Fix phpGH-16777: Calling the constructor again on a DOM object after it is in a document causes UAF

nielsdos · nielsdos · commit 18b18f0ee026 · 2024-11-16T13:42:01.000+01:00
Closes phpGH-16824.
diff --git a/NEWS b/NEWS
@@ -15,6 +15,10 @@ PHP                                                                        NEWS
 - Curl:
   . Fixed bug GH-16802 (open_basedir bypass using curl extension). (nielsdos)
 
+- DOM:
+  . Fixed bug GH-16777 (Calling the constructor again on a DOM object after it
+    is in a document causes UAF). (nielsdos)
+
 - FPM:
   . Fixed GH-16432 (PHP-FPM 8.2 SIGSEGV in fpm_get_status). (Jakub Zelenka)
 
diff --git a/ext/dom/node.c b/ext/dom/node.c
@@ -1024,6 +1024,7 @@ PHP_METHOD(DOMNode, insertBefore)
 	}
 
 	if (child->doc == NULL && parentp->doc != NULL) {
+		xmlSetTreeDoc(child, parentp->doc);
 		dom_set_document_ref_pointers(child, intern->document);
 	}
 
@@ -1188,6 +1189,7 @@ PHP_METHOD(DOMNode, replaceChild)
 	}
 
 	if (newchild->doc == NULL && nodep->doc != NULL) {
+		xmlSetTreeDoc(newchild, nodep->doc);
 		dom_set_document_ref_pointers(newchild, intern->document);
 	}
 
@@ -1291,6 +1293,7 @@ PHP_METHOD(DOMNode, appendChild)
 	}
 
 	if (child->doc == NULL && nodep->doc != NULL) {
+		xmlSetTreeDoc(child, nodep->doc);
 		dom_set_document_ref_pointers(child, intern->document);
 	}
 
diff --git a/ext/dom/tests/gh16777_1.phpt b/ext/dom/tests/gh16777_1.phpt
@@ -0,0 +1,24 @@
+--TEST--
+GH-16777 (Calling the constructor again on a DOM object after it is in a document causes UAF)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+$text = new DOMText('my value');
+$doc = new DOMDocument();
+$doc->appendChild($text);
+$text->__construct('my new value');
+$doc->appendChild($text);
+echo $doc->saveXML();
+$dom2 = new DOMDocument();
+try {
+    $dom2->appendChild($text);
+} catch (DOMException $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+<?xml version="1.0"?>
+my value
+my new value
+Wrong Document Error
diff --git a/ext/dom/tests/gh16777_2.phpt b/ext/dom/tests/gh16777_2.phpt
@@ -0,0 +1,27 @@
+--TEST--
+GH-16777 (Calling the constructor again on a DOM object after it is in a document causes UAF)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+$el = new DOMElement('name');
+$el->append($child = new DOMElement('child'));
+$doc = new DOMDocument();
+$doc->appendChild($el);
+$el->__construct('newname');
+$doc->appendChild($el);
+echo $doc->saveXML();
+$dom2 = new DOMDocument();
+try {
+    $dom2->appendChild($el);
+} catch (DOMException $e) {
+    echo $e->getMessage(), "\n";
+}
+var_dump($child->ownerDocument === $doc);
+?>
+--EXPECT--
+<?xml version="1.0"?>
+<name><child/></name>
+<newname/>
+Wrong Document Error
+bool(true)

Original file line number	Diff line number	Diff line change
`@@ -1024,6 +1024,7 @@ PHP_METHOD(DOMNode, insertBefore)`
`1024`	`1024`	`}`
`1025`	`1025`
`1026`	`1026`	`if (child->doc == NULL && parentp->doc != NULL) {`
	`1027`	`+ xmlSetTreeDoc(child, parentp->doc);`
`1027`	`1028`	`dom_set_document_ref_pointers(child, intern->document);`
`1028`	`1029`	`}`
`1029`	`1030`
`@@ -1188,6 +1189,7 @@ PHP_METHOD(DOMNode, replaceChild)`
`1188`	`1189`	`}`
`1189`	`1190`
`1190`	`1191`	`if (newchild->doc == NULL && nodep->doc != NULL) {`
	`1192`	`+ xmlSetTreeDoc(newchild, nodep->doc);`
`1191`	`1193`	`dom_set_document_ref_pointers(newchild, intern->document);`
`1192`	`1194`	`}`
`1193`	`1195`
`@@ -1291,6 +1293,7 @@ PHP_METHOD(DOMNode, appendChild)`
`1291`	`1293`	`}`
`1292`	`1294`
`1293`	`1295`	`if (child->doc == NULL && nodep->doc != NULL) {`
	`1296`	`+ xmlSetTreeDoc(child, nodep->doc);`
`1294`	`1297`	`dom_set_document_ref_pointers(child, intern->document);`
`1295`	`1298`	`}`
`1296`	`1299`