Commit a97217d
ext/dom: fix use-after-free with XPath callback returning foreign-document node.
Fix GH-22554
A PHP XPath callback that returns a node belonging to a document created
inside the callback (e.g. $d->documentElement of a throwaway DOMDocument)
parks that node in the DOMXPath node_list to keep it alive. When a sibling
callback consumes a node navigated into that foreign document, the proxy
object was created with the DOMXPath's own dom as parent, so it took a
reference on the wrong document and none on the foreign one. On teardown the
foreign document could be freed while the proxy still referenced it.
Route the proxy factory through dom_xpath_intern_for_doc() so the created
object shares the ref_obj of the node's actual document, mirroring the
query-result path.

1 parent 9a14b9b commit a97217d
2 files changed
Lines changed: 38 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
77 | 77 | | |
78 | 78 | | |
79 | 79 | | |
80 | | - | |
| 80 | + | |
| 81 | + | |
81 | 82 | | |
82 | 83 | | |
83 | 84 | | |
| |||