diff --git a/ext/dom/tests/gh22077.phpt b/ext/dom/tests/gh22077.phpt
new file mode 100644
index 000000000000..fd4e42cc8aaf
--- /dev/null
+++ b/ext/dom/tests/gh22077.phpt
@@ -0,0 +1,20 @@
+--TEST--
+GH-22077 (UAF in custom XPath function)
+--FILE--
+registerNamespace("my", "my.ns");
+$xpath->registerPHPFunctionNS('my.ns', 'include', function(): DOMElement {
+ $includedDocument = new DOMDocument;
+ $includedDocument->loadXML('');
+ return $includedDocument->documentElement;
+});
+$nodeset = $xpath->query('my:include()/uaf');
+$node = $nodeset->item(0);
+var_dump($nodeset->length);
+var_dump($node->ownerDocument->saveXML($node));
+?>
+--EXPECT--
+int(2)
+string(6) ""
diff --git a/ext/dom/xpath.c b/ext/dom/xpath.c
index 21baa59ffed0..199dc96af40e 100644
--- a/ext/dom/xpath.c
+++ b/ext/dom/xpath.c
@@ -35,6 +35,24 @@
#ifdef LIBXML_XPATH_ENABLED
+static dom_object *dom_xpath_intern_for_doc(dom_xpath_object *xpath_obj, xmlDocPtr doc)
+{
+ if (xpath_obj->dom.document && xpath_obj->dom.document->ptr == doc) {
+ return &xpath_obj->dom;
+ }
+ HashTable *node_list = xpath_obj->xpath_callbacks.node_list;
+ if (node_list) {
+ zval *entry;
+ ZEND_HASH_PACKED_FOREACH_VAL(node_list, entry) {
+ dom_object *obj = Z_DOMOBJ_P(entry);
+ if (obj->document && obj->document->ptr == doc) {
+ return obj;
+ }
+ } ZEND_HASH_FOREACH_END();
+ }
+ return &xpath_obj->dom;
+}
+
void dom_xpath_objects_free_storage(zend_object *object)
{
dom_xpath_object *intern = php_xpath_obj_from_obj(object);
@@ -357,7 +375,8 @@ static void php_xpath_eval(INTERNAL_FUNCTION_PARAMETERS, int type, bool modern)
node = php_dom_create_fake_namespace_decl(nsparent, original, &child, parent_intern);
} else {
- php_dom_create_object(node, &child, &intern->dom);
+ dom_object *parent = dom_xpath_intern_for_doc(intern, node->doc);
+ php_dom_create_object(node, &child, parent);
}
add_next_index_zval(&retval, &child);
}