php/php-cve-2026-7262.patch

From b41a11a9786cc5b6b343b47c37ad8c1fdc2dbf33 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Sat, 25 Apr 2026 00:44:37 +0200
Subject: [PATCH 3/9] GHSA-hmxp-6pc4-f3vv: [soap] Fix broken Apache map value
 NULL check

Fixes GHSA-hmxp-6pc4-f3vv
Fixes CVE-2026-7262

(cherry picked from commit 79551ab8b1a97760c739e372f9bc359619f3554d)
(cherry picked from commit aed3e63e282235b32a07ca28cc20728eedfcfec3)
(cherry picked from commit 8c897384b867a573d52a04b455fe2da30671d0ea)
---
 ext/soap/php_encoding.c                 |  2 +-
 ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt | 39 +++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt

diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
index 088d0086472..9fb65cfb3f0 100644
--- a/ext/soap/php_encoding.c
+++ b/ext/soap/php_encoding.c
@@ -2706,7 +2706,7 @@ static zval *to_zval_map(zval *ret, encodeTypePtr type, xmlNodePtr data)
 			}
 
 			xmlValue = get_node(item->children, "value");
-			if (!xmlKey) {
+			if (!xmlValue) {
 				soap_error0(E_ERROR,  "Encoding: Can't decode apache map, missing value");
 			}
 
diff --git a/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt b/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
new file mode 100644
index 00000000000..e46ab2e4607
--- /dev/null
+++ b/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
@@ -0,0 +1,39 @@
+--TEST--
+GHSA-hmxp-6pc4-f3vv: Null pointer dereference on missing Apache map value
+--CREDITS--
+Ilia Alshanetsky (iliaal)
+--EXTENSIONS--
+soap
+--FILE--
+<?php
+
+$request = <<<XML
+<?xml version="1.0" encoding="UTF-8"?>
+<soap:Envelope
+    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+    xmlns:apache="http://xml.apache.org/xml-soap">
+
+    <soap:Body>
+        <test>
+            <map xsi:type="apache:Map">
+                <item><key>hello</key></item>
+            </map>
+        </test>
+    </soap:Body>
+</soap:Envelope>
+XML;
+
+$server = new SoapServer(null, [
+    'uri' => 'urn:test',
+    'typemap' => [['type_name' => 'anything']],
+]);
+$server->addFunction('test');
+function test($m) { return null; }
+$server->handle($request);
+
+?>
+--EXPECT--
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>SOAP-ERROR: Encoding: Can't decode apache map, missing value</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
-- 
2.54.0