Based on the following upstream commits: https://github.com/php/php-src/commit/45a05f38410d4a67c8c83c09906e2cfb42fc6e4c https://github.com/php/php-src/commit/534684d1042978f3c21caf9b665a7aca27f3f325 --- a/ext/intl/msgformat/msgformat_helpers.cpp +++ b/ext/intl/msgformat/msgformat_helpers.cpp @@ -27,6 +27,7 @@ #include #include #include +#include #include @@ -45,6 +46,7 @@ extern "C" { #if U_ICU_VERSION_MAJOR_NUM * 10 + U_ICU_VERSION_MINOR_NUM >= 48 #define HAS_MESSAGE_PATTERN 1 +#define HAS_MISALLOCATE_MEMORY_BUG 1 #endif U_NAMESPACE_BEGIN @@ -345,6 +347,26 @@ static void umsg_set_timezone(MessageFormatter_object *mfo, return; /* already done */ } +#ifdef HAS_MISALLOCATE_MEMORY_BUG + /* There is a bug in ICU which prevents MessageFormatter::getFormats() + to handle more than 10 formats correctly. The enumerator could be + used to walk through the present formatters using getFormat(), which + however seems to provide just a readonly access. This workaround + prevents crash when there are > 10 formats but doesn't set any error. + As a result, only DateFormatters with > 10 subformats are affected. + This workaround should be ifdef'd out, when the bug has been fixed + in ICU. */ + icu::StringEnumeration* fnames = mf->getFormatNames(err.code); + if (!fnames || U_FAILURE(err.code)) { + return; + } + count = fnames->count(err.code); + delete fnames; + if (count > 10) { + return; + } +#endif + formats = mf->getFormats(count); if (formats == NULL) { --- /dev/null +++ b/ext/intl/tests/bug74484_MessageFormatter.phpt @@ -0,0 +1,35 @@ +--TEST-- +Bug #74484 MessageFormatter::formatMessage memory corruption with 11+ named placeholder +--SKIPIF-- + +--FILE-- + 1, + 'b' => 2, + 'c' => 3, + 'd' => 4, + 'e' => 5, + 'f' => 6, + 'g' => 7, + 'h' => 8, + 'i' => 9, + 'j' => 10, + 'k' => 11, + 'l' => 12 +); + +var_dump(MessageFormatter::formatMessage('en_US', $text, $vars)); + +?> +==DONE== +--EXPECT-- +string(26) "1 2 3 4 5 6 7 8 9 10 11 12" +==DONE==