
Null pointer dereference in DOM namespace node cloning via clone on malformed objects #20722

@vi3tL0u1s

Description

The following code:

<?php
// Construct every declared class with a single int argument (11) and clone
// the result. Any Throwable (constructor refusal, abstract/final class, wrong
// argument count, ...) is swallowed so the loop moves on to the next class.
foreach (get_declared_classes() as $class) {
   try {
      $clonedObj = clone new $class($t=11);
   } catch (Throwable) {}
}

Resulted in this output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==103221==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x561a8b12f64f bp 0x7fff95121c50 sp 0x7fff95121c10 T0)
==103221==The signal is caused by a READ memory access.
==103221==Hint: address points to the zero page.
    #0 0x561a8b12f64f in dom_object_namespace_node_clone_obj /path/to/php-src/ext/dom/php_dom.c:718
    #1 0x561a8c0e840d in ZEND_CLONE_SPEC_TMPVAR_HANDLER /path/to/php-src/Zend/zend_vm_execute.h:15825
    #2 0x561a8c1f5aac in execute_ex /path/to/php-src/Zend/zend_vm_execute.h:118365
    #3 0x561a8c203159 in zend_execute /path/to/php-src/Zend/zend_vm_execute.h:121924
    #4 0x561a8c371c91 in zend_execute_script /path/to/php-src/Zend/zend.c:1981
    #5 0x561a8bd8f300 in php_execute_script_ex /path/to/php-src/main/main.c:2645
    #6 0x561a8bd8f76b in php_execute_script /path/to/php-src/main/main.c:2685
    #7 0x561a8c377c12 in do_cli /path/to/php-src/sapi/cli/php_cli.c:951
    #8 0x561a8c37a382 in main /path/to/php-src/sapi/cli/php_cli.c:1362
    #9 0x7f4c7d5c0d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #10 0x7f4c7d5c0e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #11 0x561a8ae06eb4 in _start (/path/to/php-src/sapi/cli/php+0x606eb4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /path/to/php-src/ext/dom/php_dom.c:718 in dom_object_namespace_node_clone_obj
==103221==ABORTING

Commit

95abeba7490

Configurations

CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" ./configure --enable-debug --enable-address-sanitizer --disable-shared --with-pic

PHP Version

PHP 8.6.0-dev (cli) (built: Dec 18 2025 11:55:28) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.6.0-dev, Copyright (c) Zend Technologies
    with Zend OPcache v8.6.0-dev, Copyright (c), by Zend Technologies

Operating System

Ubuntu 22.04
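
Triage note and harness, added here as an editor's example; it is not part of the report above and not php-src code. What the trace shows: a READ fault at address 0x8 (ASan's "zero page" hint), i.e. a field read through a NULL pointer inside the clone handler dom_object_namespace_node_clone_obj, reached from `clone` on an object that the loop created with `new` rather than obtained from a parsed document. A NULL read is a crash (denial of service for any code path that lets untrusted input drive `new`/`clone` on that class), not a write primitive. The report's loop runs in one process, so the first engine-level crash ends the run without naming the class that triggered it. The script below repeats the same `clone new $class(11)` once per class in a separate PHP child process and lists every class whose child died without printing a sentinel, which makes it a reusable isolation harness for this whole family of "construct every class and poke it" reports. Assumptions that are mine, not the report's: PHP_BINARY is the build under test (run it with the sanitized CLI from the report), argv[1] is an optional class-name prefix filter such as `DOM` or `Dom\`, PHP 8.0+ (str_contains/str_starts_with), a POSIX host with /dev/null, and no per-child timeout, so a constructor that blocks will stall the run.

```php
<?php
/*
 * Added triage harness (editor's example, not php-src code and not the
 * reporter's script). Runs `clone new $class(11)` for each declared class
 * in its own PHP child process and reports the children that died without
 * printing the sentinel, so an uncatchable engine crash is attributed to
 * the exact class instead of ending the loop.
 */

const CLONE_SENTINEL = 'CLONE_OK';

/* Child body. The class name arrives as $argv[1]; proc_open's array form
   passes it without a shell, so namespaced names need no quoting. */
const CHILD_SCRIPT = <<<'PHP'
<?php
$class = $argv[1];
try {
    $obj = clone new $class(11);
} catch (Throwable $e) {
    // Refused construction or cloning is the normal, uninteresting case.
    // Only an engine-level fault (SEGV, ASan abort) prevents the sentinel.
}
echo "CLONE_OK\n";
PHP;

/** Runs the child for one class and describes how it ended. */
function clone_in_child(string $phpBinary, string $childScript, string $errFile, string $class): array
{
    $descriptors = [
        0 => ['file', '/dev/null', 'r'],
        1 => ['pipe', 'w'],
        2 => ['file', $errFile, 'w'],  // stderr to a file: no pipe deadlock on long ASan reports
    ];
    $proc = proc_open([$phpBinary, $childScript, $class], $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException("cannot start $phpBinary");
    }
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    while (($status = proc_get_status($proc))['running']) {
        usleep(5000);
    }
    proc_close($proc);

    $stderr = (string) @file_get_contents($errFile);
    $detail = '';
    foreach (explode("\n", $stderr) as $line) {
        if (str_starts_with(ltrim($line), 'SUMMARY:')) {  // ASan's one-line verdict, if any
            $detail = trim($line);
            break;
        }
    }
    if ($detail === '' && $stderr !== '') {
        $detail = trim(explode("\n", $stderr, 2)[0]);
    }
    return [
        'class'  => $class,
        'ok'     => str_contains($stdout, CLONE_SENTINEL),
        'signal' => $status['signaled'] ? $status['termsig'] : 0,  // raw SEGV without ASan
        'exit'   => $status['exitcode'],                            // ASan aborts with 1
        'detail' => $detail,
    ];
}

/** Returns the results for every class (optionally limited to a name prefix) whose child did not survive. */
function triage(string $phpBinary, ?string $prefix = null): array
{
    $childScript = tempnam(sys_get_temp_dir(), 'clone-child-');
    $errFile     = tempnam(sys_get_temp_dir(), 'clone-err-');
    file_put_contents($childScript, CHILD_SCRIPT);

    $crashes = [];
    try {
        foreach (get_declared_classes() as $class) {
            if ($prefix !== null && !str_starts_with($class, $prefix)) {
                continue;
            }
            $result = clone_in_child($phpBinary, $childScript, $errFile, $class);
            if (!$result['ok']) {
                $crashes[] = $result;
            }
        }
    } finally {
        @unlink($childScript);
        @unlink($errFile);
    }
    return $crashes;
}

$prefix = $argv[1] ?? null;
foreach (triage(PHP_BINARY, $prefix) as $r) {
    printf("%-40s signal=%d exit=%d %s\n", $r['class'], $r['signal'], $r['exit'], $r['detail']);
}
```

Run it with the sanitized CLI from the report (`/path/to/php-src/sapi/cli/php triage.php DOM`, then again with `Dom\` for the newer namespaced classes) and it prints one line per class whose child died, with ASan's SUMMARY line when present; that line is the minimal reproducer to put in the report, since `clone new ThatClass(11)` on its own should then reproduce the trace above. The sentinel, rather than the exit status, decides "survived", because an ASan build exits with status 1 on abort while a plain build dies with a signal, and proc_get_status reports those two cases in different fields.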
