From 99f5653ebbc6d139d1ad4b60126003ed7d242e29 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sun, 24 Nov 2024 15:55:27 +0100
Subject: [PATCH] Fix GH-16908: _ZendTestMagicCallForward does not handle
 references well

This testing code was never meant to be used this way, but fixing this
will at least stop fuzzers from complaining about this, so might still
be worthwhile.

Closes GH-16919.
---
 ext/zend_test/test.c             |  7 +++++--
 ext/zend_test/tests/gh16908.phpt | 20 ++++++++++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 ext/zend_test/tests/gh16908.phpt

diff --git a/ext/zend_test/test.c b/ext/zend_test/test.c
index 100ef25800f..b6f833c231f 100644
--- a/ext/zend_test/test.c
+++ b/ext/zend_test/test.c
@@ -902,9 +902,12 @@ static ZEND_METHOD(_ZendTestMagicCallForward, __call)
 
 	ZEND_IGNORE_VALUE(arguments);
 
-	zval func;
+	zval func, rv;
 	ZVAL_STR(&func, name);
-	call_user_function(NULL, NULL, &func, return_value, 0, NULL);
+	call_user_function(NULL, NULL, &func, &rv, 0, NULL);
+
+	ZVAL_COPY_DEREF(return_value, &rv);
+	zval_ptr_dtor(&rv);
 }
 
 PHP_INI_BEGIN()
diff --git a/ext/zend_test/tests/gh16908.phpt b/ext/zend_test/tests/gh16908.phpt
new file mode 100644
index 00000000000..670cfa579a8
--- /dev/null
+++ b/ext/zend_test/tests/gh16908.phpt
@@ -0,0 +1,20 @@
+--TEST--
+GH-16908 (_ZendTestMagicCallForward does not handle references well)
+--EXTENSIONS--
+zend_test
+--FILE--
+<?php
+$cls = new _ZendTestMagicCallForward();
+function &foo() {
+}
+$cls->foo()->x ??= 42;
+?>
+--EXPECTF--
+Notice: Only variable references should be returned by reference in %s on line %d
+
+Notice: Only variable references should be returned by reference in %s on line %d
+
+Fatal error: Uncaught Error: Attempt to assign property "x" on null in %s:%d
+Stack trace:
+#0 {main}
+  thrown in %s on line %d