Merge branch 'PHP-8.1'

Author: Girgias

NEWS

@@ -2,6 +2,17 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.2.0RC1
 
+- Core:
+  . Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function)
+    (Tim Starling)
+
+- DOM:
+  . Fixed bug  #79451 (Using DOMDocument->replaceChild on doctype causes
+     double free) (NathanFreeman)
+
+- Streams:
+  . Fixed bug GH-9316 ($http_response_header is wrong for long status line).
+    (cmb, timwolla)
 
 18 Aug 2022, PHP 8.2.0beta3
 

Zend/zend_vm_def.h

@@ -4320,6 +4320,7 @@ ZEND_VM_INLINE_HANDLER(62, ZEND_RETURN, CONST|TMP|VAR|CV, ANY, SPEC(OBSERVER))
 							zend_refcounted *ref = Z_COUNTED_P(retval_ptr);
 							ZVAL_COPY_VALUE(return_value, retval_ptr);
 							if (GC_MAY_LEAK(ref)) {
+								SAVE_OPLINE();
 								gc_possible_root(ref);
 							}
 							ZVAL_NULL(retval_ptr);
@@ -8425,8 +8426,8 @@ ZEND_VM_C_LABEL(check_indirect):
 		zend_refcounted *garbage = Z_COUNTED_P(variable_ptr);
 
 		ZVAL_REF(variable_ptr, ref);
+		SAVE_OPLINE();
 		if (GC_DELREF(garbage) == 0) {
-			SAVE_OPLINE();
 			rc_dtor_func(garbage);
 			if (UNEXPECTED(EG(exception))) {
 				ZVAL_NULL(variable_ptr);

Zend/zend_vm_execute.h

@@ -20,6 +20,7 @@
 #endif
 
 #include "php.h"
+
 #if defined(HAVE_LIBXML) && defined(HAVE_DOM)
 #include "php_dom.h"
 
@@ -1003,6 +1004,7 @@ PHP_METHOD(DOMNode, replaceChild)
 	xmlNodePtr newchild, oldchild, nodep;
 	dom_object *intern, *newchildobj, *oldchildobj;
 	int stricterror;
+	bool replacedoctype = false;
 
 	int ret;
 
@@ -1042,7 +1044,51 @@ PHP_METHOD(DOMNode, replaceChild)
 		RETURN_FALSE;
 	}
 
+<<<<<<< HEAD
 	if (oldchild->parent != nodep) {
+=======
+	/* check for the old child and whether the new child is already a child */
+	while (children) {
+		if (children == oldchild) {
+			foundoldchild = 1;
+			break;
+		}
+		children = children->next;
+	}
+
+	if (foundoldchild) {
+		if (newchild->type == XML_DOCUMENT_FRAG_NODE) {
+			xmlNodePtr prevsib, nextsib;
+			prevsib = oldchild->prev;
+			nextsib = oldchild->next;
+
+			xmlUnlinkNode(oldchild);
+
+			newchild = _php_dom_insert_fragment(nodep, prevsib, nextsib, newchild, intern, newchildobj);
+			if (newchild) {
+				dom_reconcile_ns(nodep->doc, newchild);
+			}
+		} else if (oldchild != newchild) {
+			xmlDtdPtr intSubset = xmlGetIntSubset(nodep->doc);
+			replacedoctype = (intSubset == (xmlDtd *) oldchild);
+
+			if (newchild->doc == NULL && nodep->doc != NULL) {
+				xmlSetTreeDoc(newchild, nodep->doc);
+				newchildobj->document = intern->document;
+				php_libxml_increment_doc_ref((php_libxml_node_object *)newchildobj, NULL);
+			}
+
+			xmlReplaceNode(oldchild, newchild);
+			dom_reconcile_ns(nodep->doc, newchild);
+
+			if (replacedoctype) {
+				nodep->doc->intSubset = (xmlDtd *) newchild;
+			}
+		}
+		DOM_RET_OBJ(oldchild, &ret, intern);
+		return;
+	} else {
+>>>>>>> PHP-8.0
 		php_dom_throw_error(NOT_FOUND_ERR, stricterror);
 		RETURN_FALSE;
 	}

ext/dom/node.c

@@ -0,0 +1,20 @@
+--TEST--
+Bug #79451 (Using DOMDocument->replaceChild on doctype causes double free)
+--SKIPIF--
+<?php require_once('skipif.inc'); ?>
+--FILE--
+<?php
+$dom = new \DOMDocument();
+$dom->loadHTML("<!DOCTYPE html><p>hello</p>");
+$impl = new \DOMImplementation();
+$dt = $impl->createDocumentType("html_replace", "", "");
+$dom->replaceChild($dt, $dom->doctype);
+
+var_dump($dom->doctype->name);
+echo $dom->saveXML();
+?>
+--EXPECTF--
+string(12) "html_replace"
+<?xml version="1.0" standalone="yes"?>
+<!DOCTYPE html_replace>
+<html><body><p>hello</p></body></html>