Bug #72406 msgfmt_format fails to evaluate a long string.
Submitted: 2016-06-14 15:23 UTC Modified: 2016-06-14 19:24 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: mythu at achievers dot com Assigned: stas
Status: Assigned Package: intl (PECL)
PHP Version: 5.6.22 OS: linux
Private report: No CVE-ID:

 [2016-06-14 15:23 UTC] mythu at achievers dot com
Description:
------------
---
From manual page: http://www.php.net/class.messageformatter
---


Test script:
---------------
In our application, we eventually pass a large string like: 
// 18 placeholder instances, but only 3 distinct argument indices ({1}, {2}, {3})
$str = "crwdns213084:0{1}crwdnd213084:0{2}crwdnd213084:0{3}crwdnd213084:0{1}crwdnd213084:0{2}crwdnd213084:0{3}crwdnd213084:0{1}crwdnd213084:0{2}crwdnd213084:0{3}crwdnd213084:0{1}crwdnd213084:0{2}crwdnd213084:0{3}crwdnd213084:0{1}crwdnd213084:0{2}crwdnd213084:0{3}crwdnd213084:0{1}crwdnd213084:0{2}crwdnd213084:0{3}crwdne213084:0";
$locale = "ar-SA";
$args = [0, 1, 2, 3];

Into: 
$msg = msgfmt_create($locale, $str);
$output = msgfmt_format($msg, $args);

And after it executes msgfmt_format() it dies.


Expected result:
----------------
Be able to handle a large string as shown.

Actual result:
--------------
[Tue Jun 14 10:23:32.347583 2016] [core:notice] [pid 2478] AH00052: child pid 11871 exit signal Aborted (6)
*** Error in `/usr/sbin/httpd': corrupted double-linked list: 0x00007f51492e52e0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7bd95)[0x7f5144df8d95]
/lib64/libc.so.6(+0x7cf06)[0x7f5144df9f06]
/lib64/libicuuc.so.50(_ZN6icu_507UMemorydlEPv+0xe)[0x7f5132e9682e]
/lib64/libicuuc.so.50(uhash_close_50+0x7b)[0x7f5132e9c37b]
/lib64/libicui18n.so.50(_ZN6icu_5013MessageFormatD1Ev+0x1e)[0x7f51332572ee]
/lib64/libicui18n.so.50(_ZN6icu_5013MessageFormatD0Ev+0x9)[0x7f5133257379]
/usr/lib64/php/modules/intl.so(+0x2d2a7)[0x7f51335e62a7]
/usr/lib64/php/modules/intl.so(+0x2ce82)[0x7f51335e5e82]
/etc/httpd/modules/libphp5.so(zend_objects_store_del_ref_by_handle_ex+0x29c)[0x7f513b08880c]
/etc/httpd/modules/libphp5.so(zend_objects_store_del_ref+0x13)[0x7f513b088833]
/etc/httpd/modules/libphp5.so(+0x319315)[0x7f513b0ff315]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]
/etc/httpd/modules/libphp5.so(+0x31d219)[0x7f513b103219]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]
/etc/httpd/modules/libphp5.so(+0x31d219)[0x7f513b103219]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]
/etc/httpd/modules/libphp5.so(+0x31d219)[0x7f513b103219]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]
/etc/httpd/modules/libphp5.so(+0x31d219)[0x7f513b103219]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]
/etc/httpd/modules/libphp5.so(+0x31d219)[0x7f513b103219]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]
/etc/httpd/modules/libphp5.so(+0x31ba6b)[0x7f513b101a6b]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]
/etc/httpd/modules/libphp5.so(+0x31ba6b)[0x7f513b101a6b]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]
/etc/httpd/modules/libphp5.so(+0x31b420)[0x7f513b101420]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]

Patches

dhhqbmad (last revision 2016-07-07 07:33 UTC) by sample at email dot tst)

History

 [2016-06-14 18:49 UTC] stas@php.net
This looks like a bug in ICU4C :( Looking at the code here:
http://source.icu-project.org/repos/icu/icu/tags/release-57-1/source/i18n/msgfmt.cpp

in method getFormats the array is allocated to match argTypesCount, or 10, whichever is larger, but the number of actual fields is defined not by count of types but by count of actual arguments. So, if you have more than 10 arguments but less than 10 different types it would write to unallocated memory.
 [2016-06-14 19:24 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-06-14 19:24 UTC] stas@php.net
Filed an issue with ICU: http://bugs.icu-project.org/trac/ticket/12584

For now, the best mitigation would be to split the format string into pieces that have up to 10 pattern instances. I'll think about how we can mitigate this in PHP... it seems to be hard as it's a pretty basic ICU function.
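The workaround stas describes, as an added example written for this page (it is not code from the reporter, from stas, or from the intl extension). It assumes patterns that use only simple {N} placeholders with ICU's default apostrophe quoting (no nested plural/select blocks), and the closing call uses a constructed locale (en_US) and a repeated '{1}-{2}-{3} ' pattern with the same shape as the reporter's string (18 placeholder instances, 3 distinct arguments):

```php
<?php
// Added example (not code from the report) of stas's mitigation: cut the
// pattern into pieces of at most 10 placeholder instances, format each piece
// with the full argument array (unreferenced arguments are ignored), then
// concatenate. Assumes simple {N} placeholders and ICU apostrophe quoting.

function splitPatternByPlaceholders($pattern, $maxPerPiece = 10)
{
    $pieces = array();
    $current = '';
    $count = 0;
    $inQuote = false;
    for ($i = 0, $len = strlen($pattern); $i < $len; $i++) {
        $ch = $pattern[$i];
        $next = ($i + 1 < $len) ? $pattern[$i + 1] : '';
        if ($ch === "'" && $next === "'") {          // '' is a literal apostrophe
            $current .= "'";
            $i++;
        } elseif ($ch === "'" && ($inQuote || $next === '{' || $next === '}')) {
            // ICU default quoting: ' opens a quoted run only before { or }
            $inQuote = !$inQuote;
        } elseif ($ch === '{' && !$inQuote) {
            if ($count === $maxPerPiece) {            // piece is full: close it
                $pieces[] = $current;
                $current = '';
                $count = 0;
            }
            $count++;
        }
        $current .= $ch;
    }
    $pieces[] = $current;
    return $pieces;
}

function formatLargePattern($locale, $pattern, array $args)
{
    $out = '';
    foreach (splitPatternByPlaceholders($pattern) as $piece) {
        $fmt = msgfmt_create($locale, $piece);
        $text = $fmt ? msgfmt_format($fmt, $args) : false;
        if ($text === false) {
            throw new RuntimeException('intl error: ' . intl_get_error_message());
        }
        $out .= $text;
    }
    return $out;
}

echo formatLargePattern('en_US', str_repeat('{1}-{2}-{3} ', 6), array(0, 1, 2, 3)), "\n";
```

Each piece reaches ICU with at most 10 placeholder instances, so the getFormats() array sized from max(argTypesCount, 10) is never indexed past its end; the splitter deliberately never cuts inside a quoted run.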
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Fri Jul 28 08:01:47 2017 UTC