$ ./sapi/phpdbg/phpdbg
[Welcome to phpdbg, the interactive PHP debugger, v8.5.0-dev]
To get help using phpdbg type "help" and press enter
[Please report bugs to <https://github.com/php/php-src/issues>]
prompt> a';
[PHP Fatal error: Allowed memory size of 134217728 bytes exhausted at sapi/phpdbg/phpdbg_lexer.l:163 (tried to allocate 4294967289 bytes) in Unknown on line 0]
[Could not find information about included file...]
prompt>
zend_mm_heap corrupted
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4143==ERROR: AddressSanitizer: SEGV on unknown address 0x03e80000102f (pc 0x7acd9aedc3db bp 0x7fffbe938570 sp 0x7fffbe938558 T0)
==4143==The signal is caused by a READ memory access.
#0 0x7acd9aedc3db in kill (/usr/lib/libc.so.6+0x3d3db) (BuildId: 98b3d8e0b8c534c769cb871c438b4f8f3a8e4bf3)
#1 0x63b71750934e in zend_mm_panic /run/media/niels/MoreData/php-src/Zend/zend_alloc.c:396
#2 0x63b71750c59f in zend_mm_get_next_free_slot /run/media/niels/MoreData/php-src/Zend/zend_alloc.c:1326
#3 0x63b71750cdc2 in zend_mm_alloc_small /run/media/niels/MoreData/php-src/Zend/zend_alloc.c:1410
#4 0x63b71750d32b in zend_mm_alloc_heap /run/media/niels/MoreData/php-src/Zend/zend_alloc.c:1488
#5 0x63b71751387d in _zend_mm_alloc /run/media/niels/MoreData/php-src/Zend/zend_alloc.c:2530
#6 0x63b717a43525 in phpdbg_malloc_wrapper /run/media/niels/MoreData/php-src/sapi/phpdbg/phpdbg.c:1079
#7 0x63b71751409f in _emalloc /run/media/niels/MoreData/php-src/Zend/zend_alloc.c:2737
#8 0x63b717514856 in _estrdup /run/media/niels/MoreData/php-src/Zend/zend_alloc.c:2818
#9 0x63b7179bd86e in phpdbg_read_input /run/media/niels/MoreData/php-src/sapi/phpdbg/phpdbg_cmd.c:779
#10 0x63b717a14c12 in phpdbg_interactive /run/media/niels/MoreData/php-src/sapi/phpdbg/phpdbg_prompt.c:1534
#11 0x63b717a3fbdf in php_sapi_phpdbg_log_message /run/media/niels/MoreData/php-src/sapi/phpdbg/phpdbg.c:768
#12 0x63b717353382 in php_log_err_with_severity /run/media/niels/MoreData/php-src/main/main.c:925
#13 0x63b71735625e in php_error_cb /run/media/niels/MoreData/php-src/main/main.c:1393
#14 0x63b717994815 in zend_error_zstr_at /run/media/niels/MoreData/php-src/Zend/zend.c:1495
#15 0x63b717995dbb in zend_error_va_list /run/media/niels/MoreData/php-src/Zend/zend.c:1597
#16 0x63b717996b6d in zend_error_noreturn /run/media/niels/MoreData/php-src/Zend/zend.c:1705
#17 0x63b71750957c in zend_mm_safe_error /run/media/niels/MoreData/php-src/Zend/zend_alloc.c:413
#18 0x63b71750f682 in zend_mm_alloc_huge /run/media/niels/MoreData/php-src/Zend/zend_alloc.c:1941
#19 0x63b71750d5f9 in zend_mm_alloc_heap /run/media/niels/MoreData/php-src/Zend/zend_alloc.c:1513
#20 0x63b71751387d in _zend_mm_alloc /run/media/niels/MoreData/php-src/Zend/zend_alloc.c:2530
#21 0x63b717a43525 in phpdbg_malloc_wrapper /run/media/niels/MoreData/php-src/sapi/phpdbg/phpdbg.c:1079
#22 0x63b71751409f in _emalloc /run/media/niels/MoreData/php-src/Zend/zend_alloc.c:2737
#23 0x63b7175148f0 in _estrndup /run/media/niels/MoreData/php-src/Zend/zend_alloc.c:2830
#24 0x63b7179d5340 in phpdbg_lex sapi/phpdbg/phpdbg_lexer.l:163
#25 0x63b7179f2802 in phpdbg_parse /run/media/niels/MoreData/php-src/sapi/phpdbg/phpdbg_parser.c:1329
#26 0x63b7179f62ee in phpdbg_do_parse /run/media/niels/MoreData/php-src/sapi/phpdbg/phpdbg_parser.y:200
#27 0x63b717a14ec4 in phpdbg_interactive /run/media/niels/MoreData/php-src/sapi/phpdbg/phpdbg_prompt.c:1541
#28 0x63b717a48b37 in main /run/media/niels/MoreData/php-src/sapi/phpdbg/phpdbg.c:1612
#29 0x7acd9aec4e07 (/usr/lib/libc.so.6+0x25e07) (BuildId: 98b3d8e0b8c534c769cb871c438b4f8f3a8e4bf3)
#30 0x7acd9aec4ecb in __libc_start_main (/usr/lib/libc.so.6+0x25ecb) (BuildId: 98b3d8e0b8c534c769cb871c438b4f8f3a8e4bf3)
#31 0x63b7168058e4 in _start (/run/media/niels/MoreData/php-src/sapi/phpdbg/phpdbg+0x6058e4) (BuildId: c8882f0fdc4e6671bd32a81fc1c7a6b3f0637e97)
PHP Version
8.3+
Operating System
No response
This is a buffer overread of the input in unescape_string, so that read should be bounded by the length, and the length field written to the parameter should be of the appropriate length as well. Fixing that however makes us end up in an infinite loop; so that implies there's a bug in the lexer/parser grammar itself probably as well.
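Added example, not part of the issue or of php-src: a sketch of the bounded read the comment above asks for, with the unescaped length reported as a `size_t` that can never exceed the input length. The function name, its signature and the sample tokens are assumptions made for illustration; phpdbg's actual `unescape_string` is not shown on this page.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical bounded unescape for a quoted token (not phpdbg's code).
 * s/len: token bytes, s[0] is the opening quote. Unescapes in place,
 * stores the unescaped length in *out_len and returns 0. Returns -1 if
 * the token ends before a closing quote; no byte at or past s[len] is
 * ever read, and the buffer contents are unspecified on failure. */
int unescape_bounded(char *s, size_t len, size_t *out_len)
{
    if (len < 2 || (s[0] != '\'' && s[0] != '"'))
        return -1;
    char quote = s[0];
    size_t r = 1, w = 0;            /* read and write offsets, w < r */
    while (r < len) {
        if (s[r] == quote) {        /* closing quote found inside bounds */
            *out_len = w;           /* w <= r - 1 < len: cannot underflow */
            return 0;
        }
        if (s[r] == '\\') {
            if (++r >= len)         /* backslash is the last byte */
                return -1;
        }
        s[w++] = s[r++];
    }
    /* Unterminated: reject instead of scanning on for a quote. A signed
     * length that goes negative here would convert to a huge unsigned
     * size, e.g. -7 as a 32-bit value is 4294967289. */
    return -1;
}

int main(void)
{
    /* Constructed sample tokens: one well-formed, one unterminated. */
    char ok[] = "'ab\\'c'";
    char bad[] = "';";
    size_t n = 0;
    if (unescape_bounded(ok, sizeof ok - 1, &n) == 0)
        printf("ok: %.*s (%zu bytes)\n", (int)n, ok, n);
    if (unescape_bounded(bad, sizeof bad - 1, &n) != 0)
        printf("rejected unterminated token\n");
    return 0;
}
```

The caller copies exactly `*out_len` bytes on success and treats `-1` as a lexer error rather than passing a length on to the allocator.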
Description
The following reproducer in phpdbg prompt:
Gives the following output: