diff --git a/NEWS b/NEWS index 0f6b6c9c520..22d40b50e95 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,10 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? ????, PHP 8.4.0RC2 +- DOM: + . Fixed bug GH-16039 (Segmentation fault (access null pointer) in + ext/dom/parentnode/tree.c). (nielsdos) + - Opcache: . Fixed bug GH-16009 (Segmentation fault with frameless functions and undefined CVs). (nielsdos) diff --git a/ext/dom/parentnode/tree.c b/ext/dom/parentnode/tree.c index e3de2b9bfff..ef1ad42b68c 100644 --- a/ext/dom/parentnode/tree.c +++ b/ext/dom/parentnode/tree.c @@ -379,6 +379,11 @@ xmlNode* dom_zvals_to_single_node(php_libxml_ref_obj *document, xmlNode *context newNodeObj = Z_DOMOBJ_P(&nodes[i]); newNode = dom_object_get_node(newNodeObj); + if (UNEXPECTED(!newNode)) { + php_dom_throw_error(INVALID_STATE_ERR, /* strict */ true); + goto err; + } + if (!dom_is_pre_insert_valid_without_step_1(document, node, newNode, NULL, documentNode)) { goto err; } diff --git a/ext/dom/tests/gh16039.phpt b/ext/dom/tests/gh16039.phpt new file mode 100644 index 00000000000..48a862eda7b --- /dev/null +++ b/ext/dom/tests/gh16039.phpt @@ -0,0 +1,31 @@ +--TEST-- +GH-16039 (Segmentation fault (access null pointer) in ext/dom/parentnode/tree.c) +--EXTENSIONS-- +dom +--FILE-- +appendChild($dom->createElement('root')); +try { + $element->prepend('x', new DOMEntity); +} catch (DOMException $e) { + echo $e->getMessage(), "\n"; +} +echo $dom->saveXML(); +$dom->strictErrorChecking = false; // Should not have influence +try { + $element->prepend('x', new DOMEntity); +} catch (DOMException $e) { + echo $e->getMessage(), "\n"; +} +echo $dom->saveXML(); + +?> +--EXPECT-- +Invalid State Error + + +Invalid State Error + +
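Review bot: The new `if (UNEXPECTED(!newNode))` guard in dom_zvals_to_single_node has no comment saying when `dom_object_get_node()` can return NULL, which matters because the accompanying test reaches it from plain userland code by passing `new DOMEntity`. I would add a comment above the check such as `/* A DOM object created directly from userland (e.g. new DOMEntity) may have no backing libxml node. */`. The function body starts and ends outside the hunk, so it is worth confirming whether other places in this file dereference the result of `dom_object_get_node()` without a similar check. The cleanup at the `err` label is also outside the hunk; presumably it releases whatever was built for the earlier arguments (the `'x'` string in the test), but that should be verified.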
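Review bot: The regression test reaches the new NULL check only through `prepend()`, and only with the node-less object as the last argument, after a string. If dom_zvals_to_single_node is shared by the other variadic insertion methods (an inference from its name; its callers are not visible here), a case such as `$element->append(new DOMEntity);` in the same try/catch shape would cover a second entry point and the first-argument position. The `--EXPECT--` section would then need the matching extra `Invalid State Error` line and document dump.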