- Fix XSS within status endpoint CVE-2026-6735 - Fix Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init() CVE-2026-7259 - Fix Stale SOAP_GLOBAL(ref_map) pointer with Apache Map CVE-2026-6722 - Fix Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION CVE-2026-7261 - Fix Broken Apache map value NULL check CVE-2026-7262 - Fix Signed integer overflow of char array offset CVE-2026-7568 - Fix Consistently pass unsigned char to ctype.h functions CVE-2026-7258 Resolves: RHEL-181025
From 4ed31ebb88b580446f2d70b760c29643fcfa0da5 Mon Sep 17 00:00:00 2001
From: vi3tL0u1s <luuviethoang.attt@gmail.com>
Date: Sun, 3 May 2026 20:02:21 +0200
Subject: [PATCH 05/10] GHSA-wm6j-2649-pv75: [mbstring] Fix null pointer
dereference in php_mb_check_encoding() via mb_ereg_search_init()
Fixes GHSA-wm6j-2649-pv75
Fixes CVE-2026-7259
(cherry picked from commit 79a054eae016c56409432e69aebc8ca908a88838)
(cherry picked from commit 785bcb5dd5980a4f3173ab0b80c70a5602bc9339)
---
Zend/tests/GHSA-wm6j-2649-pv75.phpt | 22 ++++++++++++++++++++++
ext/mbstring/php_mbregex.c | 7 ++++++-
2 files changed, 28 insertions(+), 1 deletion(-)
create mode 100644 Zend/tests/GHSA-wm6j-2649-pv75.phpt
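diff --git a/Zend/tests/GHSA-wm6j-2649-pv75.phpt b/Zend/tests/GHSA-wm6j-2649-pv75.phpt
new file mode 100644
index 0000000000..7257af27cb
--- /dev/null
+++ b/Zend/tests/GHSA-wm6j-2649-pv75.phpt
@@ -0,0 +1,22 @@
+--TEST--
+GHSA-wm6j-2649-pv75: Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()
+--CREDITS--
+vi3tL0u1s
+--EXTENSIONS--
+mbstring
+--SKIPIF--
+<?php
+if (!function_exists('mb_regex_encoding')) die('skip No mbregex support');
+?>
+--FILE--
+<?php
+// iso-8859-11 is supported by Oniguruma but not by mbfl
+mb_regex_encoding('iso-8859-11');
+mb_ereg_search_init('x');
+?>
+--EXPECTF--
+Fatal error: Uncaught ValueError: mb_regex_encoding(): Argument #1 ($encoding) must be a valid encoding, "iso-8859-11" given in %s:%d
+Stack trace:
+#0 %s(%d): mb_regex_encoding('iso-8859-11')
+#1 {main}
+ thrown in %s on line %d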
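Review bot: The script terminates on the uncaught ValueError from `mb_regex_encoding('iso-8859-11')`, so the `mb_ereg_search_init('x')` call on the next line never runs and the test does not show that the search path is safe after a rejected encoding. Catching the exception, e.g. `try { mb_regex_encoding('iso-8859-11'); } catch (ValueError $e) { echo $e->getMessage(), "\n"; }`, and then dumping the result of `mb_ereg_search_init('x')` would cover both the rejection and the regex state it leaves behind. The file also sits under Zend/tests although it requires the mbstring extension; ext/mbstring/tests would be the more discoverable location if the backport is free to differ from upstream.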
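diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index e87a7c6131..f0216b2a2d 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -409,8 +409,13 @@ int php_mb_regex_set_mbctype(const char *encname)
 if (mbctype == ONIG_ENCODING_UNDEF) {
 return FAILURE;
 }
+ const mbfl_encoding *mbfl_enc = mbfl_name2encoding(encname);
+ if (mbfl_enc == NULL) {
+ /* Encoding supported by Oniguruma but not by mbfl */
+ return FAILURE;
+ }
 MBREX(current_mbctype) = mbctype;
- MBREX(current_mbctype_mbfl_encoding) = mbfl_name2encoding(encname);
+ MBREX(current_mbctype_mbfl_encoding) = mbfl_enc;
 return SUCCESS;
 }
 /* }}} */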
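Review bot: The NULL check added ahead of `MBREX(current_mbctype_mbfl_encoding) = mbfl_enc;` guards only this one writer, while the reader named in the commit title, php_mb_check_encoding(), presumably still dereferences the global without a check of its own. Any other assignment to `current_mbctype_mbfl_encoding` lies outside this hunk (the body of php_mb_regex_set_mbctype() also starts above it) and should be confirmed to keep the pointer non-NULL, for instance a default or INI-driven setter if one exists. A comment at the assignment would record the invariant for later maintainers: `/* never NULL: php_mb_check_encoding() dereferences this without a check */`. Encodings that Oniguruma accepts but mbfl lacks are now rejected outright by mb_regex_encoding(), which is a user-visible behaviour change worth stating in the package changelog.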
--
2.54.0