From 887e6b9c4569418bad981fe5c6a61b3974ce3f7d Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Wed, 31 Jul 2024 21:46:53 +0200 Subject: [PATCH] Fix GH-15181: Disabled output handler is flushed again When a `PHP_OUTPUT_HANDLER_FAILURE` occurs, the output handler becomes disabled (i.e. the `PHP_OUTPUT_HANDLER_DISABLED` flag is set). However, there is no guard for disabled handlers in `php_output_handler_op()` which may cause serious issues (as reported, UB due to passing `NULL` as the 2nd argument of `memcpy`, because the handler's buffer has already been `NULL`ed). Therefore, we add a respective guard for disabled handlers, and return `PHP_OUTPUT_HANDLER_FAILURE` right away. Closes GH-15183. --- NEWS | 1 + main/output.c | 4 ++++ tests/output/gh15181.phpt | 15 +++++++++++++++ 3 files changed, 20 insertions(+) create mode 100644 tests/output/gh15181.phpt diff --git a/NEWS b/NEWS index 20bb9148200..bc6f12e479c 100644 --- a/NEWS +++ b/NEWS @@ -8,6 +8,7 @@ PHP NEWS . Fixed bug GH-15240 (Infinite recursion in trait hook). (ilutov) . Fixed bug GH-15140 (Missing variance check for abstract set with asymmetric type). (ilutov) + . Fixed bug GH-15181 (Disabled output handler is flushed again). (cmb) - Date: . Constants SUNFUNCS_RET_TIMESTAMP, SUNFUNCS_RET_STRING, and SUNFUNCS_RET_DOUBLE diff --git a/main/output.c b/main/output.c index c6ac741cab1..ef6be672d1c 100644 --- a/main/output.c +++ b/main/output.c @@ -925,6 +925,10 @@ static inline php_output_handler_status_t php_output_handler_op(php_output_handl ); #endif + if (handler->flags & PHP_OUTPUT_HANDLER_DISABLED) { + return PHP_OUTPUT_HANDLER_FAILURE; + } + if (php_output_lock_error(context->op)) { /* fatal error */ return PHP_OUTPUT_HANDLER_FAILURE; diff --git a/tests/output/gh15181.phpt b/tests/output/gh15181.phpt new file mode 100644 index 00000000000..5fa5c272b39 --- /dev/null +++ b/tests/output/gh15181.phpt 
@@ -0,0 +1,15 @@ +--TEST-- +Fix GH-15181 (Disabled output handler is flushed again) +--FILE-- + +===DONE=== +--EXPECT-- +===DONE===
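Review bot: In main/output.c, the new `PHP_OUTPUT_HANDLER_DISABLED` check in `php_output_handler_op()` returns before `php_output_lock_error(context->op)`, so a call on a disabled handler never reaches the lock check that the existing comment marks as a fatal error. If that ordering is intended, a one-line comment should say so; otherwise the guard belongs below the lock check. The guard would also benefit from a short comment stating why continuing is unsafe (per the commit message, a disabled handler's buffer has already been NULLed and would end up as the source argument of `memcpy`), since the flag test alone does not explain it.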
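Review bot: In tests/output/gh15181.phpt, the `--EXPECT--` section contains only `===DONE===`, so the test passes whenever the script runs to completion and asserts nothing about what happens to data sent to the handler after it was disabled. Since the defect described in the commit message is undefined behaviour from a `NULL` source pointer in `memcpy`, which need not crash on a regular build, the test may pass even without the guard unless it runs under a sanitizer. Consider adding an observable check on the second flush (for example, expected output showing the handler was not invoked again) so the regression is caught on non-instrumented builds as well.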