From 366ed4c7508af61dd4d0397d758abfc77ffe2b8a Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
Date: Sat, 29 Nov 2025 12:07:15 +0100
Subject: [PATCH] Fix GH-20614: SplFixedArray incorrectly handles references in
 deserialization

All other code caters to dereferencing array elements, except the
unserialize handler. This causes references to be present in the fixed
array even though this seems not intentional as reference assign is
otherwise impossible.
On 8.5+ this causes an assertion failure. On 8.3+ this causes references
to be present where they shouldn't be.

Closes GH-20616.
---
 NEWS                       |  4 ++++
 ext/spl/spl_fixedarray.c   |  4 ++--
 ext/spl/tests/gh20614.phpt | 23 +++++++++++++++++++++++
 3 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 ext/spl/tests/gh20614.phpt

diff --git a/NEWS b/NEWS
index 3ec3f8c096d..5070f818aca 100644
--- a/NEWS
+++ b/NEWS
@@ -61,6 +61,10 @@ PHP                                                                        NEWS
   . Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog().
     (Girgias)
 
+- SPL:
+  . Fixed bug GH-20614 (SplFixedArray incorrectly handles references
+    in deserialization). (ndossche)
+
 - Standard:
   . Fix memory leak in array_diff() with custom type checks. (ndossche)
   . Fixed bug GH-20583 (Stack overflow in http_build_query
diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c
index 49eb8841de1..53dba1b727c 100644
--- a/ext/spl/spl_fixedarray.c
+++ b/ext/spl/spl_fixedarray.c
@@ -652,7 +652,7 @@ PHP_METHOD(SplFixedArray, __unserialize)
 		intern->array.size = 0;
 		ZEND_HASH_FOREACH_STR_KEY_VAL(data, key, elem) {
 			if (key == NULL) {
-				ZVAL_COPY(&intern->array.elements[intern->array.size], elem);
+				ZVAL_COPY_DEREF(&intern->array.elements[intern->array.size], elem);
 				intern->array.size++;
 			} else {
 				Z_TRY_ADDREF_P(elem);
@@ -833,7 +833,7 @@ PHP_METHOD(SplFixedArray, offsetGet)
 	value = spl_fixedarray_object_read_dimension_helper(intern, zindex);
 
 	if (value) {
-		RETURN_COPY_DEREF(value);
+		RETURN_COPY(value);
 	} else {
 		RETURN_NULL();
 	}
diff --git a/ext/spl/tests/gh20614.phpt b/ext/spl/tests/gh20614.phpt
new file mode 100644
index 00000000000..c13630d7646
--- /dev/null
+++ b/ext/spl/tests/gh20614.phpt
@@ -0,0 +1,23 @@
+--TEST--
+GH-20614 (SplFixedArray incorrectly handles references in deserialization)
+--FILE--
+<?php
+
+$fa = new SplFixedArray(0);
+$nr = 1;
+$array = [&$nr];
+$fa->__unserialize($array);
+var_dump($fa);
+unset($fa[0]);
+var_dump($fa);
+
+?>
+--EXPECT--
+object(SplFixedArray)#1 (1) {
+  [0]=>
+  int(1)
+}
+object(SplFixedArray)#1 (1) {
+  [0]=>
+  NULL
+}