Fix GH-21496: UAF in dom_objects_free_storage.

devnexen · devnexen · commit d17a99789b7f · 2026-03-24T12:23:25.000Z
Cloning a non-document DOM node creates a copy within the same
xmlDoc. importStylesheet then passes that original document to
xsltParseStylesheetDoc, which may strip and free nodes during
processing, invalidating PHP objects still referencing them.

Resolve the ownerDocument for non-document nodes and clone that
instead.
diff --git a/ext/xsl/tests/gh21496.phpt b/ext/xsl/tests/gh21496.phpt
@@ -0,0 +1,23 @@
+--TEST--
+GH-21496 (UAF in dom_objects_free_storage when importing non-document node as stylesheet)
+--EXTENSIONS--
+dom
+xsl
+--CREDITS--
+YuanchengJiang
+--FILE--
+<?php
+$comment = new DOMComment("my value");
+$doc = new DOMDocument();
+$doc->loadXML(<<<XML
+<container/>
+XML);
+$doc->documentElement->appendChild($comment);
+$proc = new XSLTProcessor();
+var_dump($proc->importStylesheet($comment));
+?>
+--EXPECTF--
+Warning: XSLTProcessor::importStylesheet(): compilation error: file %s line 1 element container in %s on line %d
+
+Warning: XSLTProcessor::importStylesheet(): xsltParseStylesheetProcess : document is not a stylesheet in %s on line %d
+bool(false)
diff --git a/ext/xsl/xsltprocessor.c b/ext/xsl/xsltprocessor.c
@@ -167,14 +167,39 @@ PHP_METHOD(XSLTProcessor, importStylesheet)
 	xsltStylesheetPtr sheetp;
 	bool clone_docu = false;
 	xmlNode *nodep = NULL;
-	zval *cloneDocu, rv, clone_zv;
+	zval *cloneDocu, rv, clone_zv, owner_zv;
 	zend_string *member;
 
 	id = ZEND_THIS;
 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "o", &docp) == FAILURE) {
 		RETURN_THROWS();
 	}
 
+	nodep = php_libxml_import_node(docp);
+	if (nodep == NULL) {
+		zend_argument_type_error(1, "must be a valid XML node");
+		RETURN_THROWS();
+	}
+
+	ZVAL_UNDEF(&owner_zv);
+
+	/* For non-document nodes, resolve the ownerDocument and clone that
+	 * instead as xsltParseStylesheetProcess may free nodes in the document. */
+	if (nodep->type != XML_DOCUMENT_NODE && nodep->type != XML_HTML_DOCUMENT_NODE) {
+		if (nodep->doc == NULL) {
+			zend_argument_value_error(1, "must be part of a document");
+			RETURN_THROWS();
+		}
+
+		php_dom_create_object((xmlNodePtr) nodep->doc, &owner_zv, php_dom_obj_from_obj(Z_OBJ_P(docp)));
+		docp = &owner_zv;
+	}
+
+	if (Z_OBJ_HANDLER_P(docp, clone_obj) == NULL) {
+		zend_argument_type_error(1, "must be a cloneable document");
+		RETURN_THROWS();
+	}
+
 	/* libxslt uses _private, so we must copy the imported
 	 * stylesheet document otherwise the node proxies will be a mess.
 	 * We will clone the object and detach the libxml internals later. */
@@ -183,6 +208,7 @@ PHP_METHOD(XSLTProcessor, importStylesheet)
 		RETURN_THROWS();
 	}
 
+	zval_ptr_dtor(&owner_zv);
 	ZVAL_OBJ(&clone_zv, clone);
 	nodep = php_libxml_import_node(&clone_zv);
 
