From a08847ab39bb512d500cf196981a3e8780c83600 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Mon, 15 Mar 2021 10:26:50 +0100
Subject: Fix #66783: UAF when appending DOMDocument to element

According to the DOM standard, elements may only contain element, text,
processing instruction and comment nodes[1].  It is also specified that
a HierarchyRequestError should be thrown if a document is to be
inserted[2].  We follow that standard, and prevent the use-after-free
this way.

[1] <https://dom.spec.whatwg.org/#node-trees>
[2] <https://dom.spec.whatwg.org/#mutation-algorithms>

Closes GH-6765.
---
 ext/dom/php_dom.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

(limited to 'ext/dom/php_dom.c')

diff --git a/ext/dom/php_dom.c b/ext/dom/php_dom.c
index 6bc72e9f97..2f2878d5e1 100644
--- a/ext/dom/php_dom.c
+++ b/ext/dom/php_dom.c
@@ -1302,9 +1302,13 @@ int dom_hierarchy(xmlNodePtr parent, xmlNodePtr child)
 {
 	xmlNodePtr nodep;
 
-    if (parent == NULL || child == NULL || child->doc != parent->doc) {
-        return SUCCESS;
-    }
+	if (parent == NULL || child == NULL || child->doc != parent->doc) {
+		return SUCCESS;
+	}
+
+	if (child->type == XML_DOCUMENT_NODE) {
+		return FAILURE;
+	}
 
 	nodep = parent;
 
-- 
cgit v1.2.1