From 1d5089e5740b6831485b17bddf482f4d91894305 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Mon, 30 Jun 2025 18:48:27 +0200 Subject: [PATCH] Fix GH-18979: DOM\XMLDocument::createComment() triggers undefined behavior with null byte Closes GH-18983. --- NEWS | 4 ++++ ext/dom/tests/modern/xml/gh18979.phpt | 13 +++++++++++++ ext/dom/xml_serializer.c | 6 +++++- 3 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 ext/dom/tests/modern/xml/gh18979.phpt diff --git a/NEWS b/NEWS index 1af91056238..6bc566be390 100644 --- a/NEWS +++ b/NEWS @@ -14,6 +14,10 @@ PHP NEWS . Fix memory leaks when returning refcounted value from curl callback. (nielsdos) +- DOM: + . Fixed bug GH-18979 (Dom\XMLDocument::createComment() triggers undefined + behavior with null byte). (nielsdos) + - LDAP: . Fixed GH-18902 ldap_exop/ldap_exop_sync assert triggered on empty request OID. (David Carlier) diff --git a/ext/dom/tests/modern/xml/gh18979.phpt b/ext/dom/tests/modern/xml/gh18979.phpt new file mode 100644 index 00000000000..3a90bd58377 --- /dev/null +++ b/ext/dom/tests/modern/xml/gh18979.phpt @@ -0,0 +1,13 @@ +--TEST-- +GH-18979 (DOM\XMLDocument::createComment() triggers undefined behavior with null byte) +--EXTENSIONS-- +dom +--FILE-- +createElement("container"); +$container->append($dom->createComment("\0")); +var_dump($container->innerHTML); +?> +--EXPECT-- +string(7) "" diff --git a/ext/dom/xml_serializer.c b/ext/dom/xml_serializer.c index debbb41fdad..a4b46082b0e 100644 --- a/ext/dom/xml_serializer.c +++ b/ext/dom/xml_serializer.c 
@@ -640,7 +640,11 @@ static int dom_xml_serialize_comment_node(xmlOutputBufferPtr out, xmlNodePtr com
 const xmlChar *ptr = comment->content;
 if (ptr != NULL) {
 TRY(dom_xml_check_char_production(ptr));
- if (strstr((const char *) ptr, "--") != NULL || ptr[strlen((const char *) ptr) - 1] == '-') {
+ if (strstr((const char *) ptr, "--") != NULL) {
+ return -1;
+ }
+ size_t len = strlen((const char *) ptr);
+ if (len > 0 && ptr[len - 1] == '-') {
 return -1;
 }
 }
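Review bot: The `len > 0` guard is the substance of the fix — with an empty content string the old condition evaluated `ptr[strlen(ptr) - 1]`, i.e. `ptr[-1]`, an out-of-bounds read — but nothing in the new lines records why the guard is there, so a later cleanup could fold it back into the first condition and reintroduce the bug. A one-line comment above `size_t len = strlen((const char *) ptr);` would preserve the reasoning, e.g. `/* content may be empty (a "\0" comment is stored as ""), so check the length before reading the last byte */`. Note also that `strstr`/`strlen` only inspect bytes up to the first NUL; this appears to be fine because the comment content is handled as a NUL-terminated string (the test expects a 7-byte serialization for a "\0" comment, consistent with the content being truncated to "" at creation), but it is worth confirming that no other path can leave an embedded NUL in `comment->content`. The enclosing `dom_xml_serialize_comment_node` starts and ends outside the hunk.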