Fix phpdbg segmentation fault in case of malformed input

If you were to enter "w $>" the function would crash with a segmentation fault because last_index is still NULL at that point. Fix it by checking for NULL and erroring out if it is. Closes GH-10353 Signed-off-by: George Peter Banyard <girgias@php.net>
2024-11-27 11:53:33 +08:00 · 2023-01-16 23:09:58 +01:00 · 2023-01-16 23:09:58 +01:00 · 398a10a58a
commit 398a10a58a
parent dfe9c2af19
3 changed files with 29 additions and 0 deletions
--- a/1
+++ b/1
@ -46,6 +46,7 @@ PHP                                                                        NEWS
  . Fix undefined behaviour in phpdbg_load_module_or_extension(). (nielsdos)
  . Fix NULL pointer dereference in phpdbg_create_conditional_breal(). (nielsdos)
  . Fix GH-9710: phpdbg memory leaks by option "-h" (nielsdos)
+  . Fix phpdbg segmentation fault in case of malformed input (nielsdos)

 - Posix:
  . Fix memory leak in posix_ttyname() (girgias)
--- a/sapi/phpdbg/phpdbg_utils.c
+++ b/sapi/phpdbg/phpdbg_utils.c
@ -466,6 +466,9 @@ PHPDBG_API int phpdbg_parse_variable_with_arg(char *input, size_t len, HashTable
 				case ']':
 					break;
 				case '>':
+					if (!last_index) {
+						goto error;
+					}
 					if (last_index[index_len - 1] == '-') {
 						new_index = 1;
 						index_len--;
--- a/sapi/phpdbg/tests/watch_007.phpt
+++ b/sapi/phpdbg/tests/watch_007.phpt
@ -0,0 +1,25 @@
+--TEST--
+Test malformed watchpoint name
+--INI--
+opcache.optimization_level=0
+--PHPDBG--
+b test
+r
+w $>
+q
+--EXPECTF--
+[Successful compilation of %s]
+prompt> [Breakpoint #0 added at test]
+prompt> [Breakpoint #0 in test() at %s:%d, hits: 1]
+>00004: }
+ 00005: test();
+ 00006: $a = 2;
+prompt> [Malformed input]
+prompt>
+--FILE--
+<?php
+$a = 1;
+function test() {
+}
+test();
+$a = 2;