GHSA-wm6j-2649-pv75: [mbstring] Fix null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()

Fixes GHSA-wm6j-2649-pv75
Fixes CVE-2026-7259

Author: vi3tL0u1s

Zend/tests/GHSA-wm6j-2649-pv75.phpt

@@ -0,0 +1,22 @@
+--TEST--
+GHSA-wm6j-2649-pv75: Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()
+--CREDITS--
+vi3tL0u1s
+--EXTENSIONS--
+mbstring
+--SKIPIF--
+<?php
+if (!function_exists('mb_regex_encoding')) die('skip No mbregex support');
+?>
+--FILE--
+<?php
+// iso-8859-11 is supported by Oniguruma but not by mbfl
+mb_regex_encoding('iso-8859-11');
+mb_ereg_search_init('x');
+?>
+--EXPECTF--
+Fatal error: Uncaught ValueError: mb_regex_encoding(): Argument #1 ($encoding) must be a valid encoding, "iso-8859-11" given in %s:%d
+Stack trace:
+#0 %s(%d): mb_regex_encoding('iso-8859-11')
+#1 {main}
+  thrown in %s on line %d

ext/mbstring/php_mbregex.c

@@ -409,8 +409,13 @@ int php_mb_regex_set_mbctype(const char *encname)
 	if (mbctype == ONIG_ENCODING_UNDEF) {
 		return FAILURE;
 	}
+	const mbfl_encoding *mbfl_enc = mbfl_name2encoding(encname);
+	if (mbfl_enc == NULL) {
+		/* Encoding supported by Oniguruma but not by mbfl */
+		return FAILURE;
+	}
 	MBREX(current_mbctype) = mbctype;
-	MBREX(current_mbctype_mbfl_encoding) = mbfl_name2encoding(encname);
+	MBREX(current_mbctype_mbfl_encoding) = mbfl_enc;
 	return SUCCESS;
 }
 /* }}} */