From 398a10a58a764a18723bea394afdeac92f881e10 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Mon, 16 Jan 2023 23:09:58 +0100
Subject: [PATCH] Fix phpdbg segmentation fault in case of malformed input

If you were to enter "w $>" the function would crash with a segmentation
fault because last_index is still NULL at that point. Fix it by checking
for NULL and erroring out if it is.

Closes GH-10353

Signed-off-by: George Peter Banyard <girgias@php.net>
---
 NEWS                             |  1 +
 sapi/phpdbg/phpdbg_utils.c       |  3 +++
 sapi/phpdbg/tests/watch_007.phpt | 25 +++++++++++++++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 sapi/phpdbg/tests/watch_007.phpt

diff --git a/NEWS b/NEWS
index a8a72492a96..069ae40f597 100644
--- a/NEWS
+++ b/NEWS
@@ -46,6 +46,7 @@ PHP                                                                        NEWS
   . Fix undefined behaviour in phpdbg_load_module_or_extension(). (nielsdos)
   . Fix NULL pointer dereference in phpdbg_create_conditional_breal(). (nielsdos)
   . Fix GH-9710: phpdbg memory leaks by option "-h" (nielsdos)
+  . Fix phpdbg segmentation fault in case of malformed input (nielsdos)
 
 - Posix:
   . Fix memory leak in posix_ttyname() (girgias)
diff --git a/sapi/phpdbg/phpdbg_utils.c b/sapi/phpdbg/phpdbg_utils.c
index 344b9c73e47..f638d608905 100644
--- a/sapi/phpdbg/phpdbg_utils.c
+++ b/sapi/phpdbg/phpdbg_utils.c
@@ -466,6 +466,9 @@ PHPDBG_API int phpdbg_parse_variable_with_arg(char *input, size_t len, HashTable
 				case ']':
 					break;
 				case '>':
+					if (!last_index) {
+						goto error;
+					}
 					if (last_index[index_len - 1] == '-') {
 						new_index = 1;
 						index_len--;
diff --git a/sapi/phpdbg/tests/watch_007.phpt b/sapi/phpdbg/tests/watch_007.phpt
new file mode 100644
index 00000000000..f1980d60dd9
--- /dev/null
+++ b/sapi/phpdbg/tests/watch_007.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Test malformed watchpoint name
+--INI--
+opcache.optimization_level=0
+--PHPDBG--
+b test
+r
+w $>
+q
+--EXPECTF--
+[Successful compilation of %s]
+prompt> [Breakpoint #0 added at test]
+prompt> [Breakpoint #0 in test() at %s:%d, hits: 1]
+>00004: }
+ 00005: test();
+ 00006: $a = 2;
+prompt> [Malformed input]
+prompt>
+--FILE--
+<?php
+$a = 1;
+function test() {
+}
+test();
+$a = 2;