ext/dom: Fix UAF in custom XPath function

afflerbach · afflerbach · commit f527fab8d64c · 2026-05-18T10:19:57.000+02:00
Co-authored-by: David CARLIER devnexen@gmail.com
diff --git a/ext/dom/tests/bug22077.phpt b/ext/dom/tests/bug22077.phpt
@@ -0,0 +1,25 @@
+--TEST--
+test for issue #22077
+--DESCRIPTION--
+Registers a custom XPath function providing nodes from a new document.
+Results in a heap UAF in request shutdown if these nodes are accessed further
+down the road without protecting their origin document from GC.
+Build with '-fsanitize=address' or test with 'valgrind' or '-m'.
+--FILE--
+<?php
+$document = new DOMDocument;
+$xpath = new DOMXPath($document);
+$xpath->registerNamespace("my", "my.ns");
+$xpath->registerPHPFunctionNS('my.ns', 'include', function(): DOMElement {
+    $includedDocument = new DOMDocument;
+    $includedDocument->loadXML('<root><uaf/><node/><uaf/></root>');
+    return $includedDocument->documentElement;
+});
+$nodeset = $xpath->query('my:include()/uaf');
+$node = $nodeset->item(0);
+var_dump($nodeset->length);
+var_dump($node->ownerDocument->saveXML($node));
+?>
+--EXPECT--
+int(2)
+string(6) "<uaf/>"
diff --git a/ext/dom/xpath.c b/ext/dom/xpath.c
@@ -35,6 +35,24 @@
 
 #ifdef LIBXML_XPATH_ENABLED
 
+static dom_object *dom_xpath_intern_for_doc(dom_xpath_object *xpath_obj, xmlDocPtr doc)
+{
+	if (xpath_obj->dom.document && xpath_obj->dom.document->ptr == doc) {
+		return &xpath_obj->dom;
+	}
+	HashTable *node_list = xpath_obj->xpath_callbacks.node_list;
+	if (node_list) {
+		zval *entry;
+		ZEND_HASH_PACKED_FOREACH_VAL(node_list, entry) {
+			dom_object *obj = Z_DOMOBJ_P(entry);
+			if (obj->document && obj->document->ptr == doc) {
+				return obj;
+			}
+		} ZEND_HASH_FOREACH_END();
+	}
+	return &xpath_obj->dom;
+}
+
 void dom_xpath_objects_free_storage(zend_object *object)
 {
 	dom_xpath_object *intern = php_xpath_obj_from_obj(object);
@@ -357,7 +375,8 @@ static void php_xpath_eval(INTERNAL_FUNCTION_PARAMETERS, int type, bool modern)
 
 						node = php_dom_create_fake_namespace_decl(nsparent, original, &child, parent_intern);
 					} else {
-						php_dom_create_object(node, &child, &intern->dom);
+						dom_object *parent = dom_xpath_intern_for_doc(intern, node->doc);
+						php_dom_create_object(node, &child, parent);
 					}
 					add_next_index_zval(&retval, &child);
 				}
