From 785bcb5dd5980a4f3173ab0b80c70a5602bc9339 Mon Sep 17 00:00:00 2001
From: vi3tL0u1s <luuviethoang.attt@gmail.com>
Date: Sun, 3 May 2026 20:02:21 +0200
Subject: [PATCH 05/10] GHSA-wm6j-2649-pv75: [mbstring] Fix null pointer
dereference in php_mb_check_encoding() via mb_ereg_search_init()
Fixes GHSA-wm6j-2649-pv75
Fixes CVE-2026-7259
(cherry picked from commit 79a054eae016c56409432e69aebc8ca908a88838)
---
Zend/tests/GHSA-wm6j-2649-pv75.phpt | 22 ++++++++++++++++++++++
ext/mbstring/php_mbregex.c | 7 ++++++-
2 files changed, 28 insertions(+), 1 deletion(-)
create mode 100644 Zend/tests/GHSA-wm6j-2649-pv75.phpt
diff --git a/Zend/tests/GHSA-wm6j-2649-pv75.phpt b/Zend/tests/GHSA-wm6j-2649-pv75.phpt
new file mode 100644
index 00000000000..7257af27cb8
--- /dev/null
+++ b/Zend/tests/GHSA-wm6j-2649-pv75.phpt
@@ -0,0 +1,22 @@
+--TEST--
+GHSA-wm6j-2649-pv75: Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()
+--CREDITS--
+vi3tL0u1s
+--EXTENSIONS--
+mbstring
+--SKIPIF--
+<?php
+if (!function_exists('mb_regex_encoding')) die('skip No mbregex support');
+?>
+--FILE--
+<?php
+// iso-8859-11 is supported by Oniguruma but not by mbfl
+mb_regex_encoding('iso-8859-11');
+mb_ereg_search_init('x');
+?>
+--EXPECTF--
+Fatal error: Uncaught ValueError: mb_regex_encoding(): Argument #1 ($encoding) must be a valid encoding, "iso-8859-11" given in %s:%d
+Stack trace:
+#0 %s(%d): mb_regex_encoding('iso-8859-11')
+#1 {main}
+ thrown in %s on line %d
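Review bot: The script never reaches `mb_ereg_search_init('x')`, because the expected output is an uncaught ValueError from `mb_regex_encoding()` on the line before it, so the call named in the test title is not exercised. Catching the exception, e.g. `try { mb_regex_encoding('iso-8859-11'); } catch (ValueError $e) { echo $e->getMessage(), "\n"; }`, would let the search call run against whatever encoding state is left behind and show directly that it no longer crashes. The file is also placed under Zend/tests although it only covers mbstring; a tests directory beside the extension source would be the more usual home.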
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index 06f65f5c567..0734011f9fb 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -409,8 +409,13 @@ int php_mb_regex_set_mbctype(const char *encname)
if (mbctype == ONIG_ENCODING_UNDEF) {
return FAILURE;
}
+ const mbfl_encoding *mbfl_enc = mbfl_name2encoding(encname);
+ if (mbfl_enc == NULL) {
+ /* Encoding supported by Oniguruma but not by mbfl */
+ return FAILURE;
+ }
MBREX(current_mbctype) = mbctype;
- MBREX(current_mbctype_mbfl_encoding) = mbfl_name2encoding(encname);
+ MBREX(current_mbctype_mbfl_encoding) = mbfl_enc;
return SUCCESS;
}
/* }}} */
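Review bot: The new comment in the `mbfl_enc == NULL` branch says why the name is refused but not the invariant the check protects, namely that `current_mbctype_mbfl_encoding` must never be NULL once `current_mbctype` has been set. I would state that in the comment, e.g. `/* Known to Oniguruma but not to mbfl: refuse it so current_mbctype_mbfl_encoding is never NULL */`. The guard covers only this setter; any other assignment to that field, and the dereference in php_mb_check_encoding() named in the commit title, lie outside the hunk and should be confirmed against the same invariant. Names that Oniguruma accepts but mbfl does not were presumably accepted by this function before and now return FAILURE, which is a visible behaviour change worth a changelog line. The opening of php_mb_regex_set_mbctype() is outside the hunk.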
--
2.54.0