crash -Status: Open +Status: Assigned -Package: Apache2 related +Package: I18N and L10N related -Assigned To: +Assigned To: stas
 [2012-07-14 14:38 UTC] felipe@php.net
Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8b093dee214c1bf02e06eddf512c4a11ed028b3a
Log: - Fixed bug #62564 (Extending MessageFormatter and adding property causes crash)
 [2012-07-14 14:59 UTC] felipe@php.net
-Status: Assigned +Status: Closed
 [2012-07-14 14:59 UTC] felipe@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

I've fixed this case, but as this crash wasn't caused by a particular issue in Intl, I've tested across other PHP classes (using my fuzzer) and found the similar issues. I'll open a new bug report about them.

Thanks.
 [2014-10-07 23:23 UTC] stas@php.net
Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=8b093dee214c1bf02e06eddf512c4a11ed028b3a
Log: - Fixed bug #62564 (Extending MessageFormatter and adding property causes crash)
 [2014-10-07 23:34 UTC] stas@php.net
Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=8b093dee214c1bf02e06eddf512c4a11ed028b3a
Log: - Fixed bug #62564 (Extending MessageFormatter and adding property causes crash)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Oct 31 23:01:28 2024 UTC