From 555d2402dab434b20eead4b536f6761a062b5c19 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Wed, 25 Sep 2024 17:36:39 +0200
Subject: [PATCH] Fix GH-16039: Segmentation fault (access null pointer) in
ext/dom/parentnode/tree.c
dom_object_get_node() can fail if we don't have a user object
associated.
Closes GH-16056.
---
ext/dom/parentnode.c | 5 +++++
ext/dom/tests/gh16039.phpt | 31 +++++++++++++++++++++++++++++++
2 files changed, 36 insertions(+)
create mode 100644 ext/dom/tests/gh16039.phpt
diff --git a/ext/dom/parentnode.c b/ext/dom/parentnode.c
index c30db6fcd745f..ea4edb0774376 100644
--- a/ext/dom/parentnode.c
+++ b/ext/dom/parentnode.c
@@ -272,6 +272,11 @@ static zend_result dom_sanity_check_node_list_for_insertion(php_libxml_ref_obj *
if (instanceof_function(ce, dom_node_class_entry)) {
xmlNodePtr node = dom_object_get_node(Z_DOMOBJ_P(nodes + i));
+ if (!node) {
+ php_dom_throw_error(INVALID_STATE_ERR, /* strict */ true);
+ return FAILURE;
+ }
+
if (node->doc != documentNode) {
php_dom_throw_error(WRONG_DOCUMENT_ERR, dom_get_strict_error(document));
return FAILURE;
diff --git a/ext/dom/tests/gh16039.phpt b/ext/dom/tests/gh16039.phpt
new file mode 100644
index 0000000000000..48a862eda7b20
--- /dev/null
+++ b/ext/dom/tests/gh16039.phpt
@@ -0,0 +1,31 @@
+--TEST--
+GH-16039 (Segmentation fault (access null pointer) in ext/dom/parentnode/tree.c)
+--EXTENSIONS--
+dom
+--FILE--
+appendChild($dom->createElement('root'));
+try {
+ $element->prepend('x', new DOMEntity);
+} catch (DOMException $e) {
+ echo $e->getMessage(), "\n";
+}
+echo $dom->saveXML();
+$dom->strictErrorChecking = false; // Should not have influence
+try {
+ $element->prepend('x', new DOMEntity);
+} catch (DOMException $e) {
+ echo $e->getMessage(), "\n";
+}
+echo $dom->saveXML();
+
+?>
+--EXPECT--
+Invalid State Error
+
+
+Invalid State Error
+
+