diff --git a/NEWS b/NEWS
index 3ec3f8c096d..5070f818aca 100644
--- a/NEWS
+++ b/NEWS
@@ -61,6 +61,10 @@ PHP                                                                        NEWS
   . Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog().
     (Girgias)
 
+- SPL:
+  . Fixed bug GH-20614 (SplFixedArray incorrectly handles references
+    in deserialization). (ndossche)
+
 - Standard:
   . Fix memory leak in array_diff() with custom type checks. (ndossche)
   . Fixed bug GH-20583 (Stack overflow in http_build_query
diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c
index 49eb8841de1..53dba1b727c 100644
--- a/ext/spl/spl_fixedarray.c
+++ b/ext/spl/spl_fixedarray.c
@@ -652,7 +652,7 @@ PHP_METHOD(SplFixedArray, __unserialize)
 		intern->array.size = 0;
 		ZEND_HASH_FOREACH_STR_KEY_VAL(data, key, elem) {
 			if (key == NULL) {
-				ZVAL_COPY(&intern->array.elements[intern->array.size], elem);
+				ZVAL_COPY_DEREF(&intern->array.elements[intern->array.size], elem);
 				intern->array.size++;
 			} else {
 				Z_TRY_ADDREF_P(elem);
@@ -833,7 +833,7 @@ PHP_METHOD(SplFixedArray, offsetGet)
 	value = spl_fixedarray_object_read_dimension_helper(intern, zindex);
 
 	if (value) {
-		RETURN_COPY_DEREF(value);
+		RETURN_COPY(value);
 	} else {
 		RETURN_NULL();
 	}
diff --git a/ext/spl/tests/gh20614.phpt b/ext/spl/tests/gh20614.phpt
new file mode 100644
index 00000000000..c13630d7646
--- /dev/null
+++ b/ext/spl/tests/gh20614.phpt
@@ -0,0 +1,23 @@
+--TEST--
+GH-20614 (SplFixedArray incorrectly handles references in deserialization)
+--FILE--
+<?php
+
+$fa = new SplFixedArray(0);
+$nr = 1;
+$array = [&$nr];
+$fa->__unserialize($array);
+var_dump($fa);
+unset($fa[0]);
+var_dump($fa);
+
+?>
+--EXPECT--
+object(SplFixedArray)#1 (1) {
+  [0]=>
+  int(1)
+}
+object(SplFixedArray)#1 (1) {
+  [0]=>
+  NULL
+}