Segmentation fault (access null pointer) in Zend/zend_stack.c

[YuanchengJiang]

Description

The following code:

<?php
class MySessionHandler implements SessionHandlerInterface {
    public function open ($save_path, $session_name): bool {
        return true;
    }
    public function close(): bool {}
    public function read($id): string {
        return '';
    }
    public function write($id, $sess_data): bool {
        ob_start(function () {});
    }
    public function destroy($id): bool {}
    public function gc($maxlifetime): int {}
}

session_set_save_handler(new MySessionHandler());
session_start();

ob_start(function() {
    var_dump($b);
});

while (1) {
    $a[] = 1;
}

Resulted in this output:

/php-src/Zend/zend_stack.c:40:9: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /php-src/Zend/zend_stack.c:40:9

PHP Version

PHP 8.4.0-dev

Operating System

ubuntu 22.04

[cmb69]

From a quick look, that seems to be another output buffering issue.

[iluuu1994]

I had a look, and what I believe is happening:

• The session handler is registered. It's only job is to trigger on shutdown.
• ob_start() handler is registered, emitting some warning (undefined variable).
• We OOM, which invokes php_output_discard_all().
  

  php-src/main/main.c

  Lines 1335 to 1337 in 6b809c8

  	if (zend_alloc_in_memory_limit_error_reporting()) {
  	php_output_discard_all();
  	}

• As part of discarding output buffers, we invoke them. $b triggers another error, again invoking php_output_discard_all().
• This time, the output handler is locked. When this happens, php_output_deactivate() is called, and then we error again, which includes zend_bailout().
  

  php-src/main/output.c

  Lines 762 to 765 in 6b809c8

  	if (op && OG(active) && OG(running)) {
  	/* fatal error */
  	php_output_deactivate();
  	php_error_docref("ref.outcontrol", E_ERROR, "Cannot use output buffering in output buffering display handlers");

• On shutdown, the session handler invokes, which calls op_start(). However, OG(handlers) has already been destroyed, so we get a NULL pointer exception.

With all of that said, I don't know what the best approach is to fix this. Maybe we just don't trigger the handler when cleaning the output? I really don't know much about output buffering.