Bug #74484 MessageFormatter::formatMessage memory corruption with 11+ named placeholders
Submitted: 2017-04-21 04:50 UTC Modified: -
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: geoffreyj dot lee at gmail dot com Assigned:
Status: Closed Package: intl (PECL)
PHP Version: 7.0.18 OS: CentOS 7
Private report: No CVE-ID: None
 [2017-04-21 04:50 UTC] geoffreyj dot lee at gmail dot com
Description:
------------
I am using:
- PHP 7.0.18 (installed from yum http://rpms.remirepo.net/enterprise/7/php70/mirror)
- ICU 50.1.2
- libc 2.17

Running the below test script in PHP cli produces the following error:

*** Error in `php': free(): invalid next size (fast): 0x00007f40b0c6dd50 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7c503)[0x7f40abff8503]
/lib64/libicui18n.so.50(_ZN6icu_5013MessageFormatD1Ev+0x42)[0x7f409e029312]
/lib64/libicui18n.so.50(_ZN6icu_5013MessageFormatD0Ev+0x9)[0x7f409e029379]
/usr/lib64/php/modules/intl.so(+0x2fcb7)[0x7f409e3bacb7]
/usr/lib64/php/modules/intl.so(+0x301e8)[0x7f409e3bb1e8]
php(+0x2cc29b)[0x7f40af8f429b]
php(execute_ex+0x1b)[0x7f40af8b56db]
php(zend_execute+0x1af)[0x7f40af8fffaf]
php(zend_execute_scripts+0xc3)[0x7f40af8765e3]
php(php_execute_script+0x2d8)[0x7f40af816658]
php(+0x2d9c18)[0x7f40af901c18]
php(+0xd092a)[0x7f40af6f892a]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f40abf9db35]
php(+0xd09c5)[0x7f40af6f89c5]
Aborted (core dumped)


Test script:
---------------
<?php
$text = "{a}{b}{c}{d}{e}{f}{g}{h}{i}{j}{k}{l}";

$vars = array(
  'a' => 1,
  'b' => 2,
  'c' => 3,
  'd' => 4,
  'e' => 5,
  'f' => 6,
  'g' => 7,
  'h' => 8,
  'i' => 9,
  'j' => 10,
  'k' => 11,
  'l' => 12
);

echo MessageFormatter::formatMessage('en_US', $text, $vars);
?>
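
The following regression sweep is an added example, not part of the original report or of php-src. It runs the report's pattern with 1 to 16 named placeholders, each in a separate child PHP process, so that an abort like the one above is recorded as a failed case instead of ending the run. The function names `buildCase` and `runCase` are hypothetical; it assumes a POSIX shell and the intl extension loaded in the CLI.

```php
<?php
// Added example: sweep the number of named placeholders around the
// threshold named in the bug title and record which counts fail.

function buildCase(int $n): array
{
    // Placeholder names a, b, c, ... as in the report's test script (n <= 26).
    $names = array_slice(range('a', 'z'), 0, $n);
    $pattern = '';
    $vars = [];
    foreach ($names as $i => $name) {
        $pattern .= '{' . $name . '}';
        $vars[$name] = $i + 1;
    }
    return [$pattern, $vars];
}

function runCase(int $n): array
{
    list($pattern, $vars) = buildCase($n);

    // The call under test runs in a child interpreter: a glibc abort
    // kills only the child and shows up here as a non-zero exit status.
    $code = sprintf(
        'echo MessageFormatter::formatMessage("en_US", %s, %s);',
        var_export($pattern, true),
        var_export($vars, true)
    );
    $cmd = escapeshellarg(PHP_BINARY) . ' -r ' . escapeshellarg($code) . ' 2>&1';
    exec($cmd, $output, $exitCode);

    // Values below 1000 format without grouping in en_US, so the
    // expected output is simply the values concatenated.
    $expected = implode('', array_values($vars));

    return [
        'n'    => $n,
        'exit' => $exitCode,
        'ok'   => $exitCode === 0 && implode("\n", $output) === $expected,
    ];
}

for ($n = 1; $n <= 16; $n++) {
    $r = runCase($n);
    printf("%2d placeholders: %s (exit %d)\n", $n, $r['ok'] ? 'ok' : 'FAIL', $r['exit']);
}
```

A clean run does not prove the heap is intact, because glibc only aborts when one of its consistency checks happens to hit the damaged chunk; running the same child command under Valgrind or an AddressSanitizer build gives a more reliable signal.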


 [2018-08-09 20:10 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=45a05f38410d4a67c8c83c09906e2cfb42fc6e4c
Log: Fixed bug #74484 MessageFormatter::formatMessage memory corruption
 [2018-08-09 20:10 UTC] ab@php.net
-Status: Open +Status: Closed
 
Last updated: Mon Dec 17 15:01:27 2018 UTC