|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2014-06-09 06:11 UTC] stas@php.net
[2014-06-09 06:11 UTC] stas@php.net
-Status: Open
+Status: Closed
[2014-06-09 06:11 UTC] stas@php.net
[2014-06-09 06:11 UTC] stas@php.net
[2014-06-09 06:11 UTC] stas@php.net
[2014-06-12 01:08 UTC] dmitry@php.net
[2014-06-12 01:08 UTC] dmitry@php.net
[2014-06-12 01:08 UTC] dmitry@php.net
[2014-06-12 01:08 UTC] dmitry@php.net
[2014-06-19 00:53 UTC] tyrael@php.net
[2014-06-19 00:53 UTC] tyrael@php.net
[2014-06-19 00:53 UTC] tyrael@php.net
[2014-07-02 08:26 UTC] ab@php.net
[2014-07-02 08:26 UTC] ab@php.net
[2014-07-02 08:26 UTC] ab@php.net
[2014-07-02 08:34 UTC] ab@php.net
[2014-07-02 08:34 UTC] ab@php.net
[2014-07-02 08:34 UTC] ab@php.net
[2014-07-02 08:34 UTC] ab@php.net
[2014-07-29 21:56 UTC] johannes@php.net
[2014-08-14 15:34 UTC] johannes@php.net
[2014-08-14 19:32 UTC] dmitry@php.net
[2014-10-07 23:13 UTC] stas@php.net
[2014-10-07 23:14 UTC] stas@php.net
[2014-10-07 23:25 UTC] stas@php.net
[2014-10-07 23:26 UTC] stas@php.net
[2016-07-20 11:40 UTC] davey@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 09:01:32 2024 UTC |
Description: ------------ Report from Google team: putenv -> getenv SIGSEGV <?php // This script allocates some objects, making PHP reserve a memory region, // then sets an environment variable without any name ("=1234"). // // zif_putenv will add it to the environment, but when php_putenv_destructor is // called, at the end of the script, __unsetenv(name="") is called, which has // no effect and does *not* remove the pointer to the PHP-mapped memory region // in the environment table. // _efree and _zend_mm_free_int will free unmap the allocated PHP memory region // // zend_hash_apply_deleter -> module_destructor -> zm_shutdown_intl -> // -> __GI_getenv(name="INTL_EXPLICIT_CLEANUP") // will call C getenv() asking for a not-existing env variable to see if they // have to call ucleanup(). C getenv() will scan the corrupted environ and in: // // for (ep = __environ; &ep != NULL; ++ep) // // will access a freed memory region, segfaulting. error_reporting(E_ALL); set_time_limit(10); ini_set('memory_limit', '256M'); $x1 = "asdasdasfdsfdsf"; $x2 = "asdasdsadasdasdasd"; $x3 = array_fill(0, 553423, '*'); $x4 = array(-1 => -5, 100 => 17, 0 => 'a', 'a' => 0, 1 => 'b', 'b' => 1); $f = fopen('php://temp', 'wr'); putenv("=1234"); Test script: --------------- putenv("=1234");