php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #67399 putenv with empty variable may lead to crash
Submitted: 2014-06-09 05:53 UTC Modified: -
From: stas@php.net Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.4.29 OS: Unix
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: stas@php.net
New email:
PHP Version: OS:

 

 [2014-06-09 05:53 UTC] stas@php.net 
Description:
------------
Report from Google team:

putenv -> getenv SIGSEGV

<?php

// This script allocates some objects, making PHP reserve a memory region,
// then sets an environment variable without any name ("=1234").
//
// zif_putenv will add it to the environment, but when php_putenv_destructor is
// called, at the end of the script, __unsetenv(name="") is called, which has
// no effect and does *not* remove the pointer to the PHP-mapped memory region
// in the environment table.
// _efree and _zend_mm_free_int will free unmap the allocated PHP memory region
//
// zend_hash_apply_deleter -> module_destructor -> zm_shutdown_intl ->
// -> __GI_getenv(name="INTL_EXPLICIT_CLEANUP")
// will call C getenv() asking for a not-existing env variable to see if they
// have to call ucleanup(). C getenv() will scan the corrupted environ and in:
//
// for (ep = __environ; &ep != NULL; ++ep)
//
// will access a freed memory region, segfaulting.

error_reporting(E_ALL);
set_time_limit(10);
ini_set('memory_limit', '256M');

$x1 = "asdasdasfdsfdsf";
$x2 = "asdasdsadasdasdasd";
$x3 = array_fill(0, 553423, '*');
$x4 = array(-1 => -5, 100 => 17, 0 => 'a', 'a' => 0, 1 => 'b', 'b' => 1);

$f = fopen('php://temp', 'wr');

putenv("=1234");


Test script:
---------------
putenv("=1234");

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-06-09 06:11 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=62857998c5f69aee1249db870b0fb08af9012fb9
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-06-09 06:11 UTC] stas@php.net
-Status: Open +Status: Closed
 [2014-06-09 06:11 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4b0b03267636fb86ac19f4f0a48c55d08eb1be94
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-06-09 06:11 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=336b5f59b6c4ff023f5e79a39eabd284ac7f1e66
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-06-09 06:11 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b060880c8747a8234c2334691dfe04a60b705a15
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-06-12 01:08 UTC] dmitry@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b060880c8747a8234c2334691dfe04a60b705a15
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-06-12 01:08 UTC] dmitry@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=336b5f59b6c4ff023f5e79a39eabd284ac7f1e66
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-06-12 01:08 UTC] dmitry@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4b0b03267636fb86ac19f4f0a48c55d08eb1be94
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-06-12 01:08 UTC] dmitry@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=62857998c5f69aee1249db870b0fb08af9012fb9
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-06-19 00:53 UTC] tyrael@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=336b5f59b6c4ff023f5e79a39eabd284ac7f1e66
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-06-19 00:53 UTC] tyrael@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4b0b03267636fb86ac19f4f0a48c55d08eb1be94
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-06-19 00:53 UTC] tyrael@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=62857998c5f69aee1249db870b0fb08af9012fb9
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-07-02 08:26 UTC] ab@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=336b5f59b6c4ff023f5e79a39eabd284ac7f1e66
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-07-02 08:26 UTC] ab@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4b0b03267636fb86ac19f4f0a48c55d08eb1be94
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-07-02 08:26 UTC] ab@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=62857998c5f69aee1249db870b0fb08af9012fb9
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-07-02 08:34 UTC] ab@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b060880c8747a8234c2334691dfe04a60b705a15
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-07-02 08:34 UTC] ab@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=336b5f59b6c4ff023f5e79a39eabd284ac7f1e66
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-07-02 08:34 UTC] ab@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4b0b03267636fb86ac19f4f0a48c55d08eb1be94
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-07-02 08:34 UTC] ab@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=62857998c5f69aee1249db870b0fb08af9012fb9
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-07-29 21:56 UTC] johannes@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b512adf78d2a1b5fc16cec7dc767b2e5c8f0297e
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-08-14 15:34 UTC] johannes@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b512adf78d2a1b5fc16cec7dc767b2e5c8f0297e
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-08-14 19:32 UTC] dmitry@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b512adf78d2a1b5fc16cec7dc767b2e5c8f0297e
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-10-07 23:13 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=b512adf78d2a1b5fc16cec7dc767b2e5c8f0297e
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-10-07 23:14 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=62857998c5f69aee1249db870b0fb08af9012fb9
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-10-07 23:25 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=b512adf78d2a1b5fc16cec7dc767b2e5c8f0297e
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-10-07 23:26 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=62857998c5f69aee1249db870b0fb08af9012fb9
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2016-07-20 11:40 UTC] davey@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b060880c8747a8234c2334691dfe04a60b705a15
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sun Feb 02 05:01:30 2025 UTC