Fix GH-20722: Null pointer dereference in DOM namespace node cloning via clone on malformed objects

Closes GH-20730.

Author: ndossche

NEWS

@@ -13,6 +13,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-20620 (bzcompress overflow on large source size).
     (David Carlier)
 
+- DOM:
+  . Fixed bug GH-20722 (Null pointer dereference in DOM namespace node cloning
+    via clone on malformed objects). (ndossche)
+
 - GD:
   . Fixed bug GH-20622 (imagestring/imagestringup overflow). (David Carlier)
 

ext/dom/php_dom.c

@@ -541,15 +541,17 @@ static zend_object *dom_object_namespace_node_clone_obj(zend_object *zobject)
 	zend_object *clone = dom_objects_namespace_node_new(intern->dom.std.ce);
 	dom_object_namespace_node *clone_intern = php_dom_namespace_node_obj_from_obj(clone);
 
-	xmlNodePtr original_node = dom_object_get_node(&intern->dom);
-	ZEND_ASSERT(original_node->type == XML_NAMESPACE_DECL);
-	xmlNodePtr cloned_node = php_dom_create_fake_namespace_decl_node_ptr(original_node->parent, original_node->ns);
-
 	if (intern->parent_intern) {
 		clone_intern->parent_intern = intern->parent_intern;
 		GC_ADDREF(&clone_intern->parent_intern->std);
 	}
-	dom_update_refcount_after_clone(&intern->dom, original_node, &clone_intern->dom, cloned_node);
+
+	xmlNodePtr original_node = dom_object_get_node(&intern->dom);
+	if (original_node != NULL) {
+		ZEND_ASSERT(original_node->type == XML_NAMESPACE_DECL);
+		xmlNodePtr cloned_node = php_dom_create_fake_namespace_decl_node_ptr(original_node->parent, original_node->ns);
+		dom_update_refcount_after_clone(&intern->dom, original_node, &clone_intern->dom, cloned_node);
+	}
 
 	zend_objects_clone_members(clone, &intern->dom.std);
 	return clone;

ext/dom/tests/gh20722.phpt

@@ -0,0 +1,13 @@
+--TEST--
+GH-20722 (Null pointer dereference in DOM namespace node cloning via clone on malformed objects)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+
+clone new DOMNameSpaceNode();
+echo "Done";
+
+?>
+--EXPECT--
+Done