From 42b22d3a9418e948fddf896dbe37536c6cc12f43 Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Tue, 25 Jun 2019 13:08:28 +0200
Subject: [PATCH] Fix out of bounds write in phpdbg

It seems that this code has a peculiar interpretation of "len", where it actually points to the last character, not one past it. So we need +1 here for that extra char and another +1 for the terminating null byte.
---
 sapi/phpdbg/phpdbg_prompt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sapi/phpdbg/phpdbg_prompt.c b/sapi/phpdbg/phpdbg_prompt.c
index 248391b188..f2f20ae75b 100644
--- a/sapi/phpdbg/phpdbg_prompt.c
+++ b/sapi/phpdbg/phpdbg_prompt.c
@@ -838,7 +838,7 @@ PHPDBG_COMMAND(run) /* {{{ */
 while (*p == ' ') p++;
 while (*p) {
 char sep = ' ';
- char *buf = emalloc(end - p + 1), *q = buf;
+ char *buf = emalloc(end - p + 2), *q = buf;
 
 if (*p == '<') {
 /* use as STDIN */
-- 
2.40.0
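Review bot: The `+ 2` in `emalloc(end - p + 2)` is a bare magic number in the code; the reason for it (that `end` addresses the last character rather than one past it) is stated only in the commit message. A comment above the allocation would keep the next edit from "correcting" it back, for example `/* end points AT the last char, not one past it: +1 for that char, +1 for the NUL */`. The loop body that writes through `q` continues outside this hunk, so it is not visible here whether every write path stays within `end - p + 2` bytes; that is worth confirming against the full function. The diffstat shows only `phpdbg_prompt.c` changed, so no regression test accompanies the fix; a phpdbg test for the `run` argument parsing, executed under a memory checker, would pin the corrected size.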