From 6083dc09a3d760074941c17e7eb10e606768a5fe Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Fri, 7 Mar 2025 17:37:40 +0100
Subject: [PATCH] Fix GH-17991: Assertion failure dom_attr_value_write

Closes GH-17995.
---
 NEWS                       |  3 +++
 ext/dom/php_dom.c          |  7 ++++---
 ext/dom/tests/gh17991.phpt | 28 ++++++++++++++++++++++++++++
 3 files changed, 35 insertions(+), 3 deletions(-)
 create mode 100644 ext/dom/tests/gh17991.phpt

diff --git a/NEWS b/NEWS
index 77446730edb..34f75683d71 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,9 @@ PHP                                                                        NEWS
   . Fixed bug GH-17913 (ReflectionFunction::isDeprecated() returns incorrect
     results for closures created from magic __call()). (timwolla)
 
+- DOM:
+  . Fixed bug GH-17991 (Assertion failure dom_attr_value_write). (nielsdos)
+
 - Opcache:
   . Fixed bug GH-15834 (Segfault with hook "simple get" cache slot and minimal
     JIT). (nielsdos)
diff --git a/ext/dom/php_dom.c b/ext/dom/php_dom.c
index f84f17fee2e..819d22712eb 100644
--- a/ext/dom/php_dom.c
+++ b/ext/dom/php_dom.c
@@ -372,13 +372,14 @@ static zend_always_inline const dom_prop_handler *dom_get_prop_handler(const dom
 
 	if (obj->prop_handler != NULL) {
 		if (cache_slot && *cache_slot == obj->prop_handler) {
-			hnd = *(cache_slot + 1);
+			hnd = cache_slot[1];
 		}
 		if (!hnd) {
 			hnd = zend_hash_find_ptr(obj->prop_handler, name);
 			if (cache_slot) {
-				*cache_slot = obj->prop_handler;
-				*(cache_slot + 1) = (void *) hnd;
+				cache_slot[0] = obj->prop_handler;
+				cache_slot[1] = (void *) hnd;
+				cache_slot[2] = NULL;
 			}
 		}
 	}
diff --git a/ext/dom/tests/gh17991.phpt b/ext/dom/tests/gh17991.phpt
new file mode 100644
index 00000000000..4fc2c5b4ec1
--- /dev/null
+++ b/ext/dom/tests/gh17991.phpt
@@ -0,0 +1,28 @@
+--TEST--
+GH-17991 (Assertion failure dom_attr_value_write)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+$attr = new DOMAttr("r", "iL");
+class Box {
+    public ?Test $value;
+}
+class Test {
+}
+function test($box) {
+    var_dump($box->value = new Test);
+}
+$box = new Box();
+test($box);
+test($attr);
+?>
+--EXPECTF--
+object(Test)#%d (0) {
+}
+
+Fatal error: Uncaught TypeError: Cannot assign Test to property DOMAttr::$value of type string in %s:%d
+Stack trace:
+#0 %s(%d): test(Object(DOMAttr))
+#1 {main}
+  thrown in %s on line %d