I've checked the sources and if you changed the implementation of ob_flush everything works:

use this:
php_end_ob_buffer(1, 0 TSRMLS_CC);
instead of:
php_end_ob_buffer(1, 1 TSRMLS_CC);

So, the error is in just_flush in php_end_ob_buffer().

I think i've tracked this one down to the URL parser, it happens when the argument do_flush is set to false for url_adapt_ext (url_scanner_ex.c line 837) this is because it only expects to do the re-write at the final flush.

I modified what was passed in to accept the final flush or a flush halfway through the script execution.

Patch
---
diff -u url_scanner_ex.c url_scanner_ex.c.patched
--- url_scanner_ex.c    2004-02-10 01:29:05.000000000 +0000
+++ url_scanner_ex.c.patched    2004-02-10 01:30:51.000000000 +0000
@@ -918,7 +918,8 @@
        size_t len;
 
     if (BG(url_adapt_state_ex).url_app.len != 0) {
-        *handled_output = url_adapt_ext(output, output_len, &len, (zend_bool) (mode&PHP_OUTPUT_HANDLER_END ? 1 : 0) TSRMLS_CC);
+        *handled_output = url_adapt_ext(output, output_len, &len, (zend_bool) ((mode & PHP_OUTPUT_HANDLER_CONT) || (mode 
+& PHP_OUTPUT_HANDLER_END) ? 1 : 0) TSRMLS_CC);
                if (sizeof(uint) < sizeof(size_t)) {
                        if (len > UINT_MAX)
                                len = UINT_MAX;

this patch works for me

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.