php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #44836 [PATCH] putenv() crashes, avoid direct reference of environ in POSIX systems
Submitted: 2008-04-25 23:50 UTC Modified: 2008-06-19 01:00 UTC
Votes:7
Avg. Score:4.1 ± 0.8
Reproduced:7 of 7 (100.0%)
Same Version:6 (85.7%)
Same OS:5 (71.4%)
From: delphij at FreeBSD dot org Assigned: iliaa (profile)
Status: No Feedback Package: Reproducible crash
PHP Version: 5.2.5 OS: FreeBSD 7.0
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: delphij at FreeBSD dot org
New email:
PHP Version: OS:

 

 [2008-04-25 23:50 UTC] delphij at FreeBSD dot org
Description:
------------
PHP would crash in certain cases where putenv() is being called, in POSIX systems which calls free() in putenv().

The following patch always duplicate the environment from the environment instead of relying on that they are invariant.

--- ext/standard/basic_functions.c.orig	2008-04-25 16:26:14.885468614 -0700
+++ ext/standard/basic_functions.c	2008-04-25 16:32:46.215744075 -0700
@@ -3861,9 +3862,7 @@
 		SetEnvironmentVariable(pe->key, "bugbug");
 #endif
 		putenv(pe->previous_value);
-# if defined(PHP_WIN32)
 		efree(pe->previous_value);
-# endif
 	} else {
 # if HAVE_UNSETENV
 		unsetenv(pe->key);
@@ -4463,12 +4462,8 @@
 		pe.previous_value = NULL;
 		for (env = environ; env != NULL && *env != NULL; env++) {
 			if (!strncmp(*env, pe.key, pe.key_len) && (*env)[pe.key_len] == '=') {	/* found it */
-#if defined(PHP_WIN32)
 				/* must copy previous value because MSVCRT's putenv can free the string without notice */
 				pe.previous_value = estrdup(*env);
-#else
-				pe.previous_value = *env;
-#endif
 				break;
 			}
 		}



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-05-06 18:04 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2008-05-07 08:42 UTC] tony2001@php.net
Your patch causes crashes on Linux, please revert.
 [2008-05-07 21:54 UTC] rachid at dnsregistraties dot nl
The patch on 5.2.6 for posix is causing crash on the linux versions. Is it possible to fix this soon?
 [2008-05-08 07:48 UTC] tony2001@php.net
>Which glibc version are you using?
Reproducible with both glibc 2.5 (openSuSE 10.2 64bit) and 2.6.1 (openSuSE 10.3 64bit).

In order to reproduce it you need to run this:
TEST_VAR1=test TEST_VAR2=test valgrind --tool=memcheck ./sapi/cli/php -r 'putenv("TEST_VAR1"); putenv("TEST_VAR2");'

>Do you have backtraces?

Valgrind log is here: http://news.php.net/php.cvs/49863
 [2008-05-12 08:48 UTC] tony2001@php.net
I reverted the patch.
Please provide a reproduce case for the original problem and then we'll see what the correct patch should be.
 [2008-05-23 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2008-05-31 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2008-06-11 21:54 UTC] tony2001@php.net
I suppose the bug didn't really exist, did it?
I won't reopen the report anymore.
 [2008-06-19 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Nov 24 01:01:29 2024 UTC