From 15064460d6682766f91c1a841d27cdfbc38907e8 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Sun, 3 May 2026 19:56:53 +0200
Subject: [PATCH 01/10] GHSA-85c2-q967-79q5: [soap] Fix stale
 SOAP_GLOBAL(ref_map) pointer with Apache Map

Fixes GHSA-85c2-q967-79q5
Fixes CVE-2026-6722

(cherry picked from commit aee3b3ac9b816b0def1c462695b483b49a83148e)
---
 ext/soap/php_encoding.c                 |  3 +-
 ext/soap/tests/GHSA-85c2-q967-79q5.phpt | 61 +++++++++++++++++++++++++
 2 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 ext/soap/tests/GHSA-85c2-q967-79q5.phpt

diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
index 4d389a8c585..bf394f7ea92 100644
--- a/ext/soap/php_encoding.c
+++ b/ext/soap/php_encoding.c
@@ -365,6 +365,7 @@ static bool soap_check_xml_ref(zval *data, xmlNodePtr node)
 static void soap_add_xml_ref(zval *data, xmlNodePtr node)
 {
 	if (SOAP_GLOBAL(ref_map)) {
+		Z_TRY_ADDREF_P(data);
 		zend_hash_index_update(SOAP_GLOBAL(ref_map), (zend_ulong)node, data);
 	}
 }
@@ -3437,7 +3438,7 @@ void encode_reset_ns()
 	} else {
 		SOAP_GLOBAL(ref_map) = emalloc(sizeof(HashTable));
 	}
-	zend_hash_init(SOAP_GLOBAL(ref_map), 0, NULL, NULL, 0);
+	zend_hash_init(SOAP_GLOBAL(ref_map), 0, NULL, ZVAL_PTR_DTOR, 0);
 }
 
 void encode_finish()
diff --git a/ext/soap/tests/GHSA-85c2-q967-79q5.phpt b/ext/soap/tests/GHSA-85c2-q967-79q5.phpt
new file mode 100644
index 00000000000..8bcac26ad18
--- /dev/null
+++ b/ext/soap/tests/GHSA-85c2-q967-79q5.phpt
@@ -0,0 +1,61 @@
+--TEST--
+GHSA-85c2-q967-79q5: Stale SOAP_GLOBAL(ref_map) pointer with Apache Map
+--CREDITS--
+brettgervasoni
+--EXTENSIONS--
+soap
+--FILE--
+<?php
+
+class Handler {
+    public function test(...$args) {
+        $GLOBALS['result'] = $args;
+    }
+}
+
+$envelope = <<<'XML'
+<?xml version="1.0" encoding="UTF-8"?>
+<soapenv:Envelope
+    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+
+    <soapenv:Body>
+        <test>
+            <map xsi:type="apache:Map" xmlns:apache="http://xml.apache.org/xml-soap">
+                <item>
+                    <key>foo</key>
+                    <value id="stale"><object>bar</object></value>
+                </item>
+                <item>
+                    <key>foo</key>
+                    <value>baz</value>
+                </item>
+            </map>
+            <stale href="#stale"/>
+        </test>
+    </soapenv:Body>
+</soapenv:Envelope>
+XML;
+
+$s = new SoapServer(null, ['uri' => 'urn:a']);
+$s->setClass(Handler::class);
+$s->handle($envelope);
+var_dump($result);
+
+?>
+--EXPECTF--
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:a" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:testResponse><return xsi:nil="true"/></ns1:testResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>
+array(2) {
+  [0]=>
+  array(1) {
+    ["foo"]=>
+    string(3) "baz"
+  }
+  [1]=>
+  object(stdClass)#%d (1) {
+    ["object"]=>
+    string(3) "bar"
+  }
+}
-- 
2.54.0