From 07ceadf7d9bcb398fd3b3befa9fdf0df3a96dc8d Mon Sep 17 00:00:00 2001
From: David Carlier <devnexen@gmail.com>
Date: Thu, 6 Mar 2025 22:26:34 +0000
Subject: [PATCH] Fix GH-17984: gd calls with array arguments.

close GH-17985
---
 NEWS                      |  2 ++
 ext/gd/gd.c               |  8 +++----
 ext/gd/tests/gh17984.phpt | 44 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 50 insertions(+), 4 deletions(-)
 create mode 100644 ext/gd/tests/gh17984.phpt

diff --git a/NEWS b/NEWS
index 352dce95e7a..d72d262bbc4 100644
--- a/NEWS
+++ b/NEWS
@@ -34,6 +34,8 @@ PHP                                                                        NEWS
 - GD:
   . Fixed bug GH-17772 (imagepalettetotruecolor crash with memory_limit=2M).
     (David Carlier)
+  . Fixed bug GH-17984 (calls with arguments as array with references).
+    (David Carlier)
 
 - LDAP:
   . Fixed bug GH-17704 (ldap_search fails when $attributes contains a
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 847e0835bad..2585923edcc 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -3417,7 +3417,7 @@ PHP_FUNCTION(imageconvolution)
 	}
 
 	for (i=0; i<3; i++) {
-		if ((var = zend_hash_index_find(Z_ARRVAL_P(hash_matrix), (i))) != NULL && Z_TYPE_P(var) == IS_ARRAY) {
+		if ((var = zend_hash_index_find_deref(Z_ARRVAL_P(hash_matrix), (i))) != NULL && Z_TYPE_P(var) == IS_ARRAY) {
 			if (zend_hash_num_elements(Z_ARRVAL_P(var)) != 3 ) {
 				zend_argument_value_error(2, "must be a 3x3 array, matrix[%d] only has %d elements", i, zend_hash_num_elements(Z_ARRVAL_P(var)));
 				RETURN_THROWS();
@@ -3697,7 +3697,7 @@ PHP_FUNCTION(imageaffine)
 	}
 
 	for (i = 0; i < nelems; i++) {
-		if ((zval_affine_elem = zend_hash_index_find(Z_ARRVAL_P(z_affine), i)) != NULL) {
+		if ((zval_affine_elem = zend_hash_index_find_deref(Z_ARRVAL_P(z_affine), i)) != NULL) {
 			switch (Z_TYPE_P(zval_affine_elem)) {
 				case IS_LONG:
 					affine[i] = Z_LVAL_P(zval_affine_elem);
@@ -3873,7 +3873,7 @@ PHP_FUNCTION(imageaffinematrixconcat)
 	}
 
 	for (i = 0; i < 6; i++) {
-		if ((tmp = zend_hash_index_find(Z_ARRVAL_P(z_m1), i)) != NULL) {
+		if ((tmp = zend_hash_index_find_deref(Z_ARRVAL_P(z_m1), i)) != NULL) {
 			switch (Z_TYPE_P(tmp)) {
 				case IS_LONG:
 					m1[i]  = Z_LVAL_P(tmp);
@@ -3890,7 +3890,7 @@ PHP_FUNCTION(imageaffinematrixconcat)
 			}
 		}
 
-		if ((tmp = zend_hash_index_find(Z_ARRVAL_P(z_m2), i)) != NULL) {
+		if ((tmp = zend_hash_index_find_deref(Z_ARRVAL_P(z_m2), i)) != NULL) {
 			switch (Z_TYPE_P(tmp)) {
 				case IS_LONG:
 					m2[i]  = Z_LVAL_P(tmp);
diff --git a/ext/gd/tests/gh17984.phpt b/ext/gd/tests/gh17984.phpt
new file mode 100644
index 00000000000..c46c455799e
--- /dev/null
+++ b/ext/gd/tests/gh17984.phpt
@@ -0,0 +1,44 @@
+--TEST--
+GH-17984: array of references handling
+--EXTENSIONS--
+gd
+--FILE--
+<?php
+$a = 45;
+$matrix = [&$a, 1, 3, 1, 5, 1];
+$subarray = [&$a, 0, 0];
+$matrix3 = array([0, 0, 0] , &$subarray, [0, 0, 0]);
+$src = imagecreatetruecolor(8, 8);
+var_dump(imageaffine($src, $matrix));
+var_dump(imageaffinematrixconcat($matrix, $matrix));
+var_dump(imageconvolution($src, $matrix3, 1.0, 0.0));
+$poly = imagecolorallocate($src, 255, 0, 0);
+var_dump(imagepolygon($src, array (
+        &$a,   0,
+        100, 200,
+        300, 200
+    ),
+    $poly));
+$style = [&$a, &$a];
+var_dump(imagesetstyle($src, $style)); 
+?>
+--EXPECT--
+object(GdImage)#2 (0) {
+}
+array(6) {
+  [0]=>
+  float(2028)
+  [1]=>
+  float(46)
+  [2]=>
+  float(138)
+  [3]=>
+  float(4)
+  [4]=>
+  float(233)
+  [5]=>
+  float(7)
+}
+bool(true)
+bool(true)
+bool(true)