Commit 925ba18cbdb for php.net
commit 925ba18cbdb605523852f895e2589649346abea8
Author: Arshid <arshidkv12@gmail.com>
Date: Thu Jun 25 21:06:51 2026 +0530
Fix GH-22449: Fix NULL dereference in user_filter_factory_create() (#22453)
Fix #22449, a NULL pointer dereference in `user_filter_factory_create()`
POC:
```php
<?php
try {
stream_filter_register("rotator_notWorking", rotate_filter_nw::class);
class rotate_filter_nw extends php_user_filter
{
function filter($in, $out, &$consumed, $closing): int
{
$stream = fopen('php://memory', 'w+');
stream_filter_append($stream, "rotator_notWorking");
}
}
$stream = fopen('php://memory', 'w+');
stream_filter_append($stream, "rotator_notWorking");
} catch (\Throwable $_ffl_e) {}
```
Resulted in this output:
```
/home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/Zend/zend_hash.c:55:7: runtime error: member access within null pointer of type 'const HashTable' (aka 'const struct _zend_array')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/Zend/zend_hash.c:55:7 in
```
diff --git a/ext/standard/tests/gh22449.phpt b/ext/standard/tests/gh22449.phpt
new file mode 100644
index 00000000000..94709803aea
--- /dev/null
+++ b/ext/standard/tests/gh22449.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Bug GH-22449: user_filter_factory_create NULL dereference during shutdown
+--FILE--
+<?php
+
+class rotate_filter_nw extends php_user_filter
+{
+ public function filter($in, $out, &$consumed, $closing): int
+ {
+ $stream = fopen('php://memory', 'w+');
+ stream_filter_append($stream, "rotator_notWorking");
+
+ return PSFS_PASS_ON;
+ }
+}
+
+stream_filter_register("rotator_notWorking", rotate_filter_nw::class);
+
+$stream = fopen('php://memory', 'w+');
+stream_filter_append($stream, "rotator_notWorking");
+
+echo "done\n";
+?>
+--EXPECTF--
+done
+
+Warning: stream_filter_append(): Unable to create or locate filter "rotator_notWorking" in %s on line %d
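Review bot: The --FILE-- section has no comment saying that the regression is only reached because the stream is closed implicitly at request shutdown, which is what the title and the `done`-before-`Warning` order in --EXPECTF-- imply. I would add a comment above the final `stream_filter_append()` call, for example `// No fclose() on purpose: filter() has to run while the stream is torn down at shutdown (GH-22449)`. Without it, a later cleanup that closes the stream explicitly would presumably stop exercising the fixed path while the test name still claims coverage.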
diff --git a/ext/standard/user_filters.c b/ext/standard/user_filters.c
index ae4132733be..986bbbd5f4d 100644
--- a/ext/standard/user_filters.c
+++ b/ext/standard/user_filters.c
@@ -337,6 +337,10 @@ static php_stream_filter *user_filter_factory_create(const char *filtername,
return NULL;
}
+ if (UNEXPECTED(BG(user_filter_map) == NULL)) {
+ return NULL;
+ }
+
len = strlen(filtername);
/* determine the classname/class entry */
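Review bot: The new `BG(user_filter_map) == NULL` guard has no comment on when the map can be NULL, and nothing visible in this hunk explains it. Judging from the test title, this happens when a filter is instantiated from inside `filter()` during request shutdown, presumably after the map has been released; a comment above the `if` such as `/* The map may already be gone during shutdown; no user filter can be resolved then (GH-22449) */` would record that. The same comment could mention that the silent `return NULL` leaves the caller to emit the generic "Unable to create or locate filter" warning that the new test expects. The body of user_filter_factory_create() starts and ends outside the hunk, so other reads of the map in this function cannot be checked from here.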