php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67399 putenv with empty variable may lead to crash
Submitted: 2014-06-09 05:53 UTC Modified: -
From: stas@php.net Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.4.29 OS: Unix
Private report: No CVE-ID:
 [2014-06-09 05:53 UTC] stas@php.net
Description:
------------
Report from Google team:

putenv -> getenv SIGSEGV

<?php

// This script allocates some objects, making PHP reserve a memory region,
// then sets an environment variable without any name ("=1234").
//
// zif_putenv will add it to the environment, but when php_putenv_destructor is
// called, at the end of the script, __unsetenv(name="") is called, which has
// no effect and does *not* remove the pointer to the PHP-mapped memory region
// in the environment table.
// _efree and _zend_mm_free_int will free unmap the allocated PHP memory region
//
// zend_hash_apply_deleter -> module_destructor -> zm_shutdown_intl ->
// -> __GI_getenv(name="INTL_EXPLICIT_CLEANUP")
// will call C getenv() asking for a not-existing env variable to see if they
// have to call ucleanup(). C getenv() will scan the corrupted environ and in:
//
// for (ep = __environ; &ep != NULL; ++ep)
//
// will access a freed memory region, segfaulting.

error_reporting(E_ALL);
set_time_limit(10);
ini_set('memory_limit', '256M');

$x1 = "asdasdasfdsfdsf";
$x2 = "asdasdsadasdasdasd";
$x3 = array_fill(0, 553423, '*');
$x4 = array(-1 => -5, 100 => 17, 0 => 'a', 'a' => 0, 1 => 'b', 'b' => 1);

$f = fopen('php://temp', 'wr');

putenv("=1234");


Test script:
---------------
putenv("=1234");



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-06-09 06:11 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=62857998c5f69aee1249db870b0fb08af9012fb9
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-06-09 06:11 UTC] stas@php.net
-Status: Open +Status: Closed
 [2014-06-09 06:11 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4b0b03267636fb86ac19f4f0a48c55d08eb1be94
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-06-09 06:11 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=336b5f59b6c4ff023f5e79a39eabd284ac7f1e66
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-06-09 06:11 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b060880c8747a8234c2334691dfe04a60b705a15
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-06-12 01:08 UTC] dmitry@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b060880c8747a8234c2334691dfe04a60b705a15
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-06-12 01:08 UTC] dmitry@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=336b5f59b6c4ff023f5e79a39eabd284ac7f1e66
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-06-12 01:08 UTC] dmitry@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4b0b03267636fb86ac19f4f0a48c55d08eb1be94
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-06-12 01:08 UTC] dmitry@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=62857998c5f69aee1249db870b0fb08af9012fb9
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-06-19 00:53 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=336b5f59b6c4ff023f5e79a39eabd284ac7f1e66
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-06-19 00:53 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4b0b03267636fb86ac19f4f0a48c55d08eb1be94
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-06-19 00:53 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=62857998c5f69aee1249db870b0fb08af9012fb9
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-07-02 08:26 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=336b5f59b6c4ff023f5e79a39eabd284ac7f1e66
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-07-02 08:26 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4b0b03267636fb86ac19f4f0a48c55d08eb1be94
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-07-02 08:26 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=62857998c5f69aee1249db870b0fb08af9012fb9
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-07-02 08:34 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b060880c8747a8234c2334691dfe04a60b705a15
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-07-02 08:34 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=336b5f59b6c4ff023f5e79a39eabd284ac7f1e66
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-07-02 08:34 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4b0b03267636fb86ac19f4f0a48c55d08eb1be94
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-07-02 08:34 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=62857998c5f69aee1249db870b0fb08af9012fb9
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-07-29 21:56 UTC] johannes@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b512adf78d2a1b5fc16cec7dc767b2e5c8f0297e
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-08-14 15:34 UTC] johannes@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b512adf78d2a1b5fc16cec7dc767b2e5c8f0297e
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-08-14 19:32 UTC] dmitry@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b512adf78d2a1b5fc16cec7dc767b2e5c8f0297e
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-10-07 23:13 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=b512adf78d2a1b5fc16cec7dc767b2e5c8f0297e
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-10-07 23:14 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=62857998c5f69aee1249db870b0fb08af9012fb9
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-10-07 23:25 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=b512adf78d2a1b5fc16cec7dc767b2e5c8f0297e
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2014-10-07 23:26 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=62857998c5f69aee1249db870b0fb08af9012fb9
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 [2016-07-20 11:40 UTC] davey@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b060880c8747a8234c2334691dfe04a60b705a15
Log: Fixed bug #67399 (putenv with empty variable may lead to crash)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Feb 26 14:01:37 2017 UTC