From 79a054eae016c56409432e69aebc8ca908a88838 Mon Sep 17 00:00:00 2001
From: vi3tL0u1s <luuviethoang.attt@gmail.com>
Date: Sun, 3 May 2026 20:02:21 +0200
Subject: [PATCH] GHSA-wm6j-2649-pv75: [mbstring] Fix null pointer dereference
 in php_mb_check_encoding() via mb_ereg_search_init()

Fixes GHSA-wm6j-2649-pv75
Fixes CVE-2026-7259
---
 Zend/tests/GHSA-wm6j-2649-pv75.phpt | 22 ++++++++++++++++++++++
 ext/mbstring/php_mbregex.c          |  7 ++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/GHSA-wm6j-2649-pv75.phpt

diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index 99dc91e34dca..08195e1765ec 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -409,8 +409,13 @@ int php_mb_regex_set_mbctype(const char *encname)
 	if (mbctype == ONIG_ENCODING_UNDEF) {
 		return FAILURE;
 	}
+	const mbfl_encoding *mbfl_enc = mbfl_name2encoding(encname);
+	if (mbfl_enc == NULL) {
+		/* Encoding supported by Oniguruma but not by mbfl */
+		return FAILURE;
+	}
 	MBREX(current_mbctype) = mbctype;
-	MBREX(current_mbctype_mbfl_encoding) = mbfl_name2encoding(encname);
+	MBREX(current_mbctype_mbfl_encoding) = mbfl_enc;
 	return SUCCESS;
 }
 /* }}} */