From 45a05f38410d4a67c8c83c09906e2cfb42fc6e4c Mon Sep 17 00:00:00 2001
From: Anatol Belski <ab@php.net>
Date: Thu, 9 Aug 2018 22:07:24 +0200
Subject: Fixed bug #74484 MessageFormatter::formatMessage memory corruption

with 11+ named placeholder
---
 ext/intl/msgformat/msgformat_helpers.cpp | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

(limited to 'ext/intl/msgformat/msgformat_helpers.cpp')

diff --git a/ext/intl/msgformat/msgformat_helpers.cpp b/ext/intl/msgformat/msgformat_helpers.cpp
index ce7899edd9..29956c7ee0 100644
--- a/ext/intl/msgformat/msgformat_helpers.cpp
+++ b/ext/intl/msgformat/msgformat_helpers.cpp
@@ -27,6 +27,7 @@
 #include <unicode/timezone.h>
 #include <unicode/datefmt.h>
 #include <unicode/calendar.h>
+#include <unicode/strenum.h>
 
 #include <vector>
 
@@ -333,6 +334,24 @@ static void umsg_set_timezone(MessageFormatter_object *mfo,
 		return; /* already done */
 	}
 
+	/* There is a bug in ICU which prevents MessageFormatter::getFormats()
+	   to handle more than 10 formats correctly. The enumerator could be
+	   used to walk through the present formatters using getFormat(), which
+	   however seems to provide just a readonly access. This workaround
+	   prevents crash when there are > 10 formats but doesn't set any error.
+	   As a result, only DateFormatters with > 10 subformats are affected.
+	   This workaround should be ifdef'd out, when the bug has been fixed
+	   in ICU. */
+	icu::StringEnumeration* fnames = mf->getFormatNames(err.code);
+	if (!fnames || U_FAILURE(err.code)) {
+		return;
+	}
+	count = fnames->count(err.code);
+	delete fnames;
+	if (count > 10) {
+		return;
+	}
+
 	formats = mf->getFormats(count);
 
 	if (formats == NULL) {
-- 
cgit v1.2.1