Fix GH-10715: phpdbg heap buffer overflow -- by misuse of the option "--run"

nielsdos · devnexen · commit 0f21cbc57c0f · 2023-02-27T19:47:55.000Z
Fixes GH-10715 When a string starting with a NUL character is passed to phpdbg_vprint(), the vasprintf() will return that 0 characters have been printed. This causes msglen == 0. When phpdbg_process_print() is called with a message of length 0, the -1 to check for '\n' will perform an out of bounds read. Since nothing is printed anyway for msglen == 0, it seems best to just skip the printing routine for this case. Closes GH-10720.
diff --git a/NEWS b/NEWS
@@ -61,6 +61,9 @@ PHP                                                                        NEWS
   . Fixed bug #60994 (Reading a multibyte CLOB caps at 8192 chars).
     (Michael Voříšek)
 
+- PHPDBG:
+  . Fixed bug GH-10715 (heap buffer overflow on --run option misuse). (nielsdos)
+
 - PGSQL:
   . Fix GH-10672 (pg_lo_open segfaults in the strict_types mode). (girgias)
 
diff --git a/sapi/phpdbg/phpdbg_out.c b/sapi/phpdbg/phpdbg_out.c
@@ -143,7 +143,11 @@ PHPDBG_API int phpdbg_vprint(int type, int fd, const char *strfmt, va_list args)
 		return msglen;
 	}
 
-	len = phpdbg_process_print(fd, type, msg, msglen);
+	if (UNEXPECTED(msglen == 0)) {
+		len = 0;
+	} else {
+		len = phpdbg_process_print(fd, type, msg, msglen);
+	}
 
 	if (msg) {
 		free(msg);
diff --git a/sapi/phpdbg/tests/gh10715.phpt b/sapi/phpdbg/tests/gh10715.phpt
