Fix GH-15181: Disabled output handler is flushed again

When an `PHP_OUTPUT_HANDLER_FAILURE` occurs, the output handler becomes
disabled (i.e. the `PHP_OUTPUT_HANDLER_DISABLED` flag is set).  However,
there is no guard for disabled handlers in `php_output_handler_op()`
what may cause serious issues (as reported, UB due to passing `NULL` as
the 2nd argument of `memcpy`, because the handler's buffer has already
been `NULL`ed).  Therefore, we add a respective guard for disabled
handlers, and return `PHP_OUTPUT_HANDLER_FAILURE` right away.

Closes GH-15183.

Author: cmb69

NEWS

@@ -8,6 +8,7 @@ PHP                                                                        NEWS
   . Fixed bug GH-15240 (Infinite recursion in trait hook). (ilutov)
   . Fixed bug GH-15140 (Missing variance check for abstract set with asymmetric
     type). (ilutov)
+  . Fixed bug GH-15181 (Disabled output handler is flushed again). (cmb)
 
 - Date:
   . Constants SUNFUNCS_RET_TIMESTAMP, SUNFUNCS_RET_STRING, and SUNFUNCS_RET_DOUBLE

main/output.c

@@ -925,6 +925,10 @@ static inline php_output_handler_status_t php_output_handler_op(php_output_handl
 	);
 #endif
 
+	if (handler->flags & PHP_OUTPUT_HANDLER_DISABLED) {
+		return PHP_OUTPUT_HANDLER_FAILURE;
+	}
+
 	if (php_output_lock_error(context->op)) {
 		/* fatal error */
 		return PHP_OUTPUT_HANDLER_FAILURE;

tests/output/gh15181.phpt

@@ -0,0 +1,15 @@
+--TEST--
+Fix GH-15181 (Disabled output handler is flushed again)
+--FILE--
+<?php
+ob_start(function () {
+    throw new Exception('ob_start');
+});
+try {
+    ob_flush();
+} catch (Throwable) {}
+ob_flush();
+?>
+===DONE===
+--EXPECT--
+===DONE===