From f91bcf961ac15eacabf33f86f62c17dbec4a39ab Mon Sep 17 00:00:00 2001
From: Ilija Tovilo
Date: Sun, 3 May 2026 19:57:16 +0200
Subject: [PATCH 2/6] GHSA-m33r-qmcv-p97q: [soap] Fix use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
Fixes GHSA-m33r-qmcv-p97q
Fixes CVE-2026-7261
(cherry picked from commit db2a7f9348fd5dda5fd162061786a664c417bf5b)
(cherry picked from commit 5dd8dd8493d49bb6fcd810a6e9d2ffb6fdc15714)
(cherry picked from commit 63cf032e9675d7d2bbc007c8c787597187a7567b)
(cherry picked from commit dd14d36e31dd99b7589f917924840fe4f46ca022)
(cherry picked from commit 7b354983a33c314b76c594c9c5b790e3b073dcf1)
adapt test for 7.2
---
 ext/soap/soap.c | 12 ++++-
 ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt | 60 +++++++++++++++++++++++++
 2 files changed, 70 insertions(+), 2 deletions(-)
 create mode 100644 ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
diff --git a/ext/soap/soap.c b/ext/soap/soap.c
index 4cf0323a0a..6ffd7cdd35 100644
--- a/ext/soap/soap.c
+++ b/ext/soap/soap.c
@@ -1824,13 +1824,21 @@ PHP_METHOD(SoapServer, handle)
 php_output_discard();
 soap_server_fault_ex(function, &h->retval, h);
 efree(fn_name);
- if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);}
+ if (service->type == SOAP_CLASS && soap_obj) {
+ if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) {
+ zval_ptr_dtor(soap_obj);
+ }
+ }
 goto fail;
 } else if (EG(exception)) {
 php_output_discard();
 _soap_server_exception(service, function, getThis());
 efree(fn_name);
- if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);}
+ if (service->type == SOAP_CLASS && soap_obj) {
+ if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) {
+ zval_ptr_dtor(soap_obj);
+ }
+ }
 goto fail;
 }
 } else if (h->mustUnderstand) {
diff --git a/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt b/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
new file mode 100644
index 0000000000..6e4e9e75fb
--- /dev/null
+++ b/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
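Review bot: The guard against releasing a session-persisted object is written out twice in the ext/soap/soap.c hunk, in the fault branch and again in the `EG(exception)` branch, and neither copy says why `zval_ptr_dtor(soap_obj)` must be skipped there. Because the defect being fixed is a cleanup path that lacked this condition, I would write each one as a single test, `if (service->type == SOAP_CLASS && soap_obj && service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) { zval_ptr_dtor(soap_obj); }`, with a one-line comment naming who still references the object under session persistence; the hunk does not show that, so the wording should be checked against the code that assigns `soap_obj`. `PHP_METHOD(SoapServer, handle)` starts and ends outside the hunk, so any other exit that releases `soap_obj` should be audited for the same condition.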
@@ -0,0 +1,60 @@ +--TEST-- +GHSA-m33r-qmcv-p97q: Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION +--CREDITS-- +Ilia Alshanetsky (iliaal) +--EXTENSIONS-- +soap +session +--FILE-- + 'urn:a']); +$srv->setClass(Handler::class); +$srv->setPersistence(SOAP_PERSISTENCE_SESSION); + +$x = << + + + + + + + + +XML; +$srv->handle($x); + +$x = << + + + + + + + + +XML; +$srv->handle($x); + +?> +--EXPECT-- + +SOAP-ENV:Serverdenied + +SOAP-ENV:Serverdenied -- 2.54.0