Fix missing deref in zend_fe_fetch_object_helper

iluuu1994 · iluuu1994 · commit df0e151266b1 · 2026-02-03T01:50:11.000+01:00
Fixes OSS-Fuzz #481017027 Introduced in GH-20628
diff --git a/Zend/tests/oss-fuzz-481017027.phpt b/Zend/tests/oss-fuzz-481017027.phpt
@@ -0,0 +1,23 @@
+--TEST--
+OSS-Fuzz #481017027: Missing zend_fe_fetch_object_helper deref
+--FILE--
+<?php
+
+class C {
+    public $y;
+}
+
+function test($obj, $name) {
+    foreach ($obj as $$name) {
+        var_dump($$name);
+    }
+}
+
+$y = 42;
+$obj = new C;
+$obj->y = &$y;
+test($obj, '');
+
+?>
+--EXPECT--
+int(42)
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -7183,6 +7183,10 @@ ZEND_VM_C_LABEL(fe_fetch_r_exit):
 		zval *variable_ptr = EX_VAR(opline->op2.var);
 		zend_assign_to_variable(variable_ptr, value, IS_CV, EX_USES_STRICT_TYPES());
 	} else {
+		if (UNEXPECTED(Z_ISREF_P(value))) {
+			value = Z_REFVAL_P(value);
+			value_type = Z_TYPE_INFO_P(value);
+		}
 		zval *res = EX_VAR(opline->op2.var);
 		zend_refcounted *gc = Z_COUNTED_P(value);
 
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
