Null pointer dereference in mb_ereg_search_getregs() after mb_eregi() invalidates regex cache #21036

@vi3tL0u1s

Description

The following code:

<?php
// Set up the global mb_ereg search state: pattern "a", subject string "a".
mb_ereg_search_init("a", "a");
// Run a search so the internal match registers are populated.
mb_ereg_search_pos();
// Compile a different (case-insensitive) pattern; per the title this invalidates the regex cache
// that the search state still points into.
mb_eregi("a", "a");
// Reading the registers now dereferences the stale regex pointer (crash shown below).
mb_ereg_search_getregs();

Resulted in this output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==PID==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000080 (pc 0x... bp 0x... sp 0x... T0)
==PID==The signal is caused by a READ memory access.
==PID==Hint: address points to the zero page.
    #0 in onig_number_of_names (/lib/x86_64-linux-gnu/libonig.so.5)
    #1 in zif_mb_ereg_search_getregs ext/mbstring/php_mbregex.c:1532
    #2 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER Zend/zend_vm_execute.h:1355
    #3 in execute_ex Zend/zend_vm_execute.h:116469
    #4 in zend_execute Zend/zend_vm_execute.h:121962
    #5 in zend_execute_script Zend/zend.c:1980
    #6 in php_execute_script_ex main/main.c:2645
    #7 in php_execute_script main/main.c:2685
    #8 in do_cli sapi/cli/php_cli.c:951
    #9 in main sapi/cli/php_cli.c:1362

SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libonig.so.5) in onig_number_of_names

Commit:

5f367b8a011b6d9d2ddac08f6ff6ad0dcd39a0c2

Build configuration:

./configure --enable-debug --enable-address-sanitizer --disable-shared --with-pic --enable-mbstring --with-zlib

PHP Version

PHP 8.6.0-dev (cli) (built: Jan 26 2026 00:15:37) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.6.0-dev, Copyright (c) Zend Technologies

Operating System

Ubuntu 22.04
