Fix out of bounds write in phpdbg

It seems that this code has a peculiar interpretation of "len",
where it actually points to the last character, not one past it.
So we need +1 here for that extra char and another +1 for the
terminating null byte.

Author: nikic

sapi/phpdbg/phpdbg_prompt.c

@@ -838,7 +838,7 @@ PHPDBG_COMMAND(run) /* {{{ */
 			while (*p == ' ') p++;
 			while (*p) {
 				char sep = ' ';
-				char *buf = emalloc(end - p + 1), *q = buf;
+				char *buf = emalloc(end - p + 2), *q = buf;
 
 				if (*p == '<') {
 					/* use as STDIN */