From 785bcb5dd5980a4f3173ab0b80c70a5602bc9339 Mon Sep 17 00:00:00 2001
From: vi3tL0u1s
Date: Sun, 3 May 2026 20:02:21 +0200
Subject: [PATCH 05/10] GHSA-wm6j-2649-pv75: [mbstring] Fix null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()

Fixes GHSA-wm6j-2649-pv75
Fixes CVE-2026-7259
(cherry picked from commit 79a054eae016c56409432e69aebc8ca908a88838)
---
 Zend/tests/GHSA-wm6j-2649-pv75.phpt | 22 ++++++++++++++++++++++
 ext/mbstring/php_mbregex.c | 7 ++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/GHSA-wm6j-2649-pv75.phpt
diff --git a/Zend/tests/GHSA-wm6j-2649-pv75.phpt b/Zend/tests/GHSA-wm6j-2649-pv75.phpt
new file mode 100644
index 00000000000..7257af27cb8
--- /dev/null
+++ b/Zend/tests/GHSA-wm6j-2649-pv75.phpt
@@ -0,0 +1,22 @@
+--TEST--
+GHSA-wm6j-2649-pv75: Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()
+--CREDITS--
+vi3tL0u1s
+--EXTENSIONS--
+mbstring
+--SKIPIF--
+
+--FILE--
+
+--EXPECTF--
+Fatal error: Uncaught ValueError: mb_regex_encoding(): Argument #1 ($encoding) must be a valid encoding, "iso-8859-11" given in %s:%d
+Stack trace:
+#0 %s(%d): mb_regex_encoding('iso-8859-11')
+#1 {main}
+ thrown in %s on line %d
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index 06f65f5c567..0734011f9fb 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -409,8 +409,13 @@ int php_mb_regex_set_mbctype(const char *encname)
 if (mbctype == ONIG_ENCODING_UNDEF) {
 return FAILURE;
 }
+ const mbfl_encoding *mbfl_enc = mbfl_name2encoding(encname);
+ if (mbfl_enc == NULL) {
+ /* Encoding supported by Oniguruma but not by mbfl */
+ return FAILURE;
+ }
 MBREX(current_mbctype) = mbctype;
- MBREX(current_mbctype_mbfl_encoding) = mbfl_name2encoding(encname);
+ MBREX(current_mbctype_mbfl_encoding) = mbfl_enc;
 return SUCCESS;
 }
 /* }}} */
--
2.54.0
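Review bot: The regression test for an ext/mbstring fix is created under `Zend/tests/`, although its `--EXTENSIONS--` section names mbstring. Placing it in `ext/mbstring/tests/` would keep it with the rest of that extension's tests, so it is picked up when only the mbstring suite is run.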
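Review bot: The new NULL check guards only this setter, while the crash named in the commit subject happens later, where `MBREX(current_mbctype_mbfl_encoding)` is dereferenced. Any other assignment to that field (initialisation or reset paths, none visible in this hunk) needs the same guarantee and is worth auditing. I would state the invariant in the comment at the check, e.g. `/* Oniguruma knows this encoding but mbfl does not; current_mbctype_mbfl_encoding must never be NULL, php_mb_check_encoding() dereferences it */`. Going by the test expectation, "iso-8859-11" now returns FAILURE and surfaces as a ValueError from `mb_regex_encoding()`; if that name was accepted before, this is a user-visible change that probably deserves a NEWS/UPGRADING entry. The opening of `php_mb_regex_set_mbctype()` lies outside the hunk.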