Segmentation fault (access null pointer) in Zend/zend_stack.c

[YuanchengJiang]

Description

The following code:

<?php
class MySessionHandler implements SessionHandlerInterface {
    public function open ($save_path, $session_name): bool {
        return true;
    }
    public function close(): bool {}
    public function read($id): string {
        return '';
    }
    public function write($id, $sess_data): bool {
        ob_start(function () {});
    }
    public function destroy($id): bool {}
    public function gc($maxlifetime): int {}
}

session_set_save_handler(new MySessionHandler());
session_start();

ob_start(function() {
    var_dump($b);
});

while (1) {
    $a[] = 1;
}

Resulted in this output:

/php-src/Zend/zend_stack.c:40:9: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /php-src/Zend/zend_stack.c:40:9

PHP Version

PHP 8.4.0-dev

Operating System

ubuntu 22.04

[cmb69]

From a quick look, that seems to be another output buffering issue.

[iluuu1994]

I had a look, and what I believe is happening:

• The session handler is registered. It's only job is to trigger on shutdown.
• ob_start() handler is registered, emitting some warning (undefined variable).
• We OOM, which invokes php_output_discard_all(). https://github.com/php/php-src/blob/6b809c8890f983c587f62b8bbf6b7470341f05b3/main/main.c#L1335-L1337
• As part of discarding output buffers, we invoke them. $b triggers another error, again invoking php_output_discard_all().
• This time, the output handler is locked. When this happens, php_output_deactivate() is called, and then we error again, which includes zend_bailout(). https://github.com/php/php-src/blob/6b809c8890f983c587f62b8bbf6b7470341f05b3/main/output.c#L762-L765
• On shutdown, the session handler invokes, which calls op_start(). However, OG(handlers) has already been destroyed, so we get a NULL pointer exception.

With all of that said, I don't know what the best approach is to fix this. Maybe we just don't trigger the handler when cleaning the output? I really don't know much about output buffering.