From 5447473785b9410bf895c36a6ace065bdab55d7a Mon Sep 17 00:00:00 2001
From: ndossche
Date: Thu, 30 Jan 2025 10:29:46 +0100
Subject: [PATCH 1/2] Partially fix GH-17387
The length of the string should be set to the truncated length (that was used to duplicate the input anyway).
---
 NEWS | 3 +++
 sapi/phpdbg/phpdbg_lexer.l | 5 +++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/NEWS b/NEWS
index 036d6113444..7c51ecc121c 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,9 @@ PHP NEWS
 . Fixed bug GH-17623 (Broken stack overflow detection for variable compilation).
 (ilutov)
+- PHPDBG:
+ . Partially fixed bug GH-17387 (Trivial crash in phpdbg lexer). (nielsdos)
+
 13 Feb 2025, PHP 8.3.17
 - Core:
diff --git a/sapi/phpdbg/phpdbg_lexer.l b/sapi/phpdbg/phpdbg_lexer.l
index 6245262a005..60d995526ea 100644
--- a/sapi/phpdbg/phpdbg_lexer.l
+++ b/sapi/phpdbg/phpdbg_lexer.l
@@ -160,8 +160,9 @@ INPUT ("\\"[#"']|["]("\\\\"|"\\"["]|[^\n\000"])*["]|[']("\\"[']|"\\\\"|[^\
 {GENERIC_ID} {
 phpdbg_init_param(yylval, STR_PARAM);
- yylval->str = estrndup(yytext, yyleng - unescape_string(yytext));
- yylval->len = yyleng;
+ size_t len = yyleng - unescape_string(yytext);
+ yylval->str = estrndup(yytext, len);
+ yylval->len = len;
 return T_ID;
 }
From 62bbfdebaa0458eee31bb015b507f36653fcdf5c Mon Sep 17 00:00:00 2001
From: ndossche
Date: Thu, 30 Jan 2025 10:30:25 +0100
Subject: [PATCH 2/2] Fix memory leak in phpdbg calling registered function
Closes GH-17635.
---
 NEWS | 1 +
 sapi/phpdbg/phpdbg_prompt.c | 3 +++
 sapi/phpdbg/tests/register_function_leak.phpt | 24 +++++++++++++++++++
 3 files changed, 28 insertions(+)
 create mode 100644 sapi/phpdbg/tests/register_function_leak.phpt
diff --git a/NEWS b/NEWS
index 7c51ecc121c..ca459617aaf 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,7 @@ PHP NEWS
 - PHPDBG:
 . Partially fixed bug GH-17387 (Trivial crash in phpdbg lexer). (nielsdos)
+ . Fix memory leak in phpdbg calling registered function. (nielsdos)
 13 Feb 2025, PHP 8.3.17
 
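Review bot: `size_t len = yyleng - unescape_string(yytext);` still assumes `unescape_string()` never returns more than `yyleng`; if it did, the result would wrap (or a negative `int` would convert to a huge `size_t`) and `estrndup()` would read past the token, so a guard such as `ZEND_ASSERT(len <= (size_t) yyleng);` right after the subtraction would pin the invariant this fix relies on. Neither the return type of `unescape_string()` nor the type of `yyleng` is visible in this hunk, so the exact form of the check should be confirmed against the helper's declaration. The line also deserves a why-comment, since the call both rewrites the buffer and yields the length adjustment: `/* unescape_string() presumably shortens yytext in place; duplicate and record only the shortened length. */`. The `{GENERIC_ID}` action is fully visible here, but the commit describes itself as a partial fix, so whatever else GH-17387 needs lies outside this hunk.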
diff --git a/sapi/phpdbg/phpdbg_prompt.c b/sapi/phpdbg/phpdbg_prompt.c
index 5276d62ee29..e43bf647c76 100644
--- a/sapi/phpdbg/phpdbg_prompt.c
+++ b/sapi/phpdbg/phpdbg_prompt.c
@@ -189,6 +189,9 @@ static inline int phpdbg_call_register(phpdbg_param_t *stack) /* {{{ */
 zval_ptr_dtor_str(&fci.function_name);
 efree(lc_name);
+ if (fci.named_params) {
+ zend_array_destroy(fci.named_params);
+ }
 return SUCCESS;
 }
diff --git a/sapi/phpdbg/tests/register_function_leak.phpt b/sapi/phpdbg/tests/register_function_leak.phpt
new file mode 100644
index 00000000000..b5416ea95bc
--- /dev/null
+++ b/sapi/phpdbg/tests/register_function_leak.phpt
@@ -0,0 +1,24 @@
+--TEST--
+registering a function and calling it leaks arguments memory
+--FILE--
+
+--PHPDBG--
+register var_dump
+var_dump "a" "b"
+register flush
+flush
+r
+q
+--EXPECTF--
+[Successful compilation of %s]
+prompt> [Registered var_dump]
+prompt> string(1) "a"
+string(1) "b"
+
+prompt> [Registered flush]
+prompt>
+prompt> Done
+[Script ended normally]
+prompt>
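Review bot: The added `zend_array_destroy(fci.named_params)` frees the table only on the path that reaches `return SUCCESS`; `phpdbg_call_register()` begins outside this hunk, so if any earlier return sits between the point where `fci.named_params` is populated and this cleanup, those paths still leak — worth confirming, or hoisting the release into a single exit path. `zend_array_destroy()` also ignores the refcount; if the table could ever still be referenced when `zend_call_function()` returns, `zend_array_release(fci.named_params);` is the safer call. Either way a short ownership note would help the next reader, e.g. `/* named_params is built and owned by this frame; zend_call_function() does not take it over. */` — that ownership is inferred from the unconditional destroy, so confirm it against the code that fills the table.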
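Review bot: On this page the `--FILE--` section of the new test is a single empty `+` line, so the script that `[Successful compilation of %s]` expects to compile is not visible; if the committed file really has an empty `--FILE--` the test cannot pass, so please confirm the PHP body was not lost (it may simply have been stripped in rendering). The test asserts only the prompt output, and as far as I can tell the leak it guards against is reported only on builds where the Zend memory manager tracks leaks, so a hint in the `--TEST--` line such as `registering a function and calling it leaks arguments memory (reported on debug builds)` would tell a maintainer on a release build why a green run proves little.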