From c434e046bcf935b997d5bd156a64e1bed8b880b3 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+ndossche@users.noreply.github.com> Date: Sun, 11 Jan 2026 20:38:03 +0100 Subject: [PATCH 1/2] Remove LIBXML_XINCLUDE option from valid list of XMLDocument (#20907) This option is only valid for pull parsers. --- NEWS | 4 ++++ ext/dom/tests/modern/xml/XMLDocument_fromString_03.phpt | 3 +-- ext/dom/xml_document.c | 2 -- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index 0899163d87b75..b3df4f43c4603 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,10 @@ PHP NEWS needing to be present beforehand. (ndossche) . Added `clamp()`. (kylekatarnls, thinkverse) +- DOM: + . Removed LIBXML_XINCLUDE from valid options for XMLDocument, + as it was a no-op. (ndossche) + - Fileinfo: . Fixed bug GH-20679 (finfo_file() doesn't work on remote resources). (ndossche) diff --git a/ext/dom/tests/modern/xml/XMLDocument_fromString_03.phpt b/ext/dom/tests/modern/xml/XMLDocument_fromString_03.phpt index 13359f4b28585..16db09547bff7 100644 --- a/ext/dom/tests/modern/xml/XMLDocument_fromString_03.phpt +++ b/ext/dom/tests/modern/xml/XMLDocument_fromString_03.phpt @@ -6,7 +6,7 @@ dom Date: Fri, 9 Jan 2026 17:14:11 +0100 Subject: [PATCH 2/2] Fix GH-20856: heap-use-after-free in SplDoublyLinkedList iterator when modifying during iteration The element may be still in use in other places, so the linking pointers should be kept consistent. If not consistent, the "move forward" code in the sample test will read a stale, dangling pointer. Closes GH-20885. --- NEWS | 4 ++++ ext/spl/spl_dllist.c | 7 +++++-- ext/spl/tests/gh20856.phpt | 26 ++++++++++++++++++++++++++ 3 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 ext/spl/tests/gh20856.phpt diff --git a/NEWS b/NEWS index ab7bea69fb6d1..21f69b8895c3a 100644 --- a/NEWS +++ b/NEWS 
@@ -20,6 +20,10 @@ PHP NEWS . Fixed bug GH-18139 (Memory leak when overriding some settings via readline_info()). (ndossche) +- SPL: + . Fixed bug GH-20856 (heap-use-after-free in SplDoublyLinkedList iterator + when modifying during iteration). (ndossche) + - Standard: . Fixed bug #74357 (lchown fails to change ownership of symlink with ZTS) (Jakub Zelenka) diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c index 5a78db2921a81..2ac7980a86cb6 100644 --- a/ext/spl/spl_dllist.c +++ b/ext/spl/spl_dllist.c @@ -764,11 +764,10 @@ PHP_METHOD(SplDoublyLinkedList, offsetUnset) element = spl_ptr_llist_offset(intern->llist, index, intern->flags & SPL_DLLIST_IT_LIFO); if (element != NULL) { - /* connect the neightbors */ + /* disconnect the neighbours */ if (element->prev) { element->prev->next = element->next; } - if (element->next) { element->next->prev = element->prev; } @@ -782,6 +781,10 @@ PHP_METHOD(SplDoublyLinkedList, offsetUnset) llist->tail = element->prev; } + /* Keep consistency if element is kept alive. */ + element->prev = NULL; + element->next = NULL; + /* finally, delete the element */ llist->count--; diff --git a/ext/spl/tests/gh20856.phpt b/ext/spl/tests/gh20856.phpt new file mode 100644 index 0000000000000..8bc1b3c95827c --- /dev/null +++ b/ext/spl/tests/gh20856.phpt @@ -0,0 +1,26 @@ +--TEST-- +GH-20856 (heap-use-after-free in SplDoublyLinkedList iterator when modifying during iteration) +--CREDITS-- +vi3tL0u1s +iluuu1994 +--FILE-- + +--EXPECTF-- +object(SplStack)#%d (%d) { + ["flags":"SplDoublyLinkedList":private]=> + int(6) + ["dllist":"SplDoublyLinkedList":private]=> + array(0) { + } +}
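Review bot: The added comment `/* Keep consistency if element is kept alive. */` in the second spl_dllist.c hunk (offsetUnset) does not say who can keep the element alive or why NULL is the safe value, which is the invariant this use-after-free fix depends on. Going by the commit message, an iterator can still reference the unlinked element and later read its links, so I would write it as `/* An iterator may still hold this element: clear its links so a later move forward ends the traversal instead of following a stale pointer to a former neighbour. */`. The other paths that unlink an element from the list are not visible in this patch, so it is worth confirming that they leave a detached element in the same state. In the first hunk, the reworded comment `/* disconnect the neighbours */` sits above code that joins the two neighbours to each other; `/* unlink the element from its neighbours */` would describe it more exactly. The method body starts and ends outside both hunks.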