From 4ee275fd59fc9ec33361789e44a16dd030a7e819 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Sat, 28 Mar 2026 14:21:35 +0000 Subject: [PATCH 1/2] Fix GH-21548: Dom\XMLDocument::C14N() emits duplicate xmlns declarations after setAttributeNS(). The xmlns attribute unlinking code in dom_relink_ns_decls_element was clobbering attr->prev instead of updating the predecessor's next pointer, leaving non-first xmlns attributes reachable in the properties list. C14N then output them both as nsDef entries and as attributes. close GH-21566 --- NEWS | 4 ++++ ext/dom/node.c | 2 +- ext/dom/tests/modern/xml/gh21548.phpt | 17 +++++++++++++++++ 3 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 ext/dom/tests/modern/xml/gh21548.phpt diff --git a/NEWS b/NEWS index dc0e430775f18..8ed1497997a7e 100644 --- a/NEWS +++ b/NEWS @@ -6,6 +6,10 @@ PHP NEWS . Fixed bug GH-19983 (GC assertion failure with fibers, generators and destructors). (iliaal) +- DOM: + . Fixed bug GH-21566 (Dom\XMLDocument::C14N() emits duplicate xmlns + declarations after setAttributeNS()). (David Carlier) + - SPL: . Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent free). (Girgias) diff --git a/ext/dom/node.c b/ext/dom/node.c index 9c1a508d669e9..83404d0f598da 100644 --- a/ext/dom/node.c +++ b/ext/dom/node.c @@ -2132,7 +2132,7 @@ static void dom_relink_ns_decls_element(HashTable *links, xmlNodePtr node) ns->_private = attr; if (attr->prev) { - attr->prev = attr->next; + attr->prev->next = attr->next; } else { node->properties = attr->next; } diff --git a/ext/dom/tests/modern/xml/gh21548.phpt b/ext/dom/tests/modern/xml/gh21548.phpt new file mode 100644 index 0000000000000..55299c8d6e679 --- /dev/null +++ b/ext/dom/tests/modern/xml/gh21548.phpt @@ -0,0 +1,17 @@ +--TEST-- +GH-21548 (Dom\XMLDocument::C14N() emits duplicate xmlns declarations after setAttributeNS()) +--CREDITS-- +Toon Verwerft (veewee) +--EXTENSIONS-- +dom +--FILE-- +'); +$doc->documentElement->setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:ns1", "urn:a"); + +echo $doc->C14N() . PHP_EOL; + +?> +--EXPECT-- + From d4f069102253dcb9f6274af139001f8184eb826c Mon Sep 17 00:00:00 2001 From: Ilija Tovilo Date: Wed, 25 Mar 2026 16:54:32 +0100 Subject: [PATCH 2/2] Fix incorrect RC-handling for ZEND_EXT_STMT op1 Fixes GH-21504 Closes GH-21528 --- NEWS | 1 + Zend/tests/gh21504.inc | 3 +++ Zend/tests/gh21504.phpt | 12 ++++++++++++ Zend/zend_compile.c | 3 +++ 4 files changed, 19 insertions(+) create mode 100644 Zend/tests/gh21504.inc create mode 100644 Zend/tests/gh21504.phpt diff --git a/NEWS b/NEWS index 59848d6ab2725..9d69dbaf818af 100644 --- a/NEWS +++ b/NEWS @@ -7,6 +7,7 @@ PHP NEWS destructors). (iliaal) . Fixed ZEND_API mismatch on zend_ce_closure forward decl for Windows+Clang. (henderkes) + . Fixed bug GH-21504 (Incorrect RC-handling for ZEND_EXT_STMT op1). (ilutov) - Iconv: . Fixed bug GH-17399 (iconv memory leak on bailout). (iliaal) diff --git a/Zend/tests/gh21504.inc b/Zend/tests/gh21504.inc new file mode 100644 index 0000000000000..71dc5c2e61f64 --- /dev/null +++ b/Zend/tests/gh21504.inc @@ -0,0 +1,3 @@ + var_dump(...); diff --git a/Zend/tests/gh21504.phpt b/Zend/tests/gh21504.phpt new file mode 100644 index 0000000000000..5fd9eaff91ab6 --- /dev/null +++ b/Zend/tests/gh21504.phpt @@ -0,0 +1,12 @@ +--TEST-- +GH-21504: Incorrect RC-handling for ZEND_EXT_STMT op1 +--FILE-- + +--EXPECT-- +string(4) "1234" diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c index 80f85f421a331..8c748fc8ccc4c 100644 --- a/Zend/zend_compile.c +++ b/Zend/zend_compile.c @@ -1934,6 +1934,9 @@ static void zend_do_extended_stmt(znode* result) /* {{{ */ opline->opcode = ZEND_EXT_STMT; if (result) { + if (result->op_type == IS_CONST) { + Z_TRY_ADDREF(result->u.constant); + } SET_NODE(opline->op1, result); } }