Merge branch 'PHP-8.4' into PHP-8.5

ndossche · ndossche · commit c35224e11cc5 · 2025-12-19T19:37:11.000+01:00
* PHP-8.4: Fix GH-20352: UAF in php_output_handler_free via re-entrant ob_start() during error deactivation
diff --git a/NEWS b/NEWS
@@ -8,6 +8,8 @@ PHP                                                                        NEWS
   . Fixed bug GH-20695 (Assertion failure in normalize_value() when parsing
     malformed INI input via parse_ini_string()). (ndossche)
   . Fixed bug GH-20714 (Uncatchable exception thrown in generator). (ilutov)
+  . Fixed bug GH-20352 (UAF in php_output_handler_free via re-entrant
+    ob_start() during error deactivation). (ndossche)
 
 - DOM:
   . Fixed bug GH-20722 (Null pointer dereference in DOM namespace node cloning
diff --git a/main/output.c b/main/output.c
@@ -187,8 +187,12 @@ PHPAPI void php_output_deactivate(void)
 		/* release all output handlers */
 		if (OG(handlers).elements) {
 			while ((handler = zend_stack_top(&OG(handlers)))) {
-				php_output_handler_free(handler);
 				zend_stack_del_top(&OG(handlers));
+				/* It's possible to start a new output handler and mark it as active,
+				 * however this loop will destroy all active handlers. */
+				OG(active) = NULL;
+				ZEND_ASSERT(OG(running) == NULL && "output is deactivated therefore running should stay NULL");
+				php_output_handler_free(handler);
 			}
 		}
 		zend_stack_destroy(&OG(handlers));
@@ -718,10 +722,11 @@ PHPAPI void php_output_handler_dtor(php_output_handler *handler)
  * Destroy and free an output handler */
 PHPAPI void php_output_handler_free(php_output_handler **h)
 {
-	if (*h) {
-		php_output_handler_dtor(*h);
-		efree(*h);
+	php_output_handler *handler = *h;
+	if (handler) {
 		*h = NULL;
+		php_output_handler_dtor(handler);
+		efree(handler);
 	}
 }
 /* }}} */
diff --git a/tests/output/gh20352.phpt b/tests/output/gh20352.phpt
@@ -0,0 +1,24 @@
+--TEST--
+GH-20352 (UAF in php_output_handler_free via re-entrant ob_start() during error deactivation)
+--FILE--
+<?php
+class Test {
+    public function __destruct() {
+        // Spray output stack
+        for ($i = 0; $i < 1000; $i++)
+            ob_start(static function() {});
+    }
+
+    public function __invoke($x) {
+        // Trigger php_output_deactivate() through forbidden operation
+        ob_start('foo');
+        return $x;
+    }
+}
+
+ob_start(new Test, 1);
+
+echo "trigger bug";
+?>
+--EXPECTF--
+Fatal error: ob_start(): Cannot use output buffering in output buffering display handlers in %s on line %d

Original file line number	Diff line number	Diff line change
`@@ -187,8 +187,12 @@ PHPAPI void php_output_deactivate(void)`
`187`	`187`	`/* release all output handlers */`
`188`	`188`	`if (OG(handlers).elements) {`
`189`	`189`	`while ((handler = zend_stack_top(&OG(handlers)))) {`
`190`		`- php_output_handler_free(handler);`
`191`	`190`	`zend_stack_del_top(&OG(handlers));`
	`191`	`+ /* It's possible to start a new output handler and mark it as active,`
	`192`	`+ * however this loop will destroy all active handlers. */`
	`193`	`+ OG(active) = NULL;`
	`194`	`+ ZEND_ASSERT(OG(running) == NULL && "output is deactivated therefore running should stay NULL");`
	`195`	`+ php_output_handler_free(handler);`
`192`	`196`	`}`
`193`	`197`	`}`
`194`	`198`	`zend_stack_destroy(&OG(handlers));`
`@@ -718,10 +722,11 @@ PHPAPI void php_output_handler_dtor(php_output_handler *handler)`
`718`	`722`	`* Destroy and free an output handler */`
`719`	`723`	`PHPAPI void php_output_handler_free(php_output_handler **h)`
`720`	`724`	`{`
`721`		`- if (*h) {`
`722`		`- php_output_handler_dtor(*h);`
`723`		`- efree(*h);`
	`725`	`+ php_output_handler handler = h;`
	`726`	`+ if (handler) {`
`724`	`727`	`*h = NULL;`
	`728`	`+ php_output_handler_dtor(handler);`
	`729`	`+ efree(handler);`
`725`	`730`	`}`
`726`	`731`	`}`
`727`	`732`	`/* }}} */`