php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72406 msgfmt_format fails to evaluate a long string.
Submitted: 2016-06-14 15:23 UTC Modified: 2021-06-18 09:27 UTC
Votes:3
Avg. Score:3.7 ± 0.9
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: mythu at achievers dot com Assigned: stas (profile)
Status: Closed Package: intl (PECL)
PHP Version: 5.6.22 OS: linux
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: mythu at achievers dot com
New email:
PHP Version: OS:

 

 [2016-06-14 15:23 UTC] mythu at achievers dot com
Description:
------------
---
From manual page: http://www.php.net/class.messageformatter
---


Test script:
---------------
In our application, we eventually pass a large string like: 
$str = "crwdns213084:0{1}crwdnd213084:0{2}crwdnd213084:0{3}crwdnd213084:0{1}crwdnd213084:0{2}crwdnd213084:0{3}crwdnd213084:0{1}crwdnd213084:0{2}crwdnd213084:0{3}crwdnd213084:0{1}crwdnd213084:0{2}crwdnd213084:0{3}crwdnd213084:0{1}crwdnd213084:0{2}crwdnd213084:0{3}crwdnd213084:0{1}crwdnd213084:0{2}crwdnd213084:0{3}crwdne213084:0";
$locale = "ar-SA";
$args = [0,1,2,3];

Into: 
        $msg = msgfmt_create($locale, $str);
        $output = msgfmt_format($msg, $args);

And after it executes msgfmt_format() it dies.


Expected result:
----------------
Be able to handle a large string as shown.

Actual result:
--------------
[Tue Jun 14 10:23:32.347583 2016] [core:notice] [pid 2478] AH00052: child pid 11871 exit signal Aborted (6)
*** Error in `/usr/sbin/httpd': corrupted double-linked list: 0x00007f51492e52e0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7bd95)[0x7f5144df8d95]
/lib64/libc.so.6(+0x7cf06)[0x7f5144df9f06]
/lib64/libicuuc.so.50(_ZN6icu_507UMemorydlEPv+0xe)[0x7f5132e9682e]
/lib64/libicuuc.so.50(uhash_close_50+0x7b)[0x7f5132e9c37b]
/lib64/libicui18n.so.50(_ZN6icu_5013MessageFormatD1Ev+0x1e)[0x7f51332572ee]
/lib64/libicui18n.so.50(_ZN6icu_5013MessageFormatD0Ev+0x9)[0x7f5133257379]
/usr/lib64/php/modules/intl.so(+0x2d2a7)[0x7f51335e62a7]
/usr/lib64/php/modules/intl.so(+0x2ce82)[0x7f51335e5e82]
/etc/httpd/modules/libphp5.so(zend_objects_store_del_ref_by_handle_ex+0x29c)[0x7f513b08880c]
/etc/httpd/modules/libphp5.so(zend_objects_store_del_ref+0x13)[0x7f513b088833]
/etc/httpd/modules/libphp5.so(+0x319315)[0x7f513b0ff315]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]
/etc/httpd/modules/libphp5.so(+0x31d219)[0x7f513b103219]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]
/etc/httpd/modules/libphp5.so(+0x31d219)[0x7f513b103219]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]
/etc/httpd/modules/libphp5.so(+0x31d219)[0x7f513b103219]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]
/etc/httpd/modules/libphp5.so(+0x31d219)[0x7f513b103219]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]
/etc/httpd/modules/libphp5.so(+0x31d219)[0x7f513b103219]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]
/etc/httpd/modules/libphp5.so(+0x31ba6b)[0x7f513b101a6b]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]
/etc/httpd/modules/libphp5.so(+0x31ba6b)[0x7f513b101a6b]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]
/etc/httpd/modules/libphp5.so(+0x31b420)[0x7f513b101420]
/etc/httpd/modules/libphp5.so(execute_ex+0x38)[0x7f513b097668]
/usr/lib64/php/modules/xdebug.so(xdebug_execute_ex+0x532)[0x7f5137063f02]

Patches

dhhqbmad (last revision 2016-07-07 07:33 UTC by sample at email dot tst)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-06-14 18:49 UTC] stas@php.net
This looks like a bug in ICU4C :( Looking at the code here:
http://source.icu-project.org/repos/icu/icu/tags/release-57-1/source/i18n/msgfmt.cpp

in method getFormats the array is allocated to match argTypesCount, or 10, whichever is larger, but the number of actual fields is defined not by count of types but by count of actual arguments. So, if you have more than 10 arguments but less than 10 different types it would write to unallocated memory.
 [2016-06-14 19:24 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-06-14 19:24 UTC] stas@php.net
Filed an issue with ICU: http://bugs.icu-project.org/trac/ticket/12584

For now, the best mitigation would be to split the format string into pieces that have less up to 10 pattern instances. I'll think how we can mitigate this in PHP.... seems to be hard as it's a pretty basic ICU function.
 [2021-06-18 09:27 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 [2021-06-18 09:27 UTC] cmb@php.net
The upstream bug is fixed[1] as of ICU 64.1, so this ticket can be
closed.

[1] <https://github.com/unicode-org/icu/commit/a9d219691398f0168150ad5a3e5f381f84ca95df>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Sep 19 12:01:27 2024 UTC