From aed3e63e282235b32a07ca28cc20728eedfcfec3 Mon Sep 17 00:00:00 2001 From: Ilija Tovilo Date: Sat, 25 Apr 2026 00:44:37 +0200 Subject: [PATCH 03/10] GHSA-hmxp-6pc4-f3vv: [soap] Fix broken Apache map value NULL check Fixes GHSA-hmxp-6pc4-f3vv Fixes CVE-2026-7262 (cherry picked from commit 79551ab8b1a97760c739e372f9bc359619f3554d) --- ext/soap/php_encoding.c | 2 +- ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt | 39 +++++++++++++++++++++++++ 2 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c index bf394f7ea92..9bd6f50834e 100644 --- a/ext/soap/php_encoding.c +++ b/ext/soap/php_encoding.c @@ -2711,7 +2711,7 @@ static zval *to_zval_map(zval *ret, encodeTypePtr type, xmlNodePtr data) } xmlValue = get_node(item->children, "value"); - if (!xmlKey) { + if (!xmlValue) { soap_error0(E_ERROR, "Encoding: Can't decode apache map, missing value"); } diff --git a/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt b/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt new file mode 100644 index 00000000000..e46ab2e4607 --- /dev/null +++ b/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt @@ -0,0 +1,39 @@ +--TEST-- +GHSA-hmxp-6pc4-f3vv: Null pointer dereference on missing Apache map value +--CREDITS-- +Ilia Alshanetsky (iliaal) +--EXTENSIONS-- +soap +--FILE-- + + + + + + + hello + + + + +XML; + +$server = new SoapServer(null, [ + 'uri' => 'urn:test', + 'typemap' => [['type_name' => 'anything']], +]); +$server->addFunction('test'); +function test($m) { return null; } +$server->handle($request); + +?> +--EXPECT-- + +SOAP-ENV:ServerSOAP-ERROR: Encoding: Can't decode apache map, missing value -- 2.54.0