Fix missing deref in zend_fe_fetch_object_helper (GH-21116)

Fixes OSS-Fuzz #481017027
Introduced in GH-20628

Zend/tests/oss-fuzz-481017027.phpt

@@ -0,0 +1,23 @@
+--TEST--
+OSS-Fuzz #481017027: Missing zend_fe_fetch_object_helper deref
+--FILE--
+<?php
+
+class C {
+    public $y;
+}
+
+function test($obj, $name) {
+    foreach ($obj as $$name) {
+        var_dump($$name);
+    }
+}
+
+$y = 42;
+$obj = new C;
+$obj->y = &$y;
+test($obj, '');
+
+?>
+--EXPECT--
+int(42)

Zend/zend_vm_def.h

@@ -7183,6 +7183,10 @@ ZEND_VM_C_LABEL(fe_fetch_r_exit):
 		zval *variable_ptr = EX_VAR(opline->op2.var);
 		zend_assign_to_variable(variable_ptr, value, IS_CV, EX_USES_STRICT_TYPES());
 	} else {
+		if (UNEXPECTED(Z_ISREF_P(value))) {
+			value = Z_REFVAL_P(value);
+			value_type = Z_TYPE_INFO_P(value);
+		}
 		zval *res = EX_VAR(opline->op2.var);
 		zend_refcounted *gc = Z_COUNTED_P(value);
 

Zend/zend_vm_execute.h

@@ -3106,6 +3106,10 @@ fe_fetch_r_exit:
 		zval *variable_ptr = EX_VAR(opline->op2.var);
 		zend_assign_to_variable(variable_ptr, value, IS_CV, EX_USES_STRICT_TYPES());
 	} else {
+		if (UNEXPECTED(Z_ISREF_P(value))) {
+			value = Z_REFVAL_P(value);
+			value_type = Z_TYPE_INFO_P(value);
+		}
 		zval *res = EX_VAR(opline->op2.var);
 		zend_refcounted *gc = Z_COUNTED_P(value);
 
@@ -55764,6 +55768,10 @@ fe_fetch_r_exit:
 		zval *variable_ptr = EX_VAR(opline->op2.var);
 		zend_assign_to_variable(variable_ptr, value, IS_CV, EX_USES_STRICT_TYPES());
 	} else {
+		if (UNEXPECTED(Z_ISREF_P(value))) {
+			value = Z_REFVAL_P(value);
+			value_type = Z_TYPE_INFO_P(value);
+		}
 		zval *res = EX_VAR(opline->op2.var);
 		zend_refcounted *gc = Z_COUNTED_P(value);