Merge branch 'PHP-8.0' into PHP-8.1

* PHP-8.0:
  Fix #79451: DOMDocument->replaceChild on doctype causes double free

Author: cmb69

NEWS

@@ -6,6 +6,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function)
     (Tim Starling)
 
+- DOM:
+  . Fixed bug #79451 (DOMDocument->replaceChild on doctype causes double free).
+    (Nathan Freeman)
+
 - Streams:
   . Fixed bug GH-9316 ($http_response_header is wrong for long status line).
     (cmb, timwolla)

ext/dom/node.c

@@ -1003,6 +1003,7 @@ PHP_METHOD(DOMNode, replaceChild)
 	xmlNodePtr newchild, oldchild, nodep;
 	dom_object *intern, *newchildobj, *oldchildobj;
 	int stricterror;
+	bool replacedoctype = false;
 
 	int ret;
 
@@ -1059,13 +1060,20 @@ PHP_METHOD(DOMNode, replaceChild)
 			dom_reconcile_ns(nodep->doc, newchild);
 		}
 	} else if (oldchild != newchild) {
+		xmlDtdPtr intSubset = xmlGetIntSubset(nodep->doc);
+		replacedoctype = (intSubset == (xmlDtd *) oldchild);
+
 		if (newchild->doc == NULL && nodep->doc != NULL) {
 			xmlSetTreeDoc(newchild, nodep->doc);
 			newchildobj->document = intern->document;
 			php_libxml_increment_doc_ref((php_libxml_node_object *)newchildobj, NULL);
 		}
 		xmlReplaceNode(oldchild, newchild);
 		dom_reconcile_ns(nodep->doc, newchild);
+
+		if (replacedoctype) {
+			nodep->doc->intSubset = (xmlDtd *) newchild;
+		}
 	}
 	DOM_RET_OBJ(oldchild, &ret, intern);
 }

ext/dom/tests/bug79451.phpt

@@ -1,7 +1,7 @@
 --TEST--
 Bug #79451 (Using DOMDocument->replaceChild on doctype causes double free)
---SKIPIF--
-<?php require_once('skipif.inc'); ?>
+--EXTENSIONS--
+dom
 --FILE--
 <?php
 $dom = new \DOMDocument();