php-cve-2026-7262.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83

From b1bc3b191eb9ff6ca90f90572ba8fac016163fe9 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Sat, 25 Apr 2026 00:44:37 +0200
Subject: [PATCH 3/6] GHSA-hmxp-6pc4-f3vv: [soap] Fix broken Apache map value
 NULL check

Fixes GHSA-hmxp-6pc4-f3vv
Fixes CVE-2026-7262

(cherry picked from commit 79551ab8b1a97760c739e372f9bc359619f3554d)
(cherry picked from commit aed3e63e282235b32a07ca28cc20728eedfcfec3)
(cherry picked from commit 8c897384b867a573d52a04b455fe2da30671d0ea)
(cherry picked from commit b41a11a9786cc5b6b343b47c37ad8c1fdc2dbf33)
(cherry picked from commit 254773b5b1d0ef25409c35e74b87c5ef93459115)
(cherry picked from commit c21561700dcfc3304322845c2d3da028c3c73345)
(cherry picked from commit 16c2b25d363d73d72a3139e747cc9d5c8d5bef2b)
---
 ext/soap/php_encoding.c                 |  2 +-
 ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt | 39 +++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt

diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
index 40fba95980a..d88dba76228 100644
--- a/ext/soap/php_encoding.c
+++ b/ext/soap/php_encoding.c
@@ -2757,7 +2757,7 @@ static zval *to_zval_map(zval *ret, encodeTypePtr type, xmlNodePtr data)
 			}
 
 			xmlValue = get_node(item->children, "value");
-			if (!xmlKey) {
+			if (!xmlValue) {
 				soap_error0(E_ERROR,  "Encoding: Can't decode apache map, missing value");
 			}
 
diff --git a/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt b/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
new file mode 100644
index 00000000000..e46ab2e4607
--- /dev/null
+++ b/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
@@ -0,0 +1,39 @@
+--TEST--
+GHSA-hmxp-6pc4-f3vv: Null pointer dereference on missing Apache map value
+--CREDITS--
+Ilia Alshanetsky (iliaal)
+--EXTENSIONS--
+soap
+--FILE--
+<?php
+
+$request = <<<XML
+<?xml version="1.0" encoding="UTF-8"?>
+<soap:Envelope
+    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+    xmlns:apache="http://xml.apache.org/xml-soap">
+
+    <soap:Body>
+        <test>
+            <map xsi:type="apache:Map">
+                <item><key>hello</key></item>
+            </map>
+        </test>
+    </soap:Body>
+</soap:Envelope>
+XML;
+
+$server = new SoapServer(null, [
+    'uri' => 'urn:test',
+    'typemap' => [['type_name' => 'anything']],
+]);
+$server->addFunction('test');
+function test($m) { return null; }
+$server->handle($request);
+
+?>
+--EXPECT--
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>SOAP-ERROR: Encoding: Can't decode apache map, missing value</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
-- 
2.54.0