ext/dom: fix use-after-free with XPath callback returning foreign-doc…#22562

Open

devnexen wants to merge 1 commit into php:master from devnexen:gh22554

devnexen (Member) commented Jul 2, 2026

…ument node.

Fix GH-22554

A PHP XPath callback that returns a node belonging to a document created inside the callback (e.g. $d->documentElement of a throwaway DOMDocument) parks that node in the DOMXPath node_list to keep it alive. When a sibling callback consumes a node navigated into that foreign document, the proxy object was created with the DOMXPath's own dom as parent, so it took a reference on the wrong document and none on the foreign one. On teardown the foreign document could be freed while the proxy still referenced it.

Route the proxy factory through dom_xpath_intern_for_doc() so the created object shares the ref_obj of the node's actual document, mirroring the query-result path.

…ument node.

Fix phpGH-22554

A PHP XPath callback that returns a node belonging to a document created
inside the callback (e.g. $d->documentElement of a throwaway DOMDocument)
parks that node in the DOMXPath node_list to keep it alive. When a sibling
callback consumes a node navigated into that foreign document, the proxy
object was created with the DOMXPath's own dom as parent, so it took a
reference on the wrong document and none on the foreign one. On teardown the
foreign document could be freed while the proxy still referenced it.

Route the proxy factory through dom_xpath_intern_for_doc() so the created
object shares the ref_obj of the node's actual document, mirroring the
query-result path.

close phpGH-22562
@devnexen devnexen marked this pull request as ready for review July 3, 2026 04:10
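
Added example, not code from this pull request or from php-src: a toy C model of the reference-counting mistake described above, comparing a proxy that pins the DOMXPath's document with one that pins the node's own document. All type and function names are hypothetical, and freeing is modelled by a flag so the program stays well-defined.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model only: every type and function name here is hypothetical. */
typedef struct { int refcount; bool freed; } doc_t;
typedef struct { doc_t *owner; } node_t;                  /* node lives in owner's tree */
typedef struct { node_t *node; doc_t *pinned; } proxy_t;  /* pinned: document kept alive */

static void doc_addref(doc_t *d) { d->refcount++; }
static void doc_release(doc_t *d) {
    if (--d->refcount == 0) d->freed = true;  /* stands in for freeing the tree */
}

/* Before the fix: the proxy takes its reference on the DOMXPath's own document. */
static proxy_t proxy_pin_xpath_doc(node_t *n, doc_t *xpath_doc) {
    doc_addref(xpath_doc);
    return (proxy_t){ .node = n, .pinned = xpath_doc };
}

/* After the fix: the proxy takes its reference on the node's actual document. */
static proxy_t proxy_pin_node_doc(node_t *n, doc_t *xpath_doc) {
    (void)xpath_doc;
    doc_addref(n->owner);
    return (proxy_t){ .node = n, .pinned = n->owner };
}

typedef proxy_t (*proxy_factory)(node_t *, doc_t *);

/* Returns true when the node's document is gone while the proxy still exists. */
static bool proxy_dangles_after_teardown(proxy_factory make) {
    doc_t xpath_doc = { .refcount = 1 };  /* reference held by the DOMXPath object */
    doc_t foreign   = { .refcount = 1 };  /* assumed: only the parked node_list entry holds it */
    node_t foreign_node = { .owner = &foreign };

    proxy_t p = make(&foreign_node, &xpath_doc);  /* object handed to the sibling callback */
    doc_release(&foreign);                        /* teardown drops the parked entry */
    bool dangling = p.node->owner->freed;         /* would be a use-after-free in real code */
    doc_release(p.pinned);                        /* proxy destroyed afterwards */
    return dangling;
}

int main(void) {
    printf("pin xpath doc: dangling=%d\n", proxy_dangles_after_teardown(proxy_pin_xpath_doc));
    printf("pin node doc:  dangling=%d\n", proxy_dangles_after_teardown(proxy_pin_node_doc));
    return 0;
}
```

Building the real extension with AddressSanitizer is the practical way to confirm the same lifetime ordering on the actual code path.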

Development

Successfully merging this pull request may close these issues.

Use-After-Free in DOMXPath custom-function path
