PHP :: Bug #67399 :: putenv with empty variable may lead to crash

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for

Bug #67399	putenv with empty variable may lead to crash
Submitted:	2014-06-09 05:53 UTC	Modified:	-
From:	stas@php.net	Assigned:
Status:	Closed	Package:	Reproducible crash
PHP Version:	5.4.29	OS:	Unix
Private report:	No	CVE-ID:	None

View Developer Edit

[2014-06-09 05:53 UTC] stas@php.net

Description:
------------
Report from Google team:

putenv -> getenv SIGSEGV

<?php

// This script allocates some objects, making PHP reserve a memory region,
// then sets an environment variable without any name ("=1234").
//
// zif_putenv will add it to the environment, but when php_putenv_destructor is
// called, at the end of the script, __unsetenv(name="") is called, which has
// no effect and does *not* remove the pointer to the PHP-mapped memory region
// in the environment table.
// _efree and _zend_mm_free_int will free unmap the allocated PHP memory region
//
// zend_hash_apply_deleter -> module_destructor -> zm_shutdown_intl ->
// -> __GI_getenv(name="INTL_EXPLICIT_CLEANUP")
// will call C getenv() asking for a not-existing env variable to see if they
// have to call ucleanup(). C getenv() will scan the corrupted environ and in:
//
// for (ep = __environ; &ep != NULL; ++ep)
//
// will access a freed memory region, segfaulting.

error_reporting(E_ALL);
set_time_limit(10);
ini_set('memory_limit', '256M');

$x1 = "asdasdasfdsfdsf";
$x2 = "asdasdsadasdasdasd";
$x3 = array_fill(0, 553423, '*');
$x4 = array(-1 => -5, 100 => 17, 0 => 'a', 'a' => 0, 1 => 'b', 'b' => 1);

$f = fopen('php://temp', 'wr');

putenv("=1234");


Test script:
---------------
putenv("=1234");

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2014-06-09 06:11 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=62857998c5f69aee1249db870b0fb08af9012fb9
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2014-06-09 06:11 UTC] stas@php.net

-Status: Open +Status: Closed

[2014-06-09 06:11 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4b0b03267636fb86ac19f4f0a48c55d08eb1be94
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2014-06-09 06:11 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=336b5f59b6c4ff023f5e79a39eabd284ac7f1e66
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2014-06-09 06:11 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b060880c8747a8234c2334691dfe04a60b705a15
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2014-06-12 01:08 UTC] dmitry@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b060880c8747a8234c2334691dfe04a60b705a15
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2014-06-12 01:08 UTC] dmitry@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=336b5f59b6c4ff023f5e79a39eabd284ac7f1e66
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2014-06-12 01:08 UTC] dmitry@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4b0b03267636fb86ac19f4f0a48c55d08eb1be94
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2014-06-12 01:08 UTC] dmitry@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=62857998c5f69aee1249db870b0fb08af9012fb9
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2014-06-19 00:53 UTC] tyrael@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=336b5f59b6c4ff023f5e79a39eabd284ac7f1e66
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2014-06-19 00:53 UTC] tyrael@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4b0b03267636fb86ac19f4f0a48c55d08eb1be94
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2014-06-19 00:53 UTC] tyrael@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=62857998c5f69aee1249db870b0fb08af9012fb9
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2014-07-02 08:26 UTC] ab@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=336b5f59b6c4ff023f5e79a39eabd284ac7f1e66
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2014-07-02 08:26 UTC] ab@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4b0b03267636fb86ac19f4f0a48c55d08eb1be94
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2014-07-02 08:26 UTC] ab@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=62857998c5f69aee1249db870b0fb08af9012fb9
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2014-07-02 08:34 UTC] ab@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b060880c8747a8234c2334691dfe04a60b705a15
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2014-07-02 08:34 UTC] ab@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=336b5f59b6c4ff023f5e79a39eabd284ac7f1e66
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2014-07-02 08:34 UTC] ab@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4b0b03267636fb86ac19f4f0a48c55d08eb1be94
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2014-07-02 08:34 UTC] ab@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=62857998c5f69aee1249db870b0fb08af9012fb9
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2014-07-29 21:56 UTC] johannes@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b512adf78d2a1b5fc16cec7dc767b2e5c8f0297e
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2014-08-14 15:34 UTC] johannes@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b512adf78d2a1b5fc16cec7dc767b2e5c8f0297e
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2014-08-14 19:32 UTC] dmitry@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b512adf78d2a1b5fc16cec7dc767b2e5c8f0297e
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2014-10-07 23:13 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=b512adf78d2a1b5fc16cec7dc767b2e5c8f0297e
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2014-10-07 23:14 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=62857998c5f69aee1249db870b0fb08af9012fb9
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2014-10-07 23:25 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=b512adf78d2a1b5fc16cec7dc767b2e5c8f0297e
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2014-10-07 23:26 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=62857998c5f69aee1249db870b0fb08af9012fb9
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)

[2016-07-20 11:40 UTC] davey@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b060880c8747a8234c2334691dfe04a60b705a15
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Nov 13 08:00:02 2025 UTC