Test showing the issue

Author: afflerbach

ext/dom/tests/bug22077.phpt

@@ -0,0 +1,25 @@
+--TEST--
+test for issue #22077
+--DESCRIPTION--
+Registers a custom XPath function providing nodes from a new document.
+Results in a heap UAF in request shutdown if these nodes are accessed further
+down the road without protecting their origin document from GC.
+Build with '-fsanitize=address' or test with 'valgrind' or '-m'.
+--FILE--
+<?php
+$document = new DOMDocument;
+$xpath = new DOMXPath($document);
+$xpath->registerNamespace("my", "my.ns");
+$xpath->registerPHPFunctionNS('my.ns', 'include', function(): DOMElement {
+    $includedDocument = new DOMDocument;
+    $includedDocument->loadXML('<root><uaf/><node/><uaf/></root>');
+    return $includedDocument->documentElement;
+});
+$nodeset = $xpath->query('my:include()/uaf');
+$node = $nodeset->item(0);
+var_dump($nodeset->length);
+var_dump($node->ownerDocument->saveXML($node));
+?>
+--EXPECT--
+int(2)
+string(6) "<uaf/>"