Fix GH-15496: Fix accessing NULL pointer on output handler stack

alexandre-daubois · alexandre-daubois · commit 88a94f85447a · 2025-08-11T11:38:39.000+02:00
diff --git a/ext/standard/tests/gh15496_original_reproducer.phpt b/ext/standard/tests/gh15496_original_reproducer.phpt
@@ -0,0 +1,54 @@
+--TEST--
+GH-15496: Session handler ob_start crash
+--FILE--
+<?php
+class MySessionHandler implements SessionHandlerInterface
+{
+    public function open ($save_path, $session_name): bool
+    {
+        return true;
+    }
+
+    public function close(): bool
+    {
+      return true;
+    }
+
+    public function read($id): string
+    {
+        return '';
+    }
+
+    public function write($id, $sess_data): bool
+    {
+        ob_start(function () {});
+
+        return true;
+    }
+
+    public function destroy($id): bool
+    {
+        return true;
+    }
+
+    public function gc($maxlifetime): int
+    {
+        return 0;
+    }
+}
+
+session_set_save_handler(new MySessionHandler());
+session_start();
+
+ob_start(function() {
+    var_dump($b);
+});
+
+while (1) {
+    $a[] = 1;
+}
+?>
+--EXPECTF--
+Fatal error: {closure%s}(): Cannot use output buffering in output buffering display handlers in %s on line %d
+
+Notice: ob_start(): Failed to create buffer in %s on line %d
diff --git a/main/output.c b/main/output.c
@@ -538,6 +538,9 @@ PHPAPI int php_output_handler_start(php_output_handler *handler)
 	if (php_output_lock_error(PHP_OUTPUT_HANDLER_START) || !handler) {
 		return FAILURE;
 	}
+	if (!(OG(flags) & PHP_OUTPUT_ACTIVATED)) {
+		return FAILURE;
+	}
 	if (NULL != (conflict = zend_hash_find_ptr(&php_output_handler_conflicts, handler->name))) {
 		if (SUCCESS != conflict(ZSTR_VAL(handler->name), ZSTR_LEN(handler->name))) {
 			return FAILURE;
