-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | sapi/apache2handler/php_functions.c | 22 |
2 files changed, 16 insertions, 8 deletions
@@ -3,6 +3,8 @@ PHP NEWS
 ?? Jan 2006, PHP 5.1.2RC2
 - Added constants for libxslt and libexslt versions: LIBXSLT_VERSION,
 LIBXSLT_DOTTED_VERSION, LIBEXSLT_VERSION and LIBEXSLT_DOTTED_VERSION. (Pierre)
+- Fixed possible crash in apache_getenv()/apache_setenv() on invalid parameters.
+ (Ilia)
 - Changed errors to warnings in imagecolormatch(). (Pierre)
 - Fixed segfault/leak in imagecolormatch(). (Pierre)
 - Fixed small leak in mysqli_stmt_fetch() when bound variable was empty string.
diff --git a/sapi/apache2handler/php_functions.c b/sapi/apache2handler/php_functions.c
index fc987ec531..2df54c5d45 100644
--- a/sapi/apache2handler/php_functions.c
+++ b/sapi/apache2handler/php_functions.c
@@ -264,10 +264,13 @@ PHP_FUNCTION(apache_setenv)
 ctx = SG(server_context);
 r = ctx->r;
- if (arg_count == 3 && Z_STRVAL_PP(walk_to_top)) {
- while(r->prev) {
- r = r->prev;
- }
+ if (arg_count == 3) {
+ convert_to_boolean_ex(walk_to_top);
+ if (Z_LVAL_PP(walk_to_top)) {
+ while(r->prev) {
+ r = r->prev;
+ }
+ }
 }
 convert_to_string_ex(variable);
@@ -300,10 +303,13 @@ PHP_FUNCTION(apache_getenv)
 ctx = SG(server_context);
 r = ctx->r;
- if (arg_count == 2 && Z_STRVAL_PP(walk_to_top)) {
- while(r->prev) {
- r = r->prev;
- }
+ if (arg_count == 2) {
+ convert_to_boolean_ex(walk_to_top);
+ if (Z_LVAL_PP(walk_to_top)) {
+ while(r->prev) {
+ r = r->prev;
+ }
+ }
 }
 convert_to_string_ex(variable); |
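Review bot: In the new `if (Z_LVAL_PP(walk_to_top))` test in apache_setenv, the flag is read through the long accessor immediately after `convert_to_boolean_ex(walk_to_top)`; `Z_BVAL_PP(walk_to_top)` is the accessor that matches the conversion and keeps the union member being read visibly in step with the zval's type, which is exactly the kind of mismatch the removed `Z_STRVAL_PP` test had. The same line appears in the apache_getenv hunk. Since both hunks repeat the identical coerce-then-walk sequence, a short comment above the conversion such as `/* walk_to_top is caller-supplied and may be any type: coerce before reading it as a flag */` would record why the conversion must not be dropped again. Both function bodies start and end outside the hunks, so how the arguments are fetched and whether `ctx` can be NULL before `ctx->r` is not visible here.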