Skip to content

Commit bf63341

Browse files
ndosschendossche
committed
Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3: Fix GH-20722: Null pointer dereference in DOM namespace node cloning via clone on malformed objects
2 parents eb1c017 + 983be08 commit bf63341

File tree

3 files changed

+24
-5
lines changed

3 files changed

+24
-5
lines changed

NEWS

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,10 @@ PHP NEWS
1313
. Fixed bug GH-20620 (bzcompress overflow on large source size).
1414
(David Carlier)
1515

16+
- DOM:
17+
. Fixed bug GH-20722 (Null pointer dereference in DOM namespace node cloning
18+
via clone on malformed objects). (ndossche)
19+
1620
- GD:
1721
. Fixed bug GH-20622 (imagestring/imagestringup overflow). (David Carlier)
1822

ext/dom/php_dom.c

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -697,15 +697,17 @@ static zend_object *dom_object_namespace_node_clone_obj(zend_object *zobject)
697697
zend_object *clone = dom_objects_namespace_node_new(intern->dom.std.ce);
698698
dom_object_namespace_node *clone_intern = php_dom_namespace_node_obj_from_obj(clone);
699699

700-
xmlNodePtr original_node = dom_object_get_node(&intern->dom);
701-
ZEND_ASSERT(original_node->type == XML_NAMESPACE_DECL);
702-
xmlNodePtr cloned_node = php_dom_create_fake_namespace_decl_node_ptr(original_node->parent, original_node->ns);
703-
704700
if (intern->parent_intern) {
705701
clone_intern->parent_intern = intern->parent_intern;
706702
GC_ADDREF(&clone_intern->parent_intern->std);
707703
}
708-
dom_update_refcount_after_clone(&intern->dom, original_node, &clone_intern->dom, cloned_node);
704+
705+
xmlNodePtr original_node = dom_object_get_node(&intern->dom);
706+
if (original_node != NULL) {
707+
ZEND_ASSERT(original_node->type == XML_NAMESPACE_DECL);
708+
xmlNodePtr cloned_node = php_dom_create_fake_namespace_decl_node_ptr(original_node->parent, original_node->ns);
709+
dom_update_refcount_after_clone(&intern->dom, original_node, &clone_intern->dom, cloned_node);
710+
}
709711

710712
zend_objects_clone_members(clone, &intern->dom.std);
711713
return clone;

ext/dom/tests/gh20722.phpt

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,13 @@
1+
--TEST--
2+
GH-20722 (Null pointer dereference in DOM namespace node cloning via clone on malformed objects)
3+
--EXTENSIONS--
4+
dom
5+
--FILE--
6+
<?php
7+
8+
clone new DOMNameSpaceNode();
9+
echo "Done";
10+
11+
?>
12+
--EXPECT--
13+
Done

0 commit comments

Comments
 (0)