Fix bug #66502: DOM document dangling reference

When we decrement the refcount of a node's document, we state that we won't need it anymore. Therefore we can *always* set the pointer to the document to NULL, what avoids invalid memory accesses for some edge cases as demonstrated with the PHPT. Original patch provided by Sean Heelan.
strk · Jul 14, 2016 · a4aa4f9 · a4aa4f9
1 parent 1c84b55
commit a4aa4f9
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 1 deletion.
diff --git a/NEWS b/NEWS
@@ -16,6 +16,9 @@ PHP                                                                        NEWS
   . Fixed bug #66836 (DateTime::createFromFormat 'U' with pre 1970 dates fails
     parsing). (derick)
 
+- DOM:
+  . Fixed bug #66502 (DOM document dangling reference). (Sean Heelan, cmb)
+
 - Filter:
   . Fixed bug #71745 (FILTER_FLAG_NO_RES_RANGE does not cover whole 127.0.0.0/8
     range). (bugs dot php dot net at majkl578 dot cz)

diff --git a/ext/dom/tests/bug66502.phpt b/ext/dom/tests/bug66502.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #66502 (DOM document dangling reference)
+--SKIPIF--
+<?php
+if (!extension_loaded('dom')) die('skip requires ext/dom');
+?>
+--FILE--
+<?php
+$dom = new DOMDocument('1.0', 'UTF-8');
+$element = $dom->appendChild(new DOMElement('root'));
+$comment = new DOMComment("Comment 0");
+$comment = $element->appendChild($comment);
+
+$comment->__construct("Comment 1");
+$comment->__construct("Comment 2");
+$comment->__construct("Comment 3");
+echo 'DONE', PHP_EOL;
+?>
+--EXPECT--
+DONE
diff --git a/ext/libxml/libxml.c b/ext/libxml/libxml.c
@@ -1272,8 +1272,8 @@ PHP_LIBXML_API int php_libxml_decrement_doc_ref(php_libxml_node_object *object T
 				efree(object->document->doc_props);
 			}
 			efree(object->document);
-			object->document = NULL;
 		}
+		object->document = NULL;
 	}
 
 	return ret_refcount;