Merge branch 'PHP-8.5'

ndossche · ndossche · commit b6f786a7ca31 · 2025-12-18T22:40:19.000+01:00
* PHP-8.5: Fix GH-20722: Null pointer dereference in DOM namespace node cloning via clone on malformed objects
diff --git a/ext/dom/php_dom.c b/ext/dom/php_dom.c
@@ -714,15 +714,17 @@ static zend_object *dom_object_namespace_node_clone_obj(zend_object *zobject)
 	zend_object *clone = dom_objects_namespace_node_new(intern->dom.std.ce);
 	dom_object_namespace_node *clone_intern = php_dom_namespace_node_obj_from_obj(clone);
 
-	xmlNodePtr original_node = dom_object_get_node(&intern->dom);
-	ZEND_ASSERT(original_node->type == XML_NAMESPACE_DECL);
-	xmlNodePtr cloned_node = php_dom_create_fake_namespace_decl_node_ptr(original_node->parent, original_node->ns);
-
 	if (intern->parent_intern) {
 		clone_intern->parent_intern = intern->parent_intern;
 		GC_ADDREF(&clone_intern->parent_intern->std);
 	}
-	dom_update_refcount_after_clone(&intern->dom, original_node, &clone_intern->dom, cloned_node);
+
+	xmlNodePtr original_node = dom_object_get_node(&intern->dom);
+	if (original_node != NULL) {
+		ZEND_ASSERT(original_node->type == XML_NAMESPACE_DECL);
+		xmlNodePtr cloned_node = php_dom_create_fake_namespace_decl_node_ptr(original_node->parent, original_node->ns);
+		dom_update_refcount_after_clone(&intern->dom, original_node, &clone_intern->dom, cloned_node);
+	}
 
 	zend_objects_clone_members(clone, &intern->dom.std);
 	return clone;
diff --git a/ext/dom/tests/gh20722.phpt b/ext/dom/tests/gh20722.phpt
@@ -0,0 +1,13 @@
+--TEST--
+GH-20722 (Null pointer dereference in DOM namespace node cloning via clone on malformed objects)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+
+clone new DOMNameSpaceNode();
+echo "Done";
+
+?>
+--EXPECT--
+Done
