Commit 983be089c0c for php.net
commit 983be089c0c800dfae9a3b9bdb974e35aceeeabd
Author: Niels Dossche <7771979+ndossche@users.noreply.github.com>
Date: Thu Dec 18 20:37:04 2025 +0100
Fix GH-20722: Null pointer dereference in DOM namespace node cloning via clone on malformed objects
Closes GH-20730.
diff --git a/NEWS b/NEWS
index 11ae976b323..d7fd92cf997 100644
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,10 @@ PHP NEWS
. Fixed bug GH-20620 (bzcompress overflow on large source size).
(David Carlier)
+- DOM:
+ . Fixed bug GH-20722 (Null pointer dereference in DOM namespace node cloning
+ via clone on malformed objects). (ndossche)
+
- GD:
. Fixed bug GH-20622 (imagestring/imagestringup overflow). (David Carlier)
diff --git a/ext/dom/php_dom.c b/ext/dom/php_dom.c
index d097081b0bd..a1eb8fb8d78 100644
--- a/ext/dom/php_dom.c
+++ b/ext/dom/php_dom.c
@@ -541,15 +541,17 @@ static zend_object *dom_object_namespace_node_clone_obj(zend_object *zobject)
zend_object *clone = dom_objects_namespace_node_new(intern->dom.std.ce);
dom_object_namespace_node *clone_intern = php_dom_namespace_node_obj_from_obj(clone);
- xmlNodePtr original_node = dom_object_get_node(&intern->dom);
- ZEND_ASSERT(original_node->type == XML_NAMESPACE_DECL);
- xmlNodePtr cloned_node = php_dom_create_fake_namespace_decl_node_ptr(original_node->parent, original_node->ns);
-
if (intern->parent_intern) {
clone_intern->parent_intern = intern->parent_intern;
GC_ADDREF(&clone_intern->parent_intern->std);
}
- dom_update_refcount_after_clone(&intern->dom, original_node, &clone_intern->dom, cloned_node);
+
+ xmlNodePtr original_node = dom_object_get_node(&intern->dom);
+ if (original_node != NULL) {
+ ZEND_ASSERT(original_node->type == XML_NAMESPACE_DECL);
+ xmlNodePtr cloned_node = php_dom_create_fake_namespace_decl_node_ptr(original_node->parent, original_node->ns);
+ dom_update_refcount_after_clone(&intern->dom, original_node, &clone_intern->dom, cloned_node);
+ }
zend_objects_clone_members(clone, &intern->dom.std);
return clone;
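Review bot: The new `if (original_node != NULL)` guard carries no comment saying when a namespace node object can lack a backing node; the only explanation is in the added test, which constructs `new DOMNameSpaceNode()` directly from userland. I would add above the guard: `/* No backing node exists when the object was instantiated directly (e.g. new DOMNameSpaceNode()); return an equally empty clone. */`. When the branch is skipped, the clone is returned without a node of its own, so any handler that later fetches the clone's node presumably has to tolerate NULL too; that is not visible here and worth confirming. The body of dom_object_namespace_node_clone_obj starts and ends outside this hunk.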
diff --git a/ext/dom/tests/gh20722.phpt b/ext/dom/tests/gh20722.phpt
new file mode 100644
index 00000000000..38d3314618f
--- /dev/null
+++ b/ext/dom/tests/gh20722.phpt
@@ -0,0 +1,13 @@
+--TEST--
+GH-20722 (Null pointer dereference in DOM namespace node cloning via clone on malformed objects)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+
+clone new DOMNameSpaceNode();
+echo "Done";
+
+?>
+--EXPECT--
+Done
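Review bot: The test discards the result of `clone new DOMNameSpaceNode();`, so it pins only that cloning no longer crashes, not that the node-less clone is safe to use afterwards. Keeping the result and reading from it, e.g. `$c = clone new DOMNameSpaceNode(); var_dump($c->nodeName);`, would also cover the property read path on an object with no node. The expected output for that line would have to be taken from an actual run, since the behaviour of a read on a malformed object is not shown on this page.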