diff options
| author | Remi Collet <remi@remirepo.net> | 2026-05-07 10:15:48 +0200 |
|---|---|---|
| committer | Remi Collet <remi@php.net> | 2026-05-07 10:15:48 +0200 |
| commit | 544e29f1e739eb8ab335c130788d46161141d338 (patch) | |
| tree | ffdbfd2c6808eb9483c1c8e669714a30b691e7a6 /php-cve-2026-7259.patch | |
| parent | 77305ec39e7214bd36a29a98dffa6f1a74ec343f (diff) | |
CVE-2026-6735
Fix Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()
CVE-2026-7259
Fix SQL injection via NUL bytes in quoted strings
CVE-2025-14179
Fix Stale SOAP_GLOBAL(ref_map) pointer with Apache Map
CVE-2026-6722
Fix Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
CVE-2026-7261
Fix Broken Apache map value NULL check
CVE-2026-7262
Fix Signed integer overflow of char array offset
CVE-2026-7568
Fix Consistently pass unsigned char to ctype.h functions
CVE-2026-7258
Diffstat (limited to 'php-cve-2026-7259.patch')
| -rw-r--r-- | php-cve-2026-7259.patch | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/php-cve-2026-7259.patch b/php-cve-2026-7259.patch new file mode 100644 index 0000000..13393af --- /dev/null +++ b/php-cve-2026-7259.patch @@ -0,0 +1,66 @@ +From 785bcb5dd5980a4f3173ab0b80c70a5602bc9339 Mon Sep 17 00:00:00 2001 +From: vi3tL0u1s <luuviethoang.attt@gmail.com> +Date: Sun, 3 May 2026 20:02:21 +0200 +Subject: [PATCH 05/10] GHSA-wm6j-2649-pv75: [mbstring] Fix null pointer + dereference in php_mb_check_encoding() via mb_ereg_search_init() + +Fixes GHSA-wm6j-2649-pv75 +Fixes CVE-2026-7259 + +(cherry picked from commit 79a054eae016c56409432e69aebc8ca908a88838) +--- + Zend/tests/GHSA-wm6j-2649-pv75.phpt | 22 ++++++++++++++++++++++ + ext/mbstring/php_mbregex.c | 7 ++++++- + 2 files changed, 28 insertions(+), 1 deletion(-) + create mode 100644 Zend/tests/GHSA-wm6j-2649-pv75.phpt + +diff --git a/Zend/tests/GHSA-wm6j-2649-pv75.phpt b/Zend/tests/GHSA-wm6j-2649-pv75.phpt +new file mode 100644 +index 00000000000..7257af27cb8 +--- /dev/null ++++ b/Zend/tests/GHSA-wm6j-2649-pv75.phpt +@@ -0,0 +1,22 @@ ++--TEST-- ++GHSA-wm6j-2649-pv75: Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init() ++--CREDITS-- ++vi3tL0u1s ++--EXTENSIONS-- ++mbstring ++--SKIPIF-- ++<?php ++if (!function_exists('mb_regex_encoding')) die('skip No mbregex support'); ++?> ++--FILE-- ++<?php ++// iso-8859-11 is supported by Oniguruma but not by mbfl ++mb_regex_encoding('iso-8859-11'); ++mb_ereg_search_init('x'); ++?> ++--EXPECTF-- ++Fatal error: Uncaught ValueError: mb_regex_encoding(): Argument #1 ($encoding) must be a valid encoding, "iso-8859-11" given in %s:%d ++Stack trace: ++#0 %s(%d): mb_regex_encoding('iso-8859-11') ++#1 {main} ++ thrown in %s on line %d +diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c +index 06f65f5c567..0734011f9fb 100644 +--- a/ext/mbstring/php_mbregex.c ++++ b/ext/mbstring/php_mbregex.c +@@ -409,8 +409,13 @@ int php_mb_regex_set_mbctype(const char *encname) + if (mbctype == ONIG_ENCODING_UNDEF) { + return FAILURE; + } ++ const mbfl_encoding *mbfl_enc = mbfl_name2encoding(encname); ++ if (mbfl_enc == NULL) { ++ /* Encoding supported by Oniguruma but not by mbfl */ ++ return FAILURE; ++ } + MBREX(current_mbctype) = mbctype; +- MBREX(current_mbctype_mbfl_encoding) = mbfl_name2encoding(encname); ++ MBREX(current_mbctype_mbfl_encoding) = mbfl_enc; + return SUCCESS; + } + /* }}} */ +-- +2.54.0 + |