authorChristoph M. Becker <cmbecker69@gmx.de>2021-03-17 12:39:06 +0100
committerChristoph M. Becker <cmbecker69@gmx.de>2021-03-17 12:40:03 +0100
commitfddd0ac5520916b6ea3852b6b0d75b1f7ede8095 (patch)
treee2d38d8c4555e0b69988107e6149f4c73738cbeb
parentc7fadd23282b105adbdd17692734bc2940831d62 (diff)
parenta08847ab39bb512d500cf196981a3e8780c83600 (diff)
downloadphp-git-fddd0ac5520916b6ea3852b6b0d75b1f7ede8095.tar.gz
Merge branch 'PHP-7.4' into PHP-8.0
* PHP-7.4: Fix #66783: UAF when appending DOMDocument to element
-rw-r--r--NEWS3
-rw-r--r--ext/dom/php_dom.c10
-rw-r--r--ext/dom/tests/bug66783.phpt19
3 files changed, 29 insertions, 3 deletions
diff --git a/NEWS b/NEWS
index fa1bf056eb..0da6240423 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 2021, PHP 8.0.5
+- DOM:
+ . Fixed bug #66783 (UAF when appending DOMDocument to element). (cmb)
+
- FFI:
. Fixed bug #80847 (CData structs with fields of type struct can't be passed
as C function argument). (Nickolas Daniel da Silva, Dmitry)
diff --git a/ext/dom/php_dom.c b/ext/dom/php_dom.c
index 78d22f6a5e..351c138622 100644
--- a/ext/dom/php_dom.c
+++ b/ext/dom/php_dom.c
@@ -1243,9 +1243,13 @@ int dom_hierarchy(xmlNodePtr parent, xmlNodePtr child)
{
xmlNodePtr nodep;
- if (parent == NULL || child == NULL || child->doc != parent->doc) {
- return SUCCESS;
- }
+ if (parent == NULL || child == NULL || child->doc != parent->doc) {
+ return SUCCESS;
+ }
+
+ if (child->type == XML_DOCUMENT_NODE) {
+ return FAILURE;
+ }
nodep = parent;
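Review bot: The added guard `child->type == XML_DOCUMENT_NODE` does not match documents that libxml2 tags as `XML_HTML_DOCUMENT_NODE`, which is the node type I would expect for a DOMDocument filled through loadHTML(), so that variant may still pass this check. Whether the same use-after-free is reachable that way cannot be confirmed from this hunk, but if it is, the condition should read `if (child->type == XML_DOCUMENT_NODE || child->type == XML_HTML_DOCUMENT_NODE) {`, and ext/dom/tests/bug66783.phpt should gain a loadHTML() case next to the loadXML() one. A short comment above the check, for example `/* a document node can never become a child of another node */`, would record why FAILURE is returned here. The body of dom_hierarchy continues past the end of the hunk, so the ancestor walk that follows is not visible for review.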
diff --git a/ext/dom/tests/bug66783.phpt b/ext/dom/tests/bug66783.phpt
new file mode 100644
index 0000000000..98981a88f6
--- /dev/null
+++ b/ext/dom/tests/bug66783.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #66783 (UAF when appending DOMDocument to element)
+--SKIPIF--
+<?php
+if (!extension_loaded('dom')) die('skip dom extension not available');
+?>
+--FILE--
+<?php
+$doc = new DomDocument;
+$doc->loadXML('<root></root>');
+$e = $doc->createElement('e');
+try {
+ $e->appendChild($doc);
+} catch (DOMException $ex) {
+ echo $ex->getMessage(), PHP_EOL;
+}
+?>
+--EXPECTF--
+Hierarchy Request Error
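Review bot: The expectation section is `--EXPECTF--`, but the expected output `Hierarchy Request Error` contains no format placeholders, so `--EXPECT--` would compare it literally and is the simpler choice. The test prints only the exception message; also echoing `$ex->getCode()` would pin the error to the hierarchy-request code rather than to its wording.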