Fix #79451: DOMDocument->replaceChild on doctype causes double free

We have to reset intSubset if replacing doctype with another doctype node.

Closes GH-9201.
Closes GH-9376.

Author: NathanFreeman

NEWS

@@ -6,6 +6,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function)
     (Tim Starling)
 
+- DOM:
+  . Fixed bug #79451 (DOMDocument->replaceChild on doctype causes double free).
+    (Nathan Freeman)
+
 - Streams:
   . Fixed bug GH-9316 ($http_response_header is wrong for long status line).
     (cmb, timwolla)

ext/dom/node.c

@@ -20,6 +20,7 @@
 #endif
 
 #include "php.h"
+
 #if defined(HAVE_LIBXML) && defined(HAVE_DOM)
 #include "php_dom.h"
 
@@ -1001,6 +1002,7 @@ PHP_METHOD(DOMNode, replaceChild)
 	xmlNodePtr children, newchild, oldchild, nodep;
 	dom_object *intern, *newchildobj, *oldchildobj;
 	int foundoldchild = 0, stricterror;
+	bool replacedoctype = false;
 
 	int ret;
 
@@ -1063,13 +1065,21 @@ PHP_METHOD(DOMNode, replaceChild)
 				dom_reconcile_ns(nodep->doc, newchild);
 			}
 		} else if (oldchild != newchild) {
+			xmlDtdPtr intSubset = xmlGetIntSubset(nodep->doc);
+			replacedoctype = (intSubset == (xmlDtd *) oldchild);
+
 			if (newchild->doc == NULL && nodep->doc != NULL) {
 				xmlSetTreeDoc(newchild, nodep->doc);
 				newchildobj->document = intern->document;
 				php_libxml_increment_doc_ref((php_libxml_node_object *)newchildobj, NULL);
 			}
+
 			xmlReplaceNode(oldchild, newchild);
 			dom_reconcile_ns(nodep->doc, newchild);
+
+			if (replacedoctype) {
+				nodep->doc->intSubset = (xmlDtd *) newchild;
+			}
 		}
 		DOM_RET_OBJ(oldchild, &ret, intern);
 		return;