From a4aa4f9772a6c30f69db8560cde1f5fe4545b174 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmb@php.net>
Date: Fri, 15 Jul 2016 00:57:36 +0200
Subject: Fix bug #66502: DOM document dangling reference

When we decrement the refcount of a node's document, we state that we
won't need it anymore. Therefore we can *always* set the pointer to the
document to NULL, what avoids invalid memory accesses for some edge cases
as demonstrated with the PHPT.

Original patch provided by Sean Heelan.
---
 ext/libxml/libxml.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'ext/libxml')

diff --git a/ext/libxml/libxml.c b/ext/libxml/libxml.c
index bd0016b79f..b252cb6d81 100644
--- a/ext/libxml/libxml.c
+++ b/ext/libxml/libxml.c
@@ -1272,8 +1272,8 @@ PHP_LIBXML_API int php_libxml_decrement_doc_ref(php_libxml_node_object *object T
 				efree(object->document->doc_props);
 			}
 			efree(object->document);
-			object->document = NULL;
 		}
+		object->document = NULL;
 	}
 
 	return ret_refcount;
-- 
cgit v1.2.1