Merge branch 'PHP-8.4'

nielsdos · nielsdos · commit 7c6c8e110e16 · 2024-10-21T20:57:53.000+02:00
* PHP-8.4: Fix GH-16535: UAF when using document as a child Fix GH-16533: Segfault when adding attribute to parent that is not an element
diff --git a/ext/dom/node.c b/ext/dom/node.c
@@ -864,6 +864,17 @@ static bool dom_node_check_legacy_insertion_validity(xmlNodePtr parentp, xmlNode
 		php_dom_throw_error(HIERARCHY_REQUEST_ERR, stricterror);
 		return false;
 	}
+	/* Attributes must be in elements. */
+	if (child->type == XML_ATTRIBUTE_NODE && parentp->type != XML_ELEMENT_NODE) {
+		php_dom_throw_error(HIERARCHY_REQUEST_ERR, stricterror);
+		return false;
+	}
+
+	/* Documents can never be a child. */
+	if (child->type == XML_DOCUMENT_NODE || child->type == XML_HTML_DOCUMENT_NODE) {
+		php_dom_throw_error(HIERARCHY_REQUEST_ERR, stricterror);
+		return false;
+	}
 
 	return true;
 }
diff --git a/ext/dom/tests/gh16533.phpt b/ext/dom/tests/gh16533.phpt
@@ -0,0 +1,20 @@
+--TEST--
+GH-16533 (Segfault when adding attribute to parent that is not an element)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+
+$doc = new DOMDocument();
+try {
+    $doc->appendChild($doc->createAttribute('foo'));
+} catch (DOMException $e) {
+    echo $e->getMessage(), "\n";
+}
+
+echo $doc->saveXML();
+
+?>
+--EXPECT--
+Hierarchy Request Error
+<?xml version="1.0"?>
diff --git a/ext/dom/tests/gh16535.phpt b/ext/dom/tests/gh16535.phpt
@@ -0,0 +1,25 @@
+--TEST--
+GH-16535 (UAF when using document as a child)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+
+$v2 = new DOMDocument("t");
+
+$v2->loadHTML("t");
+$v4 = $v2->createElement('foo');
+try {
+    $v4->appendChild($v2);
+} catch (DOMException $e) {
+    echo $e->getMessage(), "\n";
+}
+$v2->loadHTML("oU");
+echo $v2->saveXML();
+
+?>
+--EXPECT--
+Hierarchy Request Error
+<?xml version="1.0" standalone="yes"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
+<html><body><p>oU</p></body></html>
