From 4188c3ee2c0c3fe8d117e11b8963ac5c955f243e Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Tue, 3 Feb 2026 13:55:49 +0100
Subject: [PATCH] Fix missing deref in zend_fe_fetch_object_helper (GH-21116)

Fixes OSS-Fuzz #481017027
Introduced in GH-20628
---
 Zend/tests/oss-fuzz-481017027.phpt | 23 +++++++++++++++++++++++
 Zend/zend_vm_def.h                 |  4 ++++
 Zend/zend_vm_execute.h             |  8 ++++++++
 3 files changed, 35 insertions(+)
 create mode 100644 Zend/tests/oss-fuzz-481017027.phpt

diff --git a/Zend/tests/oss-fuzz-481017027.phpt b/Zend/tests/oss-fuzz-481017027.phpt
new file mode 100644
index 00000000000..472133cfe84
--- /dev/null
+++ b/Zend/tests/oss-fuzz-481017027.phpt
@@ -0,0 +1,23 @@
+--TEST--
+OSS-Fuzz #481017027: Missing zend_fe_fetch_object_helper deref
+--FILE--
+<?php
+
+class C {
+    public $y;
+}
+
+function test($obj, $name) {
+    foreach ($obj as $$name) {
+        var_dump($$name);
+    }
+}
+
+$y = 42;
+$obj = new C;
+$obj->y = &$y;
+test($obj, '');
+
+?>
+--EXPECT--
+int(42)
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 7723650cb1c..6551ce23e27 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -7183,6 +7183,10 @@ ZEND_VM_C_LABEL(fe_fetch_r_exit):
 		zval *variable_ptr = EX_VAR(opline->op2.var);
 		zend_assign_to_variable(variable_ptr, value, IS_CV, EX_USES_STRICT_TYPES());
 	} else {
+		if (UNEXPECTED(Z_ISREF_P(value))) {
+			value = Z_REFVAL_P(value);
+			value_type = Z_TYPE_INFO_P(value);
+		}
 		zval *res = EX_VAR(opline->op2.var);
 		zend_refcounted *gc = Z_COUNTED_P(value);
 
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 4745b2a2652..07588c0e769 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -3106,6 +3106,10 @@ fe_fetch_r_exit:
 		zval *variable_ptr = EX_VAR(opline->op2.var);
 		zend_assign_to_variable(variable_ptr, value, IS_CV, EX_USES_STRICT_TYPES());
 	} else {
+		if (UNEXPECTED(Z_ISREF_P(value))) {
+			value = Z_REFVAL_P(value);
+			value_type = Z_TYPE_INFO_P(value);
+		}
 		zval *res = EX_VAR(opline->op2.var);
 		zend_refcounted *gc = Z_COUNTED_P(value);
 
@@ -55764,6 +55768,10 @@ fe_fetch_r_exit:
 		zval *variable_ptr = EX_VAR(opline->op2.var);
 		zend_assign_to_variable(variable_ptr, value, IS_CV, EX_USES_STRICT_TYPES());
 	} else {
+		if (UNEXPECTED(Z_ISREF_P(value))) {
+			value = Z_REFVAL_P(value);
+			value_type = Z_TYPE_INFO_P(value);
+		}
 		zval *res = EX_VAR(opline->op2.var);
 		zend_refcounted *gc = Z_COUNTED_P(value);