diff --git a/NEWS b/NEWS
index e64bf74a8e7..bf7551b2372 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? ????, PHP 8.3.13
+- DOM:
+ . Fixed bug GH-16039 (Segmentation fault (access null pointer) in
+ ext/dom/parentnode/tree.c). (nielsdos)
+
- PHPDBG:
. Fixed bug GH-15901 (phpdbg: Assertion failure on i funcs). (cmb)
diff --git a/ext/dom/parentnode.c b/ext/dom/parentnode.c
index d656d92d6de..947c8b3f991 100644
--- a/ext/dom/parentnode.c
+++ b/ext/dom/parentnode.c
@@ -265,6 +265,11 @@ static zend_result dom_sanity_check_node_list_for_insertion(php_libxml_ref_obj *
if (instanceof_function(ce, dom_node_class_entry)) {
xmlNodePtr node = dom_object_get_node(Z_DOMOBJ_P(nodes + i));
+ if (!node) {
+ php_dom_throw_error(INVALID_STATE_ERR, /* strict */ true);
+ return FAILURE;
+ }
+
if (node->doc != documentNode) {
php_dom_throw_error(WRONG_DOCUMENT_ERR, dom_get_strict_error(document));
return FAILURE;
diff --git a/ext/dom/tests/gh16039.phpt b/ext/dom/tests/gh16039.phpt
new file mode 100644
index 00000000000..48a862eda7b
--- /dev/null
+++ b/ext/dom/tests/gh16039.phpt
@@ -0,0 +1,31 @@
+--TEST--
+GH-16039 (Segmentation fault (access null pointer) in ext/dom/parentnode/tree.c)
+--EXTENSIONS--
+dom
+--FILE--
+appendChild($dom->createElement('root'));
+try {
+ $element->prepend('x', new DOMEntity);
+} catch (DOMException $e) {
+ echo $e->getMessage(), "\n";
+}
+echo $dom->saveXML();
+$dom->strictErrorChecking = false; // Should not have influence
+try {
+ $element->prepend('x', new DOMEntity);
+} catch (DOMException $e) {
+ echo $e->getMessage(), "\n";
+}
+echo $dom->saveXML();
+
+?>
+--EXPECT--
+Invalid State Error
+
+
+Invalid State Error
+
+