Commit 366ed4c7508 for php.net

commit 366ed4c7508af61dd4d0397d758abfc77ffe2b8a
Author: Niels Dossche <7771979+ndossche@users.noreply.github.com>
Date:   Sat Nov 29 12:07:15 2025 +0100

    Fix GH-20614: SplFixedArray incorrectly handles references in deserialization

    All other code caters to dereferencing array elements, except the
    unserialize handler. This causes references to be present in the fixed
    array even though this seems not intentional as reference assign is
    otherwise impossible.
    On 8.5+ this causes an assertion failure. On 8.3+ this causes references
    to be present where they shouldn't be.

    Closes GH-20616.

diff --git a/NEWS b/NEWS
index 3ec3f8c096d..5070f818aca 100644
--- a/NEWS
+++ b/NEWS
@@ -61,6 +61,10 @@ PHP                                                                        NEWS
   . Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog().
     (Girgias)

+- SPL:
+  . Fixed bug GH-20614 (SplFixedArray incorrectly handles references
+    in deserialization). (ndossche)
+
 - Standard:
   . Fix memory leak in array_diff() with custom type checks. (ndossche)
   . Fixed bug GH-20583 (Stack overflow in http_build_query
diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c
index 49eb8841de1..53dba1b727c 100644
--- a/ext/spl/spl_fixedarray.c
+++ b/ext/spl/spl_fixedarray.c
@@ -652,7 +652,7 @@ PHP_METHOD(SplFixedArray, __unserialize)
 		intern->array.size = 0;
 		ZEND_HASH_FOREACH_STR_KEY_VAL(data, key, elem) {
 			if (key == NULL) {
-				ZVAL_COPY(&intern->array.elements[intern->array.size], elem);
+				ZVAL_COPY_DEREF(&intern->array.elements[intern->array.size], elem);
 				intern->array.size++;
 			} else {
 				Z_TRY_ADDREF_P(elem);
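Review bot: The dereference on the `ZVAL_COPY_DEREF` line is the only thing keeping references out of `intern->array.elements` on this path, and nothing at the write site says so. A one-line comment above it, such as `/* Elements must never be IS_REFERENCE; the array passed to __unserialize() may contain references. */`, would keep a later cleanup from reverting it to `ZVAL_COPY`. The string-key branch still takes `elem` as-is via `Z_TRY_ADDREF_P`, and what is done with it happens below the hunk, so whether a reference is acceptable there cannot be confirmed from here. The method body starts and ends outside the hunk.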
@@ -833,7 +833,7 @@ PHP_METHOD(SplFixedArray, offsetGet)
 	value = spl_fixedarray_object_read_dimension_helper(intern, zindex);

 	if (value) {
-		RETURN_COPY_DEREF(value);
+		RETURN_COPY(value);
 	} else {
 		RETURN_NULL();
 	}
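Review bot: `RETURN_COPY(value)` now trusts that no element is ever a reference, so a writer that misses a dereference would hand an `IS_REFERENCE` zval back to the caller instead of being masked here. The commit message says an assertion already fires on 8.5+, so this may be covered elsewhere. If it is not, a debug-only check before the return, `ZEND_ASSERT(!Z_ISREF_P(value));`, would state the invariant on the read side without cost in release builds. The function starts outside the hunk.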
diff --git a/ext/spl/tests/gh20614.phpt b/ext/spl/tests/gh20614.phpt
new file mode 100644
index 00000000000..c13630d7646
--- /dev/null
+++ b/ext/spl/tests/gh20614.phpt
@@ -0,0 +1,23 @@
+--TEST--
+GH-20614 (SplFixedArray incorrectly handles references in deserialization)
+--FILE--
+<?php
+
+$fa = new SplFixedArray(0);
+$nr = 1;
+$array = [&$nr];
+$fa->__unserialize($array);
+var_dump($fa);
+unset($fa[0]);
+var_dump($fa);
+
+?>
+--EXPECT--
+object(SplFixedArray)#1 (1) {
+  [0]=>
+  int(1)
+}
+object(SplFixedArray)#1 (1) {
+  [0]=>
+  NULL
+}
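Review bot: The test pins only the `var_dump()` output, so it does not directly show that the stored element is decoupled from `$nr`. Adding `$nr = 2; var_dump($fa[0]);` after the `__unserialize()` call, with `int(1)` added to `--EXPECT--`, would assert that. The test also calls `__unserialize()` directly. A second case that goes through `unserialize()` on a serialized `SplFixedArray` whose element list contains a reference would cover the path that handles externally supplied data.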