From a6d17bffe115a0bbed8a3260ef588124e20973f8 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sun, 17 Dec 2023 01:35:15 +0100
Subject: [PATCH] Fix GH-12962: Double free of init_file in phpdbg_prompt.c

See GH-12962 for analysis.

Closes GH-12963.
---
 NEWS                                  |  3 +++
 sapi/phpdbg/phpdbg_prompt.c           |  2 +-
 sapi/phpdbg/tests/gh12962.phpt        | 13 +++++++++++++
 sapi/phpdbg/tests/gh12962/.phpdbginit |  2 ++
 4 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 sapi/phpdbg/tests/gh12962.phpt
 create mode 100644 sapi/phpdbg/tests/gh12962/.phpdbginit

diff --git a/NEWS b/NEWS
index 4a53cc18122..f86e393a461 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,9 @@ PHP                                                                        NEWS
   . Added workaround for SELinux mprotect execheap issue.
     See https://bugzilla.kernel.org/show_bug.cgi?id=218258. (ilutov)
 
+- PHPDBG:
+  . Fixed bug GH-12962 (Double free of init_file in phpdbg_prompt.c). (nielsdos)
+
 21 Dec 2023, PHP 8.2.14
 
 - Core:
diff --git a/sapi/phpdbg/phpdbg_prompt.c b/sapi/phpdbg/phpdbg_prompt.c
index ffc40cb0c96..994ac829b0a 100644
--- a/sapi/phpdbg/phpdbg_prompt.c
+++ b/sapi/phpdbg/phpdbg_prompt.c
@@ -364,7 +364,7 @@ void phpdbg_init(char *init_file, size_t init_file_len, bool use_default) /* {{{
 			}
 
 			ZEND_IGNORE_VALUE(asprintf(&init_file, "%s/%s", scan_dir, PHPDBG_INIT_FILENAME));
-			phpdbg_try_file_init(init_file, strlen(init_file), 1);
+			phpdbg_try_file_init(init_file, strlen(init_file), 0);
 			free(init_file);
 			if (i == -1) {
 				break;
diff --git a/sapi/phpdbg/tests/gh12962.phpt b/sapi/phpdbg/tests/gh12962.phpt
new file mode 100644
index 00000000000..c5cf9425d7c
--- /dev/null
+++ b/sapi/phpdbg/tests/gh12962.phpt
@@ -0,0 +1,13 @@
+--TEST--
+GH-12962 (Double free of init_file in phpdbg_prompt.c)
+--SKIPIF--
+<?php
+if (!getenv('TEST_PHPDBG_EXECUTABLE')) die("SKIP: No TEST_PHPDBG_EXECUTABLE specified");
+?>
+--FILE--
+<?php
+putenv('PHP_INI_SCAN_DIR='.__DIR__."/gh12962");
+passthru($_ENV['TEST_PHPDBG_EXECUTABLE'] . " -q");
+?>
+--EXPECT--
+Executed .phpdbginit
diff --git a/sapi/phpdbg/tests/gh12962/.phpdbginit b/sapi/phpdbg/tests/gh12962/.phpdbginit
new file mode 100644
index 00000000000..29184ddf7c8
--- /dev/null
+++ b/sapi/phpdbg/tests/gh12962/.phpdbginit
@@ -0,0 +1,2 @@
+ev "Executed .phpdbginit"
+q