[pull] master from php:master

.github/CODEOWNERS

@@ -29,15 +29,16 @@
 /ext/json @bukka
 /ext/libxml @nielsdos
 /ext/mbstring @alexdowad @youkidearitai
-/ext/mysqlnd @SakiTakamachi
+/ext/mysqli @bukka @kamil-tekiela
+/ext/mysqlnd @bukka @kamil-tekiela @SakiTakamachi
 /ext/odbc @NattyNarwhal
 /ext/opcache @dstogov
 /ext/openssl @bukka
 /ext/pcntl @devnexen
 /ext/pdo @SakiTakamachi
 /ext/pdo_dblib @SakiTakamachi
 /ext/pdo_firebird @SakiTakamachi
-/ext/pdo_mysql @SakiTakamachi
+/ext/pdo_mysql @kamil-tekiela @SakiTakamachi
 /ext/pdo_odbc @NattyNarwhal @SakiTakamachi
 /ext/pdo_pgsql @devnexen @SakiTakamachi
 /ext/pdo_sqlite @SakiTakamachi

ext/dom/php_dom.c

@@ -1465,6 +1465,10 @@ void dom_namednode_iter(dom_object *basenode, int ntype, dom_object *intern, xml
 	mapptr->baseobj = basenode;
 	mapptr->nodetype = ntype;
 	mapptr->ht = ht;
+	if (EXPECTED(doc != NULL)) {
+		mapptr->dict = doc->dict;
+		xmlDictReference(doc->dict);
+	}
 
 	const xmlChar* tmp;
 
@@ -1578,6 +1582,7 @@ void dom_nnodemap_objects_free_storage(zend_object *object) /* {{{ */
 		if (!Z_ISUNDEF(objmap->baseobj_zv)) {
 			zval_ptr_dtor(&objmap->baseobj_zv);
 		}
+		xmlDictFree(objmap->dict);
 		efree(objmap);
 		intern->ptr = NULL;
 	}
@@ -1609,6 +1614,7 @@ zend_object *dom_nnodemap_objects_new(zend_class_entry *class_type)
 	objmap->cached_length = -1;
 	objmap->cached_obj = NULL;
 	objmap->cached_obj_index = 0;
+	objmap->dict = NULL;
 
 	return &intern->std;
 }

ext/dom/php_dom.h

@@ -88,6 +88,7 @@ typedef struct dom_nnodemap_object {
 	php_libxml_cache_tag cache_tag;
 	dom_object *cached_obj;
 	zend_long cached_obj_index;
+	xmlDictPtr dict;
 	bool free_local : 1;
 	bool free_ns : 1;
 } dom_nnodemap_object;

ext/dom/tests/gh16906.phpt

@@ -0,0 +1,17 @@
+--TEST--
+GH-16906 (Reloading document can cause UAF in iterator)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+$doc = new DOMDocument;
+$doc->loadXML('<?xml version="1.0"?><span><strong id="1"/><strong id="2"/></span>');
+$list = $doc->getElementsByTagName('strong');
+$doc->load(__DIR__."/book.xml");
+var_dump($list);
+?>
+--EXPECT--
+object(DOMNodeList)#2 (1) {
+  ["length"]=>
+  int(0)
+}

ext/mysqli/tests/fake_server.inc

@@ -552,8 +552,8 @@ class my_mysqli_fake_server_conn
 
     public function read($bytes_len = 1024)
     {
-        // wait 10ms to fill the buffer
-        usleep(10000);
+        // wait 20ms to fill the buffer
+        usleep(20000);
         $data = fread($this->conn, $bytes_len);
         if ($data) {
             fprintf(STDERR, "[*] Received: %s\n", bin2hex($data));

ext/mysqli/tests/ghsa-h35g-vwh6-m678-auth-message.phpt

@@ -6,7 +6,7 @@ mysqli
 <?php
 require_once 'fake_server.inc';
 
-$port = 50001;
+$port = 33305;
 $servername = "127.0.0.1";
 $username = "root";
 $password = "";
@@ -34,5 +34,5 @@ print "done!";
 [*] Sending - Malicious OK Auth Response [Extract heap through buffer over-read]: 0900000200000002000000fcff
 
 Warning: mysqli::__construct(): OK packet message length is past the packet size in %s on line %d
-Unknown error while trying to connect via tcp://127.0.0.1:50001
+Unknown error while trying to connect via tcp://127.0.0.1:33305
 done!