From 859aafc29e2903274fb300601afda983d5ba76bf Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Tue, 1 Oct 2024 19:55:23 +0200
Subject: [PATCH] Fix GH-16149: Null pointer dereference in
 DOMElement->getAttributeNames()

A namespace without a prefix is by definition always the "xmlns"
namespace.
---
 ext/dom/element.c          |  6 +++++-
 ext/dom/tests/gh16149.phpt | 14 ++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 ext/dom/tests/gh16149.phpt

diff --git a/ext/dom/element.c b/ext/dom/element.c
index 46f1100a767d..0b4117fb08ea 100644
--- a/ext/dom/element.c
+++ b/ext/dom/element.c
@@ -339,7 +339,11 @@ PHP_METHOD(DOMElement, getAttributeNames)
 
 	for (xmlNsPtr nsptr = nodep->nsDef; nsptr; nsptr = nsptr->next) {
 		const char *prefix = (const char *) nsptr->prefix;
-		ZVAL_STR(&tmp, dom_node_concatenated_name_helper(strlen(prefix), prefix, strlen("xmlns"), (const char *) "xmlns"));
+		if (prefix == NULL) {
+			ZVAL_STRING(&tmp, "xmlns");
+		} else {
+			ZVAL_STR(&tmp, dom_node_concatenated_name_helper(strlen(prefix), prefix, strlen("xmlns"), (const char *) "xmlns"));
+		}
 		zend_hash_next_index_insert(ht, &tmp);
 	}
 
diff --git a/ext/dom/tests/gh16149.phpt b/ext/dom/tests/gh16149.phpt
new file mode 100644
index 000000000000..c6e1140e75ff
--- /dev/null
+++ b/ext/dom/tests/gh16149.phpt
@@ -0,0 +1,14 @@
+--TEST--
+GH-16149 (Null pointer dereference in DOMElement->getAttributeNames())
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+$element = new DOMElement("b", null, "a");
+var_dump($element->getAttributeNames());
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  string(5) "xmlns"
+}