From f022261cdeddb4ddabdf18745e49de1fabe80d42 Mon Sep 17 00:00:00 2001
From: vi3tL0u1s <luuviethoang.attt@gmail.com>
Date: Mon, 26 Jan 2026 08:57:56 +1100
Subject: [PATCH] Fix mb_ereg_search_getregs() NULL pointer dereference

---
 ext/mbstring/php_mbregex.c                    |  2 +-
 .../gh21036_mb_ereg_search_getregs_null.phpt  | 26 +++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 ext/mbstring/tests/gh21036_mb_ereg_search_getregs_null.phpt

diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index 7f7df34d0bf38..06e320028fe56 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -1535,7 +1535,7 @@ PHP_FUNCTION(mb_ereg_search_getregs)
 				add_index_bool(return_value, i, 0);
 			}
 		}
-		if (onig_number_of_names(MBREX(search_re)) > 0) {
+		if (MBREX(search_re) != NULL && onig_number_of_names(MBREX(search_re)) > 0) {
 			mb_regex_groups_iter_args args = {
 				return_value,
 				Z_STRVAL(MBREX(search_str)),
diff --git a/ext/mbstring/tests/gh21036_mb_ereg_search_getregs_null.phpt b/ext/mbstring/tests/gh21036_mb_ereg_search_getregs_null.phpt
new file mode 100644
index 0000000000000..e868797ffac1d
--- /dev/null
+++ b/ext/mbstring/tests/gh21036_mb_ereg_search_getregs_null.phpt
@@ -0,0 +1,26 @@
+--TEST--
+GH-21036 (mb_ereg_search_getregs() crash after mb_eregi() invalidates search_re)
+--CREDITS--
+vi3tL0u1s
+--EXTENSIONS--
+mbstring
+--SKIPIF--
+<?php
+if (!function_exists("mb_ereg_search_init")) die("skip mb_ereg_search_init() not available");
+?>
+--FILE--
+<?php
+// mb_eregi() can invalidate MBREX(search_re) via regex cache eviction
+// while MBREX(search_regs) remains valid, causing NULL pointer dereference
+
+mb_ereg_search_init("a", "a");
+mb_ereg_search_pos();
+mb_eregi("a", "a");  // This invalidates search_re
+$result = mb_ereg_search_getregs();  // Should not crash
+var_dump($result);
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  string(1) "a"
+}