Fix GH-16777: Calling the constructor again on a DOM object after it …

…is in a document causes UAF Closes GH-16824.
php · Nov 16, 2024 · 18b18f0 · 18b18f0
1 parent 2ba1859
commit 18b18f0
Show file tree

Hide file tree

Showing 4 changed files with 58 additions and 0 deletions.
diff --git a/NEWS b/NEWS
@@ -15,6 +15,10 @@ PHP                                                                        NEWS
 - Curl:
   . Fixed bug GH-16802 (open_basedir bypass using curl extension). (nielsdos)
 
+- DOM:
+  . Fixed bug GH-16777 (Calling the constructor again on a DOM object after it
+    is in a document causes UAF). (nielsdos)
+
 - FPM:
   . Fixed GH-16432 (PHP-FPM 8.2 SIGSEGV in fpm_get_status). (Jakub Zelenka)
 

diff --git a/ext/dom/node.c b/ext/dom/node.c
@@ -1024,6 +1024,7 @@ PHP_METHOD(DOMNode, insertBefore)
 	}
 
 	if (child->doc == NULL && parentp->doc != NULL) {
+		xmlSetTreeDoc(child, parentp->doc);
 		dom_set_document_ref_pointers(child, intern->document);
 	}
 
@@ -1188,6 +1189,7 @@ PHP_METHOD(DOMNode, replaceChild)
 	}
 
 	if (newchild->doc == NULL && nodep->doc != NULL) {
+		xmlSetTreeDoc(newchild, nodep->doc);
 		dom_set_document_ref_pointers(newchild, intern->document);
 	}
 
@@ -1291,6 +1293,7 @@ PHP_METHOD(DOMNode, appendChild)
 	}
 
 	if (child->doc == NULL && nodep->doc != NULL) {
+		xmlSetTreeDoc(child, nodep->doc);
 		dom_set_document_ref_pointers(child, intern->document);
 	}
 

diff --git a/ext/dom/tests/gh16777_1.phpt b/ext/dom/tests/gh16777_1.phpt
@@ -0,0 +1,24 @@
+--TEST--
+GH-16777 (Calling the constructor again on a DOM object after it is in a document causes UAF)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+$text = new DOMText('my value');
+$doc = new DOMDocument();
+$doc->appendChild($text);
+$text->__construct('my new value');
+$doc->appendChild($text);
+echo $doc->saveXML();
+$dom2 = new DOMDocument();
+try {
+    $dom2->appendChild($text);
+} catch (DOMException $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+<?xml version="1.0"?>
+my value
+my new value
+Wrong Document Error
diff --git a/ext/dom/tests/gh16777_2.phpt b/ext/dom/tests/gh16777_2.phpt
@@ -0,0 +1,27 @@
+--TEST--
+GH-16777 (Calling the constructor again on a DOM object after it is in a document causes UAF)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+$el = new DOMElement('name');
+$el->append($child = new DOMElement('child'));
+$doc = new DOMDocument();
+$doc->appendChild($el);
+$el->__construct('newname');
+$doc->appendChild($el);
+echo $doc->saveXML();
+$dom2 = new DOMDocument();
+try {
+    $dom2->appendChild($el);
+} catch (DOMException $e) {
+    echo $e->getMessage(), "\n";
+}
+var_dump($child->ownerDocument === $doc);
+?>
+--EXPECT--
+<?xml version="1.0"?>
+<name><child/></name>
+<newname/>
+Wrong Document Error
+bool(true)