authorChristoph M. Becker <cmb@php.net>2016-07-15 00:57:36 +0200
committerChristoph M. Becker <cmb@php.net>2016-07-15 01:08:08 +0200
commita4aa4f9772a6c30f69db8560cde1f5fe4545b174 (patch)
treead0097c2d52ec1f54a9fb651916d7a750bcc4619
parent1c84b55adea936b065a20102202bea3d1d243225 (diff)
downloadphp-git-a4aa4f9772a6c30f69db8560cde1f5fe4545b174.tar.gz
Fix bug #66502: DOM document dangling reference
When we decrement the refcount of a node's document, we state that we won't need it anymore. Therefore we can *always* set the pointer to the document to NULL, which avoids invalid memory accesses in some edge cases, as demonstrated by the PHPT. Original patch provided by Sean Heelan.
-rw-r--r--NEWS3
-rw-r--r--ext/dom/tests/bug66502.phpt20
-rw-r--r--ext/libxml/libxml.c2
3 files changed, 24 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index a9ca67ad8c..455e44b842 100644
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,9 @@ PHP NEWS
. Fixed bug #66836 (DateTime::createFromFormat 'U' with pre 1970 dates fails
parsing). (derick)
+- DOM:
+ . Fixed bug #66502 (DOM document dangling reference). (Sean Heelan, cmb)
+
- Filter:
. Fixed bug #71745 (FILTER_FLAG_NO_RES_RANGE does not cover whole 127.0.0.0/8
range). (bugs dot php dot net at majkl578 dot cz)
diff --git a/ext/dom/tests/bug66502.phpt b/ext/dom/tests/bug66502.phpt
new file mode 100644
index 0000000000..5b35b41e93
--- /dev/null
+++ b/ext/dom/tests/bug66502.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #66502 (DOM document dangling reference)
+--SKIPIF--
+<?php
+if (!extension_loaded('dom')) die('skip requires ext/dom');
+?>
+--FILE--
+<?php
+$dom = new DOMDocument('1.0', 'UTF-8');
+$element = $dom->appendChild(new DOMElement('root'));
+$comment = new DOMComment("Comment 0");
+$comment = $element->appendChild($comment);
+
+$comment->__construct("Comment 1");
+$comment->__construct("Comment 2");
+$comment->__construct("Comment 3");
+echo 'DONE', PHP_EOL;
+?>
+--EXPECT--
+DONE
\ No newline at end of file
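Review bot: The only expectation is `DONE`, so this test fails only if the stale access actually brings the process down. The commit message describes invalid memory accesses rather than a guaranteed crash, so on an ordinary build the regression could pass silently; the test is most meaningful when the suite runs under a memory checker such as valgrind or ASan. A comment above the three `__construct` calls would tell the next reader what is being exercised, e.g. `// Repeated __construct() calls on an attached node used to trigger invalid memory accesses (bug #66502).`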
diff --git a/ext/libxml/libxml.c b/ext/libxml/libxml.c
index bd0016b79f..b252cb6d81 100644
--- a/ext/libxml/libxml.c
+++ b/ext/libxml/libxml.c
@@ -1272,8 +1272,8 @@ PHP_LIBXML_API int php_libxml_decrement_doc_ref(php_libxml_node_object *object T
efree(object->document->doc_props);
}
efree(object->document);
- object->document = NULL;
}
+ object->document = NULL;
}
return ret_refcount;
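Review bot: The now-unconditional `object->document = NULL;` carries no comment explaining why the pointer is cleared even when the document is not freed. Without one, a later cleanup could move it back next to `efree(object->document);` and reintroduce the dangling reference. I would add above it something like `/* This object has given up its reference: always clear the pointer, even if other holders keep the document alive. */`. The function starts outside the hunk, so the guard on `object->document` is not visible here. Presumably it is a NULL check, in which case clearing the pointer also stops a second call on the same object from decrementing a count it no longer owns. Callers that read `object->document` after this call now see NULL in every case, which is worth confirming against the call sites.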