Fix GH-15670: Polymorphic cache slot issue in DOM (#15676)

nielsdos · web-flow · commit 82c504fa9c36 · 2024-08-31T12:13:21.000+02:00
A cache slot can be hit with different DOM object types, so we should
check if we're still handling the same type.
diff --git a/ext/dom/php_dom.c b/ext/dom/php_dom.c
@@ -370,13 +370,14 @@ static zend_always_inline const dom_prop_handler *dom_get_prop_handler(const dom
 	const dom_prop_handler *hnd = NULL;
 
 	if (obj->prop_handler != NULL) {
-		if (cache_slot) {
-			hnd = *cache_slot;
+		if (cache_slot && *cache_slot == obj->prop_handler) {
+			hnd = *(cache_slot + 1);
 		}
 		if (!hnd) {
 			hnd = zend_hash_find_ptr(obj->prop_handler, name);
 			if (cache_slot) {
-				*cache_slot = (void *) hnd;
+				*cache_slot = obj->prop_handler;
+				*(cache_slot + 1) = (void *) hnd;
 			}
 		}
 	}
@@ -419,12 +420,13 @@ zval *dom_write_property(zend_object *object, zend_string *name, zval *value, vo
 
 		zend_property_info *prop = NULL;
 		if (cache_slot) {
-			prop = *(cache_slot + 1);
+			ZEND_ASSERT(*cache_slot == obj->prop_handler);
+			prop = *(cache_slot + 2);
 		}
 		if (!prop) {
 			prop = zend_get_property_info(object->ce, name, /* silent */ true);
 			if (cache_slot) {
-				*(cache_slot + 1) = prop;
+				*(cache_slot + 2) = prop;
 			}
 		}
 
diff --git a/ext/dom/tests/gh15670.phpt b/ext/dom/tests/gh15670.phpt
@@ -0,0 +1,29 @@
+--TEST--
+GH-15670 (Polymorphic cache slot issue in DOM)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+$doc = new DOMDocument();
+$doc->loadHTML('<p id=x>foo</p>');
+$dom = DOM\XMLDocument::createFromString('<root/>');
+$child = $dom->documentElement->appendChild($dom->createElementNS('urn:a', 'child'));
+function test($child, $html) {
+    try {
+        $child->innerHTML = $html;
+    } catch (DOMException $e) {
+    }
+}
+test($child, '--></root><!--');
+test($doc, '<');
+echo $doc->saveXML(), "\n";
+echo $dom->saveXML(), "\n";
+?>
+--EXPECTF--
+Deprecated: Creation of dynamic property DOMDocument::$innerHTML is deprecated in %s on line %d
+<?xml version="1.0" standalone="yes"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
+<html><body><p id="x">foo</p></body></html>
+
+<?xml version="1.0" encoding="UTF-8"?>
+<root><child xmlns="urn:a"/></root>

Original file line number	Diff line number	Diff line change
`@@ -370,13 +370,14 @@ static zend_always_inline const dom_prop_handler *dom_get_prop_handler(const dom`
`370`	`370`	`const dom_prop_handler *hnd = NULL;`
`371`	`371`
`372`	`372`	`if (obj->prop_handler != NULL) {`
`373`		`- if (cache_slot) {`
`374`		`- hnd = *cache_slot;`
	`373`	`+ if (cache_slot && *cache_slot == obj->prop_handler) {`
	`374`	`+ hnd = *(cache_slot + 1);`
`375`	`375`	`}`
`376`	`376`	`if (!hnd) {`
`377`	`377`	`hnd = zend_hash_find_ptr(obj->prop_handler, name);`
`378`	`378`	`if (cache_slot) {`
`379`		`- cache_slot = (void ) hnd;`
	`379`	`+ *cache_slot = obj->prop_handler;`
	`380`	`+ (cache_slot + 1) = (void ) hnd;`
`380`	`381`	`}`
`381`	`382`	`}`
`382`	`383`	`}`
`@@ -419,12 +420,13 @@ zval dom_write_property(zend_object object, zend_string name, zval value, vo`
`419`	`420`
`420`	`421`	`zend_property_info *prop = NULL;`
`421`	`422`	`if (cache_slot) {`
`422`		`- prop = *(cache_slot + 1);`
	`423`	`+ ZEND_ASSERT(*cache_slot == obj->prop_handler);`
	`424`	`+ prop = *(cache_slot + 2);`
`423`	`425`	`}`
`424`	`426`	`if (!prop) {`
`425`	`427`	`prop = zend_get_property_info(object->ce, name, /* silent */ true);`
`426`	`428`	`if (cache_slot) {`
`427`		`- *(cache_slot + 1) = prop;`
	`429`	`+ *(cache_slot + 2) = prop;`
`428`	`430`	`}`
`429`	`431`	`}`
`430`	`432`