Bug #74484 MessageFormatter::formatMessage memory corruption with 11+ named placeholders
Submitted: 2017-04-21 04:50 UTC Modified: -
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: geoffreyj dot lee at gmail dot com Assigned:
Status: Closed Package: intl (PECL)
PHP Version: 7.0.18 OS: CentOS 7
Private report: No CVE-ID: None

 [2017-04-21 04:50 UTC] geoffreyj dot lee at gmail dot com
Description:
------------
I am using:
- PHP 7.0.18 (installed from yum http://rpms.remirepo.net/enterprise/7/php70/mirror)
- ICU 50.1.2
- libc 2.17

Running the below test script in PHP cli produces the following error:

*** Error in `php': free(): invalid next size (fast): 0x00007f40b0c6dd50 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7c503)[0x7f40abff8503]
/lib64/libicui18n.so.50(_ZN6icu_5013MessageFormatD1Ev+0x42)[0x7f409e029312]
/lib64/libicui18n.so.50(_ZN6icu_5013MessageFormatD0Ev+0x9)[0x7f409e029379]
/usr/lib64/php/modules/intl.so(+0x2fcb7)[0x7f409e3bacb7]
/usr/lib64/php/modules/intl.so(+0x301e8)[0x7f409e3bb1e8]
php(+0x2cc29b)[0x7f40af8f429b]
php(execute_ex+0x1b)[0x7f40af8b56db]
php(zend_execute+0x1af)[0x7f40af8fffaf]
php(zend_execute_scripts+0xc3)[0x7f40af8765e3]
php(php_execute_script+0x2d8)[0x7f40af816658]
php(+0x2d9c18)[0x7f40af901c18]
php(+0xd092a)[0x7f40af6f892a]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f40abf9db35]
php(+0xd09c5)[0x7f40af6f89c5]
Aborted (core dumped)


Test script:
---------------
<?php
$text = "{a}{b}{c}{d}{e}{f}{g}{h}{i}{j}{k}{l}";

$vars = array(
  'a' => 1,
  'b' => 2,
  'c' => 3,
  'd' => 4,
  'e' => 5,
  'f' => 6,
  'g' => 7,
  'h' => 8,
  'i' => 9,
  'j' => 10,
  'k' => 11,
  'l' => 12
);

echo MessageFormatter::formatMessage('en_US', $text, $vars);
?>


History

 [2018-08-09 20:10 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=45a05f38410d4a67c8c83c09906e2cfb42fc6e4c
Log: Fixed bug #74484 MessageFormatter::formatMessage memory corruption
 [2018-08-09 20:10 UTC] ab@php.net
-Status: Open +Status: Closed
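
The following is an added example, not part of the report or of php-src: a catalog audit that flags message patterns meeting the condition in the report title, so they can be reviewed before they are formatted on an intl build that predates the fix commit above. The function names, the sample catalog, and the simplified parsing of ICU pattern syntax are assumptions; the threshold of 11 is taken from the title.

```php
<?php
// Added example, not php-src code. Simplified reading of ICU pattern syntax.
const NAMED_ARG_THRESHOLD = 11; // from the report title: "11+ named placeholders"
// Return the distinct named (non-numeric) arguments used anywhere in a pattern.
function namedPlaceholders(string $p): array {
    $names = [];
    $stack = ['msg']; // msg = message text, nested = plural/select style, opaque = other
    for ($i = 0, $n = strlen($p); $i < $n && $stack; $i++) {
        $c = $p[$i];
        $ctx = end($stack);
        if ($c === '}') {
            array_pop($stack);                  // closes an argument or a sub-message
        } elseif ($c === '{' && $ctx !== 'msg') {
            $stack[] = $ctx === 'nested' ? 'msg' : 'opaque';
        } elseif ($c === '{') {                 // argument start: "{name[, type ..."
            preg_match('/\G\{\s*([^,{}\s]*)\s*(?:,\s*(\w+))?/', $p, $m, 0, $i);
            if ($m[1] !== '' && !ctype_digit($m[1])) {
                $names[$m[1]] = true;           // named, not positional
            }
            $type = strtolower($m[2] ?? '');
            $stack[] = in_array($type, ['plural', 'select', 'selectordinal'], true)
                ? 'nested' : 'opaque';
            $i += strlen($m[0]) - 1;            // resume right after the name/type
        } elseif ($c === "'" && $ctx === 'msg') {
            $next = $p[$i + 1] ?? '';
            if ($next === "'") {
                $i++;                           // '' is a literal apostrophe
            } elseif ($next === '{' || $next === '}') {
                $end = strpos($p, "'", $i + 2); // quoted literal holds no arguments
                $i = $end === false ? $n : $end;
            }
        }
    }
    return array_keys($names);
}

// Return the ids of catalog entries that reach the threshold.
function auditCatalog(array $catalog): array {
    return array_keys(array_filter($catalog, function (string $pattern): bool {
        return count(namedPlaceholders($pattern)) >= NAMED_ARG_THRESHOLD;
    }));
}

// Constructed sample catalog; 'report' is the pattern from the test script above.
$catalog = [
    'report' => '{a}{b}{c}{d}{e}{f}{g}{h}{i}{j}{k}{l}',
    'plural' => '{n, plural, one {# file for {user}} other {# files for {user}}}',
    'quoted' => "literal '{x}' then {0} and {name}",
];
print_r(auditCatalog($catalog)); // only 'report' (12 named arguments) is flagged
```

The scan only parses pattern strings and never calls MessageFormatter, so it is safe to run on an affected build.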
 
Last updated: Sat Nov 23 09:01:28 2024 UTC