From 8a416bbda3eaac76819d8859d29395945f2423b9 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Wed, 31 Jul 2024 21:46:53 +0200
Subject: [PATCH] Fix GH-15181: Disabled output handler is flushed again

When an `PHP_OUTPUT_HANDLER_FAILURE` occurs, the output handler becomes disabled (i.e. the `PHP_OUTPUT_HANDLER_DISABLED` flag is set). However, there is no guard for disabled handlers in `php_output_handler_op()` what may cause serious issues (as reported, UB due to passing `NULL` as the 2nd argument of `memcpy`, because the handler's buffer has already been `NULL`ed). Therefore, we add a respective guard for disabled handlers, and return `PHP_OUTPUT_HANDLER_FAILURE` right away.
---
 main/output.c | 4 ++++
 tests/output/gh15181.phpt | 15 +++++++++++++++
 2 files changed, 19 insertions(+)
 create mode 100644 tests/output/gh15181.phpt

diff --git a/main/output.c b/main/output.c
index c6ac741cab1fc..ef6be672d1c16 100644
--- a/main/output.c
+++ b/main/output.c
@@ -925,6 +925,10 @@ static inline php_output_handler_status_t php_output_handler_op(php_output_handl
 );
 #endif
 
+ if (handler->flags & PHP_OUTPUT_HANDLER_DISABLED) {
+ return PHP_OUTPUT_HANDLER_FAILURE;
+ }
+
 if (php_output_lock_error(context->op)) {
 /* fatal error */
 return PHP_OUTPUT_HANDLER_FAILURE;
diff --git a/tests/output/gh15181.phpt b/tests/output/gh15181.phpt
new file mode 100644
index 0000000000000..5fa5c272b3992
--- /dev/null
+++ b/tests/output/gh15181.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Fix GH-15181 (Disabled output handler is flushed again)
+--FILE--
+
+===DONE===
+--EXPECT--
+===DONE===
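Review bot: The new guard in `php_output_handler_op()` returns `PHP_OUTPUT_HANDLER_FAILURE` before anything is done with `context`, so on this path nothing visible in the hunk sets `context->out` or consumes `context->in`. Whether bytes that reach an already-disabled handler are passed through or silently dropped therefore depends on the callers, which lie outside the hunk; each call site that can reach a disabled handler should be confirmed to handle the failure status. The guard also has no comment tying it to the invariant the commit message describes, so I would add `/* a disabled handler has already failed and its buffer was NULLed; never run it again (GH-15181) */` above the `if`. The function body starts and ends outside the hunk.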