Skip to content

Fix GH-21496: UAF in dom_objects_free_storage.#21500

Open
devnexen wants to merge 2 commits intophp:PHP-8.4from
devnexen:gh21496
Open

Fix GH-21496: UAF in dom_objects_free_storage.#21500
devnexen wants to merge 2 commits intophp:PHP-8.4from
devnexen:gh21496

Conversation

@devnexen
Copy link
Member

@devnexen devnexen commented Mar 23, 2026

Cloning a non-document DOM node creates a copy within the same xmlDoc. importStylesheet then passes that original document to xsltParseStylesheetDoc, which strips and frees nodes (including comment nodes) during processing, invalidating PHP objects still referencing them.

Validate that the imported node is a document node before proceeding with the clone.

@devnexen
Fix phpGH-21496: UAF in dom_objects_free_storage.
679b359 
Cloning a non-document DOM node creates a copy within the same
xmlDoc. importStylesheet then passes that original document to
xsltParseStylesheetDoc, which strips and frees nodes (including
comment nodes) during processing, invalidating PHP objects still
referencing them.

Validate that the imported node is a document node before
proceeding with the clone.
@devnexen devnexen marked this pull request as ready for review March 23, 2026 08:54
@devnexen devnexen requested a review from ndossche as a code owner March 23, 2026 08:54
@devnexen devnexen linked an issue Mar 23, 2026 that may be closed by this pull request
UAF Dom dom_objects_free_storage #21496
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ndossche ndossche Awaiting requested review from ndossche ndossche is a code owner

Assignees

No one assigned

Labels

Extension: xsl

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

UAF Dom dom_objects_free_storage

2 participants

@devnexen @iluuu1994