From 67ce8759e87bff6ff783d081cb7780d508197220 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Sat, 3 Aug 2024 00:56:17 +0200 Subject: [PATCH] Fix GH-15179: Segmentation fault (null pointer dereference) in ext/standard/url_scanner_ex.re Based on analysis by Ilija: https://github.com/php/php-src/issues/15179#issuecomment-2261546902 * Apply suggestions from code review Closes GH-15206. Co-authored-by: Ilija Tovilo --- NEWS | 4 ++++ ext/standard/url_scanner_ex.re | 7 ++++++- tests/output/gh15179.phpt | 18 ++++++++++++++++++ 3 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 tests/output/gh15179.phpt diff --git a/NEWS b/NEWS index b2db9a9697d..a86d3c59aca 100644 --- a/NEWS +++ b/NEWS @@ -32,6 +32,10 @@ PHP NEWS . Fixed bug GH-13775 (Memory leak possibly related to opcache SHM placement). (Arnaud, nielsdos) +- Output: + . Fixed bug GH-15179 (Segmentation fault (null pointer dereference) in + ext/standard/url_scanner_ex.re). (nielsdos) + - PDO_Firebird: . Fix bogus fallthrough path in firebird_handle_get_attribute(). (nielsdos) diff --git a/ext/standard/url_scanner_ex.re b/ext/standard/url_scanner_ex.re index 77b4d79793b..b22cf3cc49c 100644 --- a/ext/standard/url_scanner_ex.re +++ b/ext/standard/url_scanner_ex.re @@ -736,6 +736,7 @@ static inline int php_url_scanner_add_var_impl(const char *name, size_t name_len zend_string *encoded; url_adapt_state_ex_t *url_state; php_output_handler_func_t handler; + bool should_start = false; if (type) { url_state = &BG(url_adapt_session_ex); @@ -747,7 +748,7 @@ static inline int php_url_scanner_add_var_impl(const char *name, size_t name_len if (!url_state->active) { php_url_scanner_ex_activate(type); - php_output_start_internal(ZEND_STRL("URL-Rewriter"), handler, 0, PHP_OUTPUT_HANDLER_STDFLAGS); + should_start = true; url_state->active = 1; } 
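Review bot: The new `should_start = true;` line in the @@ -747 hunk replaces the immediate handler start without a comment saying why the start is now deferred to the end of php_url_scanner_add_var_impl, so a later reader may "simplify" it back and reintroduce GH-15179. A short comment at the assignment would carry the reasoning, e.g. `/* Deferred: start the URL-Rewriter output handler only after the variable has been added and hname/hvalue are freed (see GH-15179). */`. Note also that `url_state->active = 1` is now set well before the handler is actually installed, so any code path between the two that consults `active` sees an active scanner with no handler; the second half of this change is in the @@ -786 hunk. The enclosing function starts before this hunk.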
@@ -786,6 +787,10 @@ static inline int php_url_scanner_add_var_impl(const char *name, size_t name_len smart_str_free(&hname); smart_str_free(&hvalue); + if (should_start) { + php_output_start_internal(ZEND_STRL("URL-Rewriter"), handler, 0, PHP_OUTPUT_HANDLER_STDFLAGS); + } + return SUCCESS; } diff --git a/tests/output/gh15179.phpt b/tests/output/gh15179.phpt new file mode 100644 index 00000000000..207728446df --- /dev/null +++ b/tests/output/gh15179.phpt @@ -0,0 +1,18 @@ +--TEST-- +GH-15179 (Segmentation fault (null pointer dereference) in ext/standard/url_scanner_ex.re) +--CREDITS-- +YuanchengJiang +--INI-- +memory_limit=64M +--SKIPIF-- + +--FILE-- + +--EXPECTF-- +Fatal error: Allowed memory size of %d bytes exhausted %s
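Review bot: The return value of `php_output_start_internal` is still discarded in the new `if (should_start)` block, and because `url_state->active = 1` was already set in the @@ -747 hunk, a failed start leaves the scanner marked active with no handler installed. The check was already missing before the move, but now that the call stands alone at the end of the function it is the natural place to add one. If the call reports failure through its status return (it appears to in php_output.h, to be confirmed), consider `if (php_output_start_internal(ZEND_STRL("URL-Rewriter"), handler, 0, PHP_OUTPUT_HANDLER_STDFLAGS) == FAILURE) { url_state->active = 0; }`, or at least a comment stating why a failed start is intentionally ignored here. The memory-limit path exercised by tests/output/gh15179.phpt appears to bail out rather than return, so this only matters for the non-bailout failure modes.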