Fix GH-16535: UAF when using document as a child

Documents can never be children of any node.

Closes GH-16539.

Author: nielsdos

NEWS

@@ -32,6 +32,7 @@ PHP                                                                        NEWS
   . Fixed bug GH-16473 (dom_import_simplexml stub is wrong). (nielsdos)
   . Fixed bug GH-16533 (Segfault when adding attribute to parent that is not
     an element). (nielsdos)
+  . Fixed bug GH-16535 (UAF when using document as a child). (nielsdos)
 
 - EXIF:
   . Fixed bug GH-16409 (Segfault in exif_thumbnail when not dealing with a

ext/dom/node.c

@@ -878,6 +878,12 @@ static bool dom_node_check_legacy_insertion_validity(xmlNodePtr parentp, xmlNode
 		return false;
 	}
 
+	/* Documents can never be a child. */
+	if (child->type == XML_DOCUMENT_NODE || child->type == XML_HTML_DOCUMENT_NODE) {
+		php_dom_throw_error(HIERARCHY_REQUEST_ERR, stricterror);
+		return false;
+	}
+
 	return true;
 }
 

ext/dom/tests/gh16535.phpt

@@ -0,0 +1,25 @@
+--TEST--
+GH-16535 (UAF when using document as a child)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+
+$v2 = new DOMDocument("t");
+
+$v2->loadHTML("t");
+$v4 = $v2->createElement('foo');
+try {
+    $v4->appendChild($v2);
+} catch (DOMException $e) {
+    echo $e->getMessage(), "\n";
+}
+$v2->loadHTML("oU");
+echo $v2->saveXML();
+
+?>
+--EXPECT--
+Hierarchy Request Error
+<?xml version="1.0" standalone="yes"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
+<html><body><p>oU</p></body></html>