From 9d39ff764ed6b2f81f997b6bc0b8bc7122589ce5 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sat, 23 Nov 2024 15:58:48 +0100
Subject: [PATCH 1/4] Fix GH-16906: Reloading document can cause UAF in
iterator
Closes GH-16909.
---
NEWS | 2 ++
ext/dom/php_dom.c | 6 ++++++
ext/dom/php_dom.h | 1 +
ext/dom/tests/gh16906.phpt | 17 +++++++++++++++++
4 files changed, 26 insertions(+)
create mode 100644 ext/dom/tests/gh16906.phpt
diff --git a/NEWS b/NEWS
index e6f1e5a9339e3..30d156a354017 100644
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,8 @@ PHP NEWS
- DOM:
. Fixed bug GH-16777 (Calling the constructor again on a DOM object after it
is in a document causes UAF). (nielsdos)
+ . Fixed bug GH-16906 (Reloading document can cause UAF in iterator).
+ (nielsdos)
- FPM:
. Fixed GH-16432 (PHP-FPM 8.2 SIGSEGV in fpm_get_status). (Jakub Zelenka)
diff --git a/ext/dom/php_dom.c b/ext/dom/php_dom.c
index 5c7aacefba5d0..7ec107dd712e3 100644
--- a/ext/dom/php_dom.c
+++ b/ext/dom/php_dom.c
@@ -1018,6 +1018,10 @@ void dom_namednode_iter(dom_object *basenode, int ntype, dom_object *intern, xml
mapptr->baseobj = basenode;
mapptr->nodetype = ntype;
mapptr->ht = ht;
+ if (EXPECTED(doc != NULL)) {
+ mapptr->dict = doc->dict;
+ xmlDictReference(doc->dict);
+ }
const xmlChar* tmp;
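Review bot: The new reference on `doc->dict` carries no comment saying why a node map must keep a document dictionary alive, which is the whole substance of the fix; a line above the `if` such as `/* Hold a reference on the document's dictionary so names interned in it outlive a reload of the document (GH-16906). */` would keep the next reader from removing it as dead weight. `xmlDictReference()` returns -1 only for a NULL dictionary, and in that case `mapptr->dict` is NULL too and `xmlDictFree(NULL)` is a no-op, so the unchecked return is harmless; whether a document without a dictionary can reach this path and still needs protection is not visible from the hunk. If `dom_namednode_iter` can be invoked on a map object whose `dict` is already set, the earlier reference would leak, and an `xmlDictFree(mapptr->dict);` before the assignment would cover it — only needed if such re-initialization is actually possible. `dom_namednode_iter` begins and ends outside the hunk, so the origin of `doc` is not visible here.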
@@ -1128,6 +1132,7 @@ void dom_nnodemap_objects_free_storage(zend_object *object) /* {{{ */
if (!Z_ISUNDEF(objmap->baseobj_zv)) {
zval_ptr_dtor(&objmap->baseobj_zv);
}
+ xmlDictFree(objmap->dict);
efree(objmap);
intern->ptr = NULL;
}
@@ -1158,6 +1163,7 @@ zend_object *dom_nnodemap_objects_new(zend_class_entry *class_type)
objmap->cached_length = -1;
objmap->cached_obj = NULL;
objmap->cached_obj_index = 0;
+ objmap->dict = NULL;
return &intern->std;
}
diff --git a/ext/dom/php_dom.h b/ext/dom/php_dom.h
index fe0c5471c6ca4..2bccb2d5692d5 100644
--- a/ext/dom/php_dom.h
+++ b/ext/dom/php_dom.h
@@ -89,6 +89,7 @@ typedef struct _dom_nnodemap_object {
php_libxml_cache_tag cache_tag;
dom_object *cached_obj;
zend_long cached_obj_index;
+ xmlDictPtr dict;
bool free_local : 1;
bool free_ns : 1;
} dom_nnodemap_object;
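Review bot: The new `dict` member is undocumented, and its ownership is not obvious from the name alone: it appears to hold a counted reference to the dictionary of the document the map was built from, taken in `dom_namednode_iter` and released in `dom_nnodemap_objects_free_storage`. Suggest `xmlDictPtr dict; /* counted reference to the source document's dictionary; released in free_storage */` so that the pairing of reference and release is visible at the declaration.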
diff --git a/ext/dom/tests/gh16906.phpt b/ext/dom/tests/gh16906.phpt
new file mode 100644
index 0000000000000..791ca13b390e0
--- /dev/null
+++ b/ext/dom/tests/gh16906.phpt
@@ -0,0 +1,17 @@
+--TEST--
+GH-16906 (Reloading document can cause UAF in iterator)
+--EXTENSIONS--
+dom
+--FILE--
+loadXML('');
+$list = $doc->getElementsByTagName('strong');
+$doc->load(__DIR__."/book.xml");
+var_dump($list);
+?>
+--EXPECT--
+object(DOMNodeList)#2 (1) {
+ ["length"]=>
+ int(0)
+}
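Review bot: As rendered, the `--FILE--` section starts with `loadXML('');`, which is not a runnable script on its own; the `<?php` line and the `new DOMDocument` construction appear to have been lost in this rendering of the patch rather than in the commit, since the hunk header counts 17 added lines and fewer are shown. Worth confirming against the committed file that the test opens with the PHP tag and creates the document before `loadXML`.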
From 866d8d7ce68ea4434f3393ca390926f68243c098 Mon Sep 17 00:00:00 2001
From: Jakub Zelenka
Date: Sun, 24 Nov 2024 18:45:22 +0000
Subject: [PATCH 2/4] Update code owners for mysqli, mysqlnd and pdo_mysql [ci
skip] (#16921)
---
.github/CODEOWNERS | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 0c064cf935047..ba67073c6afb3 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -30,7 +30,8 @@
/ext/json @bukka
/ext/libxml @nielsdos
/ext/mbstring @alexdowad @youkidearitai
-/ext/mysqlnd @SakiTakamachi
+/ext/mysqli @bukka @kamil-tekiela
+/ext/mysqlnd @bukka @kamil-tekiela @SakiTakamachi
/ext/odbc @NattyNarwhal
/ext/opcache @dstogov
/ext/openssl @bukka
@@ -38,7 +39,7 @@
/ext/pdo @SakiTakamachi
/ext/pdo_dblib @SakiTakamachi
/ext/pdo_firebird @SakiTakamachi
-/ext/pdo_mysql @SakiTakamachi
+/ext/pdo_mysql @kamil-tekiela @SakiTakamachi
/ext/pdo_odbc @NattyNarwhal @SakiTakamachi
/ext/pdo_pgsql @devnexen @SakiTakamachi
/ext/pdo_sqlite @SakiTakamachi
From 51f5539914ae62ef8568ea1ed302dceda897c439 Mon Sep 17 00:00:00 2001
From: Jakub Zelenka
Date: Sun, 24 Nov 2024 20:13:47 +0100
Subject: [PATCH 3/4] Change port for mysqli fake server auth message test
---
ext/mysqli/tests/ghsa-h35g-vwh6-m678-auth-message.phpt | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ext/mysqli/tests/ghsa-h35g-vwh6-m678-auth-message.phpt b/ext/mysqli/tests/ghsa-h35g-vwh6-m678-auth-message.phpt
index db54a6c0177a1..279aec6a2cba1 100644
--- a/ext/mysqli/tests/ghsa-h35g-vwh6-m678-auth-message.phpt
+++ b/ext/mysqli/tests/ghsa-h35g-vwh6-m678-auth-message.phpt
@@ -6,7 +6,7 @@ mysqli
Date: Sun, 24 Nov 2024 23:48:27 +0100
Subject: [PATCH 4/4] Increase MySQLi fake server read timeout for ASAN job
---
ext/mysqli/tests/fake_server.inc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ext/mysqli/tests/fake_server.inc b/ext/mysqli/tests/fake_server.inc
index b02fabc584c5d..1127f6c00e3f9 100644
--- a/ext/mysqli/tests/fake_server.inc
+++ b/ext/mysqli/tests/fake_server.inc
@@ -552,8 +552,8 @@ class my_mysqli_fake_server_conn
public function read($bytes_len = 1024)
{
- // wait 10ms to fill the buffer
- usleep(10000);
+ // wait 20ms to fill the buffer
+ usleep(20000);
$data = fread($this->conn, $bytes_len);
if ($data) {
fprintf(STDERR, "[*] Received: %s\n", bin2hex($data));