
UAF in php_output_handler_free via re-entrant ob_start() during error deactivation #20352

@vi3tL0u1s

Description

The following code:

<?php
// PHP class names are case-insensitive, so `new A` below instantiates this same class.
class a {
    function __destruct() {
        // Nullsafe property read on an array literal: the operand is not null, so the
        // read proceeds, emits a warning and yields null (then an offset read on null).
        ['']?->a[''];
        // Chunk size 1: the handler runs as soon as anything is written to the buffer.
        ob_start(function () use (&$c) {
            return 'x';
        }, 1);
        $c = new A;
        unset($c);            // drops the only reference, so that object's __destruct runs now
        $c = new A;
        $array = array($c);   // a second handle keeps the object alive
        unset($c);            // $array still holds it, so no destruction here
        // A second handler is installed while the first is active; its callback
        // creates yet another instance from inside the output layer.
        ob_start(function () use (&$c) {
            $c = new A;
            return 'x';
        }, 1);
    }
}
// The temporary is discarded immediately, so __destruct runs.
new a;

Resulted in this output:

==2393315==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0000094c0 at pc 0x5621f400a57c bp 0x7ffc59878790 sp 0x7ffc59878788

Commit:

2d450695605

Configuration:

CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" ./configure --enable-debug --enable-address-sanitizer --disable-shared --with-pic

PHP Version

PHP 8.6.0-dev (cli) (built: Nov  1 2025 16:03:38) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.6.0-dev, Copyright (c) Zend Technologies
    with Zend OPcache v8.6.0-dev, Copyright (c), by Zend Technologies

Operating System

Ubuntu 22.04
