PHP :: Bug #72406 :: msgfmt_format fails to evaluate a long string.

Bug #72406

msgfmt_format fails to evaluate a long string.

Submitted:

2016-06-14 15:23 UTC

Modified:

2021-06-18 09:27 UTC

Votes:	3
Avg. Score:	3.7 ± 0.9
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

mythu at achievers dot com

Assigned:

stas (profile)

Status:

Closed

Package:

intl (PECL)

PHP Version:

5.6.22

OS:

linux

Private report:

CVE-ID:

None

View Developer Edit

[2016-06-14 15:23 UTC] mythu at achievers dot com

Description:
------------
---
From manual page: http://www.php.net/class.messageformatter
---


Test script:
---------------
In our application, we eventually pass a large string like: 
$str = "crwdns213084:0{1}crwdnd213084:0{2}crwdnd213084:0{3}crwdnd213084:0{1}crwdnd213084:0{2}crwdnd213084:0{3}crwdnd213084:0{1}crwdnd213084:0{2}crwdnd213084:0{3}crwdnd213084:0{1}crwdnd213084:0{2}crwdnd213084:0{3}crwdnd213084:0{1}crwdnd213084:0{2}crwdnd213084:0{3}crwdnd213084:0{1}crwdnd213084:0{2}crwdnd213084:0{3}crwdne213084:0";
$locale = "ar-SA";
$args = [0,1,2,3];

Into: 
        $msg = msgfmt_create($locale, $str);
        $output = msgfmt_format($msg, $args);

And after it executes msgfmt_format() it dies.


Expected result:
----------------
Be able to handle a large string as shown.

Actual result:
--------------
[Tue Jun 14 10:23:32.347583 2016] [core:notice] [pid 2478] AH00052: child pid 11871 exit signal Aborted (6)
*** Error in `/usr/sbin/httpd': corrupted double-linked list: 0x00007f51492e52e0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7bd95)[0x7f5144df8d95]
/lib64/libc.so.6(+0x7cf06)[0x7f5144df9f06]
/lib64/libicuuc.so.50(_ZN6icu_507UMemorydlEPv+0xe)[0x7f5132e9682e]
/lib64/libicuuc.so.50(uhash_close_50+0x7b)[0x7f5132e9c37b]
/lib64/libicui18n.so.50(_ZN6icu_5013MessageFormatD1Ev+0x1e)[0x7f51332572ee]
/lib64/libicui18n.so.50(_ZN6icu_5013MessageFormatD0Ev+0x9)[0x7f5133257379]
/usr/lib64/php/modules/intl.so(+0x2d2a7)[0x7f51335e62a7]
/usr/lib64/php/modules/intl.so(+0x2ce82)[0x7f51335e5e82]
/etc/httpd/modules/libphp5.so(zend_objects_store_del_ref_by_handle_ex+0x29c)[0x7f513b08880c]
/etc/httpd/modules/libphp5.so(zend_objects_store_del_ref+0x13)[0x7f513b088833]
/etc/httpd/modules/libphp5.so(+0x319315)[0x7f513b0ff315]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]
/etc/httpd/modules/libphp5.so(+0x31d219)[0x7f513b103219]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]
/etc/httpd/modules/libphp5.so(+0x31d219)[0x7f513b103219]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]
/etc/httpd/modules/libphp5.so(+0x31d219)[0x7f513b103219]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]
/etc/httpd/modules/libphp5.so(+0x31d219)[0x7f513b103219]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]
/etc/httpd/modules/libphp5.so(+0x31d219)[0x7f513b103219]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]
/etc/httpd/modules/libphp5.so(+0x31ba6b)[0x7f513b101a6b]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]
/etc/httpd/modules/libphp5.so(+0x31ba6b)[0x7f513b101a6b]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]
/etc/httpd/modules/libphp5.so(+0x31b420)[0x7f513b101420]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]

Patches

dhhqbmad (last revision 2016-07-07 07:33 UTC by sample at email dot tst)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-06-14 18:49 UTC] stas@php.net

This looks like a bug in ICU4C :( Looking at the code here:
http://source.icu-project.org/repos/icu/icu/tags/release-57-1/source/i18n/msgfmt.cpp

in method getFormats the array is allocated to match argTypesCount, or 10, whichever is larger, but the number of actual fields is defined not by count of types but by count of actual arguments. So, if you have more than 10 arguments but less than 10 different types it would write to unallocated memory.

[2016-06-14 19:24 UTC] stas@php.net

-Assigned To: +Assigned To: stas

[2016-06-14 19:24 UTC] stas@php.net

Filed an issue with ICU: http://bugs.icu-project.org/trac/ticket/12584

For now, the best mitigation would be to split the format string into pieces that have less up to 10 pattern instances. I'll think how we can mitigate this in PHP.... seems to be hard as it's a pretty basic ICU function.

[2016-09-18 20:47 UTC] stas@php.net

Related To: Bug #73107

[2016-09-19 00:35 UTC] stas@php.net

Related To: Bug #73106

[2021-06-18 09:27 UTC] cmb@php.net

-Status: Assigned +Status: Closed

[2021-06-18 09:27 UTC] cmb@php.net

The upstream bug is fixed[1] as of ICU 64.1, so this ticket can be
closed.

[1] <https://github.com/unicode-org/icu/commit/a9d219691398f0168150ad5a3e5f381f84ca95df>

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri May 09 05:01:27 2025 UTC