Heap use-after-free in phpdbg (zend_hash.c:57 in _zend_is_inconsistent)

[YuanchengJiang]

Description

The following code:

<?php
header_register_callback(function() { echo "sent";});
$a = [0];
$a[0] = 1;
$b = &$a;
$a[0] = 2;
$a[1] = 3;
$c = [1];
$b = &$c;
?>

Resulted in this output:

Segmentation fault (core dumped)

To reproduce:

phpdbg ./test.php
> b 4
> r
> w $a[0]
> w r $b
> c
> q

(I guess the bug for phpdbg might not be exploitable? so I make it public)

PHP Version

PHP 8.4.0-dev

Operating System

ubuntu 22.04

[devnexen]

Thanks I ll try to have a look within the next days both phpdbg issues.