GHSA-hmxp-6pc4-f3vv: [soap] Fix broken Apache map value NULL check

Fixes GHSA-hmxp-6pc4-f3vv
Fixes CVE-2026-7262

Author: iluuu1994

ext/soap/php_encoding.c

@@ -2783,7 +2783,7 @@ static zval *to_zval_map(zval *ret, encodeTypePtr type, xmlNodePtr data)
 			}
 
 			xmlValue = get_node(item->children, "value");
-			if (!xmlKey) {
+			if (!xmlValue) {
 				soap_error0(E_ERROR,  "Encoding: Can't decode apache map, missing value");
 			}
 

ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt

@@ -0,0 +1,39 @@
+--TEST--
+GHSA-hmxp-6pc4-f3vv: Null pointer dereference on missing Apache map value
+--CREDITS--
+Ilia Alshanetsky (iliaal)
+--EXTENSIONS--
+soap
+--FILE--
+<?php
+
+$request = <<<XML
+<?xml version="1.0" encoding="UTF-8"?>
+<soap:Envelope
+    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+    xmlns:apache="http://xml.apache.org/xml-soap">
+
+    <soap:Body>
+        <test>
+            <map xsi:type="apache:Map">
+                <item><key>hello</key></item>
+            </map>
+        </test>
+    </soap:Body>
+</soap:Envelope>
+XML;
+
+$server = new SoapServer(null, [
+    'uri' => 'urn:test',
+    'typemap' => [['type_name' => 'anything']],
+]);
+$server->addFunction('test');
+function test($m) { return null; }
+$server->handle($request);
+
+?>
+--EXPECT--
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>SOAP-ERROR: Encoding: Can't decode apache map, missing value</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>