[2016-11-04 03:06 UTC] stas@php.net
-PHP Version: 7.0.12
+PHP Version: 5.6.27
[2016-11-04 06:01 UTC] stas@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: stas
[2016-11-04 06:01 UTC] stas@php.net
[2016-11-11 12:50 UTC] nguyenluan dot vnn at gmail dot com
-Status: Closed
+Status: Assigned
-PHP Version: 5.6.27
+PHP Version: 7.0.13
[2016-11-11 12:50 UTC] nguyenluan dot vnn at gmail dot com
[2016-11-11 12:51 UTC] nguyenluan dot vnn at gmail dot com
-Status: Assigned
+Status: Open
[2016-11-11 12:51 UTC] nguyenluan dot vnn at gmail dot com
[2016-11-14 11:44 UTC] nguyenluan dot vnn at gmail dot com
-Status: Open
+Status: Closed
[2016-11-14 11:44 UTC] nguyenluan dot vnn at gmail dot com
Description:
------------
In function locale_get_keywords:

PHP_FUNCTION( locale_get_keywords )
{
    UEnumeration* e = NULL;
    UErrorCode status = U_ZERO_ERROR;
    ...
    ...
    /* Get the keywords */
    e = uloc_openKeywords( loc_name, &status ); // crash here when loc_name larger than 2Gb
    if( e != NULL )
    ...
    ...
}

If "loc_name" is larger than 2Gb PHP 7 will crash.

Test script:
---------------
<?php
ini_set('memory_limit', -1);
$str = str_repeat('a', 0x8ff00000);
locale_get_keywords($str);
?>

Expected result:
----------------
No crash.

Actual result:
--------------
gdb-peda$ r ../test/string/test_collator_sort.php
Starting program: /home/user/Desktop/php-7.0.12/sapi/cli/php ../test/string/test_collator_sort.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x61 ('a')
RBX: 0x0
RCX: 0x7fffffffa510 --> 0x7fff5b800018 ('a' <repeats 200 times>...)
RDX: 0x20 (' ')
RSI: 0x0
RDI: 0x61 ('a')
RBP: 0x0
RSP: 0x7fffffffa4c0 --> 0x7fff00616161
RIP: 0x7ffff4351327 (<ulocimp_getLanguage_55+183>: mov BYTE PTR [r15],al)
R8 : 0xffff
R9 : 0x7fffffffa524 --> 0xf42ccd2800000000
R10: 0x672
R11: 0x7ffff4351860 (<uloc_openKeywords_55>: push r12)
R12: 0x7fffffffa510 --> 0x7fff5b800018 ('a' <repeats 200 times>...)
R13: 0x80000000
R14: 0x7fffdb800018 ('a' <repeats 200 times>...)
R15: 0x80000000
EFLAGS: 0x10a12 (carry parity ADJUST zero sign trap INTERRUPT direction OVERFLOW)
[-------------------------------------code-------------------------------------]
   0x7ffff435131c <ulocimp_getLanguage_55+172>: jle 0x7ffff43512f0 <ulocimp_getLanguage_55+128>
   0x7ffff435131e <ulocimp_getLanguage_55+174>: call 0x7ffff436b2d0 <uprv_asciitolower_55>
   0x7ffff4351323 <ulocimp_getLanguage_55+179>: cmp r13d,0x2
=> 0x7ffff4351327 <ulocimp_getLanguage_55+183>: mov BYTE PTR [r15],al
   0x7ffff435132a <ulocimp_getLanguage_55+186>: jg 0x7ffff43512f6 <ulocimp_getLanguage_55+134>
   0x7ffff435132c <ulocimp_getLanguage_55+188>: movsx edi,BYTE PTR [r14]
   0x7ffff4351330 <ulocimp_getLanguage_55+192>: call 0x7ffff436b2d0 <uprv_asciitolower_55>
   0x7ffff4351335 <ulocimp_getLanguage_55+197>: movsxd rdx,r13d
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa4c0 --> 0x7fff00616161
0008| 0x7fffffffa4c8 --> 0x53debe1001879100
0016| 0x7fffffffa4d0 --> 0x8b5b800000
0024| 0x7fffffffa4d8 --> 0x7fff5b800018 ('a' <repeats 200 times>...)
0032| 0x7fffffffa4e0 --> 0x7fffffffa704 --> 0x0
0040| 0x7fffffffa4e8 --> 0x447580 (<_start>: xor ebp,ebp)
0048| 0x7fffffffa4f0 --> 0x7fffffffe1a0 --> 0x2
0056| 0x7fffffffa4f8 --> 0x7fffebc14030 --> 0x7fffebc82160 --> 0xad8472 (<ZEND_DO_ICALL_SPEC_HANDLER>: push rbp)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff4351327 in ulocimp_getLanguage_55 () from /usr/lib/x86_64-linux-gnu/libicuuc.so.55
gdb-peda$ bt
#0  0x00007ffff4351327 in ulocimp_getLanguage_55 () from /usr/lib/x86_64-linux-gnu/libicuuc.so.55
#1  0x00007ffff43518ed in uloc_openKeywords_55 () from /usr/lib/x86_64-linux-gnu/libicuuc.so.55
#2  0x00000000006ee9e3 in zif_locale_get_keywords (execute_data=0x7fffebc140e0, return_value=0x7fffebc140d0) at /home/user/Desktop/php-7.0.12/ext/intl/locale/locale_methods.c:721
#3  0x0000000000ad8506 in ZEND_DO_ICALL_SPEC_HANDLER () at /home/user/Desktop/php-7.0.12/Zend/zend_vm_execute.h:586
#4  0x0000000000ad7f32 in execute_ex (ex=0x7fffebc14030) at /home/user/Desktop/php-7.0.12/Zend/zend_vm_execute.h:414
#5  0x0000000000ad8043 in zend_execute (op_array=0x7fffebc81000, return_value=0x0) at /home/user/Desktop/php-7.0.12/Zend/zend_vm_execute.h:458
#6  0x0000000000a78cfc in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3) at /home/user/Desktop/php-7.0.12/Zend/zend.c:1427
#7  0x00000000009e11d5 in php_execute_script (primary_file=0x7fffffffce20) at /home/user/Desktop/php-7.0.12/main/main.c:2494
#8  0x0000000000b412f8 in do_cli (argc=0x2, argv=0x14a6630) at /home/user/Desktop/php-7.0.12/sapi/cli/php_cli.c:974
#9  0x0000000000b424c6 in main (argc=0x2, argv=0x14a6630) at /home/user/Desktop/php-7.0.12/sapi/cli/php_cli.c:1344
#10 0x00007ffff38b3830 in __libc_start_main (main=0xb41cbb <main>, argc=0x2, argv=0x7fffffffe198, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe198) at ../csu/libc-start.c:291
#11 0x00000000004475a9 in _start ()
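
One way to guard a call like the one in the report, as an added example that is not code from the report or from PHP: a length-counted string is validated before it reaches an API that expects a short NUL-terminated locale ID (ICU's C API counts lengths in int32_t). EXAMPLE_MAX_LOCALE_LEN, the function names and the stub standing in for the library call are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed cap for this example (not from the bug report): far below
 * INT32_MAX, far above any real locale ID. */
#define EXAMPLE_MAX_LOCALE_LEN 156

typedef enum { LOC_OK = 0, LOC_TOO_LONG, LOC_EMBEDDED_NUL } loc_status;

/* What a 32-bit length field sees when handed a 64-bit string length. */
static int32_t narrow_len(size_t len) {
    return (int32_t)(uint32_t)len;
}

/* Validate a length-counted string before it is passed on. The length is
 * checked first, so an oversized buffer is never scanned. */
static loc_status check_locale_arg(const char *s, size_t len) {
    if (len > EXAMPLE_MAX_LOCALE_LEN)
        return LOC_TOO_LONG;
    if (memchr(s, '\0', len) != NULL)   /* counted length != C string length */
        return LOC_EMBEDDED_NUL;
    return LOC_OK;
}

/* Hypothetical stand-in for the library call: counts "key=value" pairs. */
static int stub_count_keywords(const char *loc) {
    int n = 0;
    for (; *loc; loc++)
        if (*loc == '=') n++;
    return n;
}

/* Guarded wrapper: keyword count, or -1 when the argument is rejected. */
static int guarded_get_keywords(const char *s, size_t len) {
    if (check_locale_arg(s, len) != LOC_OK)
        return -1;
    return stub_count_keywords(s);
}

int main(void) {
    /* Constructed inputs: the length used by the test script (no 2 GB
     * buffer is needed, the length alone is rejected) and a valid ID. */
    const char *ok = "de_DE@currency=EUR;collation=phonebook";
    int rejected = guarded_get_keywords("a", (size_t)0x8ff00000u) == -1;
    return (rejected && guarded_get_keywords(ok, strlen(ok)) == 2) ? 0 : 1;
}
```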