Double free of init_file in phpdbg_prompt.c

### Description

Pointer `init_file` is passed to a function `free` at phpdbg_prompt.c:368 by calling function after the referenced memory was deallocated at phpdbg_prompt.c:333 by passing as first parameter to function `phpdbg_try_file_init` at phpdbg_prompt.c:367.

1. In line 367 `init_file` is passed to function `phpdbg_try_file_init` and variable `free_init` (last parameter) is set to 1:
https://github.com/php/php-src/blob/38bd30547391f8afb07a790ee0922170aabda2be/sapi/phpdbg/phpdbg_prompt.c#L367-L368
2. Then `init_file` is freed in function `phpdbg_try_file_init`:
https://github.com/php/php-src/blob/38bd30547391f8afb07a790ee0922170aabda2be/sapi/phpdbg/phpdbg_prompt.c#L332-L334
3. `init_file` is freed again in line 368:
https://github.com/php/php-src/blob/38bd30547391f8afb07a790ee0922170aabda2be/sapi/phpdbg/phpdbg_prompt.c#L367-L368

This is probably a small typo, as there is a counterexample here (`free_init` is set to 0):
https://github.com/php/php-src/blob/38bd30547391f8afb07a790ee0922170aabda2be/sapi/phpdbg/phpdbg_prompt.c#L348-L349

Found by Linux Verification Center ([portal.linuxtesting.ru](http://portal.linuxtesting.ru/)) with SVACE.
Author A. Burke.

### PHP Version

PHP 8.2.3

### Operating System

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Double free of init_file in phpdbg_prompt.c #12962

Description

PHP Version

Operating System

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

	phpdbg_try_file_init(init_file, strlen(init_file), 1);
	free(init_file);

	phpdbg_try_file_init(sys_ini, strlen(sys_ini), 0);
	free(sys_ini);

	if (free_init) {
	free(init_file);
	}

Double free of init_file in phpdbg_prompt.c #12962

Description

Description

PHP Version

Operating System

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions