Fix bug #80602: Segfault when using DOMChildNode::before()

This furthermore fixes the logic error explained in
#8729 (comment)

Closes GH-10682.

Author: NathanFreeman

NEWS

@@ -24,6 +24,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-10583 (DateTime modify with tz pattern should not update
     linked timezone). (Derick)
 
+- DOM:
+  . Fixed bug #80602 (Segfault when using DOMChildNode::before()).
+    (Nathan Freeman)
+
 - FPM:
   . Fixed bug GH-10611 (fpm_env_init_main leaks environ). (nielsdos)
   . Destroy file_handle in fpm_main. (Jakub Zelenka, nielsdos)

ext/dom/parentnode.c

@@ -181,8 +181,20 @@ xmlNode* dom_zvals_to_fragment(php_libxml_ref_obj *document, xmlNode *contextNod
 					return NULL;
 				}
 
+				/*
+				 * xmlNewDocText function will always returns same address to the second parameter if the parameters are greater than or equal to three.
+				 * If it's text, that's fine, but if it's an object, it can cause invalid pointer because many new nodes point to the same memory address.
+				 * So we must copy the new node to avoid this situation.
+				 */
+				if (nodesc > 1) {
+					newNode = xmlCopyNode(newNode, 1);
+				}
+
 				if (!xmlAddChild(fragment, newNode)) {
 					xmlFree(fragment);
+					if (nodesc > 1) {
+						xmlFreeNode(newNode);
+					}
 
 					php_dom_throw_error(HIERARCHY_REQUEST_ERR, stricterror);
 					return NULL;
@@ -302,7 +314,9 @@ void dom_parent_node_after(dom_object *context, zval *nodes, int nodesc)
 {
 	xmlNode *prevsib = dom_object_get_node(context);
 	xmlNodePtr newchild, parentNode;
-	xmlNode *fragment;
+	xmlNode *fragment, *nextsib;
+	xmlDoc *doc;
+	bool afterlastchild;
 
 	int stricterror = dom_get_strict_error(context->document);
 
@@ -311,7 +325,10 @@ void dom_parent_node_after(dom_object *context, zval *nodes, int nodesc)
 		return;
 	}
 
+	doc = prevsib->doc;
 	parentNode = prevsib->parent;
+	nextsib = prevsib->next;
+	afterlastchild = (nextsib == NULL);
 	fragment = dom_zvals_to_fragment(context->document, parentNode, nodes, nodesc);
 
 	if (fragment == NULL) {
@@ -321,13 +338,42 @@ void dom_parent_node_after(dom_object *context, zval *nodes, int nodesc)
 	newchild = fragment->children;
 
 	if (newchild) {
-		fragment->last->next = prevsib->next;
-		prevsib->next = newchild;
+		/* first node and last node are both both parameters to DOMElement::after() method so nextsib and prevsib are null. */
+		if (!parentNode->children) {
+			prevsib = nextsib = NULL;
+		} else if (afterlastchild) {
+			/*
+			 * The new node will be inserted after last node, prevsib is last node.
+			 * The first node is the parameter to DOMElement::after() if parentNode->children == prevsib is true
+			 * and prevsib does not change, otherwise prevsib is parentNode->last (first node).
+			 */
+			prevsib = parentNode->children == prevsib ? prevsib : parentNode->last;
+		} else {
+			/*
+			 * The new node will be inserted after first node, prevsib is first node.
+			 * The first node is not the parameter to DOMElement::after() if parentNode->children == prevsib is true
+			 * and prevsib does not change otherwise prevsib is null to mean that parentNode->children is the new node.
+			 */
+			prevsib = parentNode->children == prevsib ? prevsib : NULL;
+		}
 
-		newchild->prev = prevsib;
+		if (prevsib) {
+			fragment->last->next = prevsib->next;
+			if (prevsib->next) {
+				prevsib->next->prev = fragment->last;
+			}
+			prevsib->next = newchild;
+		} else {
+			parentNode->children = newchild;
+			if (nextsib) {
+				fragment->last->next = nextsib;
+				nextsib->prev = fragment->last;
+			}
+		}
 
+		newchild->prev = prevsib;
 		dom_fragment_assign_parent_node(parentNode, fragment);
-		dom_reconcile_ns(prevsib->doc, newchild);
+		dom_reconcile_ns(doc, newchild);
 	}
 
 	xmlFree(fragment);
@@ -337,10 +383,15 @@ void dom_parent_node_before(dom_object *context, zval *nodes, int nodesc)
 {
 	xmlNode *nextsib = dom_object_get_node(context);
 	xmlNodePtr newchild, prevsib, parentNode;
-	xmlNode *fragment;
+	xmlNode *fragment, *afternextsib;
+	xmlDoc *doc;
+	bool beforefirstchild;
 
+	doc = nextsib->doc;
 	prevsib = nextsib->prev;
+	afternextsib = nextsib->next;
 	parentNode = nextsib->parent;
+	beforefirstchild = !prevsib;
 	fragment = dom_zvals_to_fragment(context->document, parentNode, nodes, nodesc);
 
 	if (fragment == NULL) {
@@ -350,19 +401,40 @@ void dom_parent_node_before(dom_object *context, zval *nodes, int nodesc)
 	newchild = fragment->children;
 
 	if (newchild) {
+		/* first node and last node are both both parameters to DOMElement::before() method so nextsib is null. */
+		if (!parentNode->children) {
+			nextsib = NULL;
+		} else if (beforefirstchild) {
+			/*
+			 * The new node will be inserted before first node, nextsib is first node and afternextsib is last node.
+			 * The first node is not the parameter to DOMElement::before() if parentNode->children == nextsib is true
+			 * and nextsib does not change, otherwise nextsib is the last node.
+			 */
+			nextsib = parentNode->children == nextsib ? nextsib : afternextsib;
+		} else {
+			/*
+			 * The new node will be inserted before last node, prevsib is first node and nestsib is last node.
+			 * The first node is not the parameter to DOMElement::before() if parentNode->children == prevsib is true
+			 * but last node may be, so use prevsib->next to determine the value of nextsib, otherwise nextsib does not change.
+			 */
+			nextsib = parentNode->children == prevsib ? prevsib->next : nextsib;
+		}
+
 		if (parentNode->children == nextsib) {
 			parentNode->children = newchild;
 		} else {
 			prevsib->next = newchild;
 		}
+
 		fragment->last->next = nextsib;
-		nextsib->prev = fragment->last;
+		if (nextsib) {
+			nextsib->prev = fragment->last;
+		}
 
 		newchild->prev = prevsib;
 
 		dom_fragment_assign_parent_node(parentNode, fragment);
-
-		dom_reconcile_ns(nextsib->doc, newchild);
+		dom_reconcile_ns(doc, newchild);
 	}
 
 	xmlFree(fragment);

