Merge branch 'PHP-8.2' into PHP-8.3

nielsdos · nielsdos · commit 5a09e0105e06 · 2024-10-21T20:57:22.000+02:00
* PHP-8.2: Fix GH-16535: UAF when using document as a child Fix GH-16533: Segfault when adding attribute to parent that is not an element
diff --git a/NEWS b/NEWS
@@ -32,6 +32,9 @@ PHP                                                                        NEWS
   . Fixed bug GH-16336 (Attribute intern document mismanagement). (nielsdos)
   . Fixed bug GH-16338 (Null-dereference in ext/dom/node.c). (nielsdos)
   . Fixed bug GH-16473 (dom_import_simplexml stub is wrong). (nielsdos)
+  . Fixed bug GH-16533 (Segfault when adding attribute to parent that is not
+    an element). (nielsdos)
+  . Fixed bug GH-16535 (UAF when using document as a child). (nielsdos)
 
 - EXIF:
   . Fixed bug GH-16409 (Segfault in exif_thumbnail when not dealing with a
diff --git a/ext/dom/node.c b/ext/dom/node.c
@@ -969,6 +969,17 @@ static bool dom_node_check_legacy_insertion_validity(xmlNodePtr parentp, xmlNode
 		php_dom_throw_error(HIERARCHY_REQUEST_ERR, stricterror);
 		return false;
 	}
+	/* Attributes must be in elements. */
+	if (child->type == XML_ATTRIBUTE_NODE && parentp->type != XML_ELEMENT_NODE) {
+		php_dom_throw_error(HIERARCHY_REQUEST_ERR, stricterror);
+		return false;
+	}
+
+	/* Documents can never be a child. */
+	if (child->type == XML_DOCUMENT_NODE || child->type == XML_HTML_DOCUMENT_NODE) {
+		php_dom_throw_error(HIERARCHY_REQUEST_ERR, stricterror);
+		return false;
+	}
 
 	return true;
 }
diff --git a/ext/dom/tests/gh16533.phpt b/ext/dom/tests/gh16533.phpt
@@ -0,0 +1,20 @@
+--TEST--
+GH-16533 (Segfault when adding attribute to parent that is not an element)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+
+$doc = new DOMDocument();
+try {
+    $doc->appendChild($doc->createAttribute('foo'));
+} catch (DOMException $e) {
+    echo $e->getMessage(), "\n";
+}
+
+echo $doc->saveXML();
+
+?>
+--EXPECT--
+Hierarchy Request Error
+<?xml version="1.0"?>
diff --git a/ext/dom/tests/gh16535.phpt b/ext/dom/tests/gh16535.phpt
@@ -0,0 +1,25 @@
+--TEST--
+GH-16535 (UAF when using document as a child)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+
+$v2 = new DOMDocument("t");
+
+$v2->loadHTML("t");
+$v4 = $v2->createElement('foo');
+try {
+    $v4->appendChild($v2);
+} catch (DOMException $e) {
+    echo $e->getMessage(), "\n";
+}
+$v2->loadHTML("oU");
+echo $v2->saveXML();
+
+?>
+--EXPECT--
+Hierarchy Request Error
+<?xml version="1.0" standalone="yes"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
+<html><body><p>oU</p></body></html>
