From 1b4d38aa2d65ff09abd14cbe6a2f974adf1a30e5 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Mon, 16 Jan 2023 23:09:58 +0100
Subject: [PATCH] Fix phpdbg segmentation fault in case of malformed input

If you were to enter "w $>" the function would crash with a segmentation
fault because last_index is still NULL at that point. Fix it by checking
for NULL and erroring out if it is.
---
 sapi/phpdbg/phpdbg_utils.c       |  3 +++
 sapi/phpdbg/tests/watch_007.phpt | 25 +++++++++++++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 sapi/phpdbg/tests/watch_007.phpt

diff --git a/sapi/phpdbg/phpdbg_utils.c b/sapi/phpdbg/phpdbg_utils.c
index 344b9c73e476d..f638d608905ba 100644
--- a/sapi/phpdbg/phpdbg_utils.c
+++ b/sapi/phpdbg/phpdbg_utils.c
@@ -466,6 +466,9 @@ PHPDBG_API int phpdbg_parse_variable_with_arg(char *input, size_t len, HashTable
 				case ']':
 					break;
 				case '>':
+					if (!last_index) {
+						goto error;
+					}
 					if (last_index[index_len - 1] == '-') {
 						new_index = 1;
 						index_len--;
diff --git a/sapi/phpdbg/tests/watch_007.phpt b/sapi/phpdbg/tests/watch_007.phpt
new file mode 100644
index 0000000000000..f1980d60dd9de
--- /dev/null
+++ b/sapi/phpdbg/tests/watch_007.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Test malformed watchpoint name
+--INI--
+opcache.optimization_level=0
+--PHPDBG--
+b test
+r
+w $>
+q
+--EXPECTF--
+[Successful compilation of %s]
+prompt> [Breakpoint #0 added at test]
+prompt> [Breakpoint #0 in test() at %s:%d, hits: 1]
+>00004: }
+ 00005: test();
+ 00006: $a = 2;
+prompt> [Malformed input]
+prompt>
+--FILE--
+<?php
+$a = 1;
+function test() {
+}
+test();
+$a = 2;