ext/dom/tests/bug80602.phpt

@@ -0,0 +1,178 @@
+--TEST--
+Bug #80602 (Segfault when using DOMChildNode::before())
+--FILE--
+<?php
+declare(strict_types=1);
+
+$doc = new \DOMDocument();
+$doc->loadXML('<a>foo<last/></a>');
+$target = $doc->documentElement->firstChild;
+$target->before($target);
+echo $doc->saveXML($doc->documentElement).PHP_EOL;
+
+$doc = new \DOMDocument();
+$doc->loadXML('<a>foo<last/></a>');
+$target = $doc->documentElement->lastChild;
+$target->before($target);
+echo $doc->saveXML($doc->documentElement).PHP_EOL;
+
+
+$doc = new \DOMDocument();
+$doc->loadXML('<a>foo<last/></a>');
+$target = $doc->documentElement->firstChild;
+$target->before($doc->documentElement->lastChild);
+echo $doc->saveXML($doc->documentElement).PHP_EOL;
+
+$doc = new \DOMDocument();
+$doc->loadXML('<a>foo<last/></a>');
+$target = $doc->documentElement->lastChild;
+$target->before($doc->documentElement->firstChild);
+echo $doc->saveXML($doc->documentElement).PHP_EOL;
+
+
+$doc = new \DOMDocument();
+$doc->loadXML('<a>foo<last/></a>');
+$target = $doc->documentElement->firstChild;
+$target->before($target, $doc->documentElement->lastChild);
+echo $doc->saveXML($doc->documentElement).PHP_EOL;
+
+$doc = new \DOMDocument();
+$doc->loadXML('<a>foo<last/></a>');
+$target = $doc->documentElement->firstChild;
+$target->before($doc->documentElement->lastChild, $target);
+echo $doc->saveXML($doc->documentElement).PHP_EOL;
+
+
+$doc = new \DOMDocument();
+$doc->loadXML('<a>foo<last/></a>');
+$target = $doc->documentElement->lastChild;
+$target->before($target, $doc->documentElement->firstChild);
+echo $doc->saveXML($doc->documentElement).PHP_EOL;
+
+$doc = new \DOMDocument();
+$doc->loadXML('<a>foo<last/></a>');
+$target = $doc->documentElement->lastChild;
+$target->before($doc->documentElement->firstChild, $target);
+echo $doc->saveXML($doc->documentElement).PHP_EOL;
+
+
+$doc = new \DOMDocument();
+$doc->loadXML('<a>foo<last/></a>');
+$target = $doc->documentElement->firstChild;
+$target->before('bar','baz');
+echo $doc->saveXML($doc->documentElement).PHP_EOL;
+
+$doc = new \DOMDocument();
+$doc->loadXML('<a>foo<last/></a>');
+$target = $doc->documentElement->lastChild;
+$target->before('bar','baz');
+echo $doc->saveXML($doc->documentElement).PHP_EOL;
+
+
+$doc = new \DOMDocument();
+$doc->loadXML('<a>foo<last/></a>');
+$target = $doc->documentElement->firstChild;
+$target->before($target, 'bar','baz');
+echo $doc->saveXML($doc->documentElement).PHP_EOL;
+
+$doc = new \DOMDocument();
+$doc->loadXML('<a>foo<last/></a>');
+$target = $doc->documentElement->firstChild;
+$target->before('bar', $target, 'baz');
+echo $doc->saveXML($doc->documentElement).PHP_EOL;
+
+$doc = new \DOMDocument();
+$doc->loadXML('<a>foo<last/></a>');
+$target = $doc->documentElement->firstChild;
+$target->before('bar', 'baz', $target);
+echo $doc->saveXML($doc->documentElement).PHP_EOL;
+
+
+
+$doc = new \DOMDocument();
+$doc->loadXML('<a>foo<last/></a>');
+$target = $doc->documentElement->lastChild;
+$target->before($target, 'bar','baz');
+echo $doc->saveXML($doc->documentElement).PHP_EOL;
+
+$doc = new \DOMDocument();
+$doc->loadXML('<a>foo<last/></a>');
+$target = $doc->documentElement->lastChild;
+$target->before('bar', $target, 'baz');
+echo $doc->saveXML($doc->documentElement).PHP_EOL;
+
+$doc = new \DOMDocument();
+$doc->loadXML('<a>foo<last/></a>');
+$target = $doc->documentElement->lastChild;
+$target->before('bar', 'baz', $target);
+echo $doc->saveXML($doc->documentElement).PHP_EOL;
+
+
+
+$doc = new \DOMDocument();
+$doc->loadXML('<a>foo<last/></a>');
+$target = $doc->documentElement->firstChild;
+$target->before('bar', $target, $doc->documentElement->lastChild);
+echo $doc->saveXML($doc->documentElement).PHP_EOL;
+
+
+$doc = new \DOMDocument();
+$doc->loadXML('<a>foo<last/></a>');
+$target = $doc->documentElement->firstChild;
+$target->before($target, 'bar', $doc->documentElement->lastChild);
+echo $doc->saveXML($doc->documentElement).PHP_EOL;
+
+
+$doc = new \DOMDocument();
+$doc->loadXML('<a>foo<last/></a>');
+$target = $doc->documentElement->firstChild;
+$target->before($target, $doc->documentElement->lastChild, 'bar');
+echo $doc->saveXML($doc->documentElement).PHP_EOL;
+
+
+
+
+$doc = new \DOMDocument();
+$doc->loadXML('<a>foo<last/></a>');
+$target = $doc->documentElement->lastChild;
+$target->before('bar', $doc->documentElement->firstChild, $target);
+echo $doc->saveXML($doc->documentElement).PHP_EOL;
+
+
+$doc = new \DOMDocument();
+$doc->loadXML('<a>foo<last/></a>');
+$target = $doc->documentElement->lastChild;
+$target->before($doc->documentElement->firstChild, 'bar', $target);
+echo $doc->saveXML($doc->documentElement).PHP_EOL;
+
+
+$doc = new \DOMDocument();
+$doc->loadXML('<a>foo<last/></a>');
+$target = $doc->documentElement->lastChild;
+$target->before($doc->documentElement->firstChild, $target, 'bar');
+echo $doc->saveXML($doc->documentElement).PHP_EOL;
+
+?>
+--EXPECTF--
+<a>foo<last/></a>
+<a>foo<last/></a>
+<a><last/>foo</a>
+<a>foo<last/></a>
+<a>foo<last/></a>
+<a><last/>foo</a>
+<a><last/>foo</a>
+<a>foo<last/></a>
+<a>barbazfoo<last/></a>
+<a>foobarbaz<last/></a>
+<a>foobarbaz<last/></a>
+<a>barfoobaz<last/></a>
+<a>barbazfoo<last/></a>
+<a>foo<last/>barbaz</a>
+<a>foobar<last/>baz</a>
+<a>foobarbaz<last/></a>
+<a>barfoo<last/></a>
+<a>foobar<last/></a>
+<a>foo<last/>bar</a>
+<a>barfoo<last/></a>
+<a>foobar<last/></a>
+<a>foo<last/>bar</a>