Commit 4188c3ee2c0 for php.net

commit 4188c3ee2c0c3fe8d117e11b8963ac5c955f243e
Author: Ilija Tovilo <ilija.tovilo@me.com>
Date:   Tue Feb 3 13:55:49 2026 +0100

    Fix missing deref in zend_fe_fetch_object_helper (GH-21116)

    Fixes OSS-Fuzz #481017027
    Introduced in GH-20628

diff --git a/Zend/tests/oss-fuzz-481017027.phpt b/Zend/tests/oss-fuzz-481017027.phpt
new file mode 100644
index 00000000000..472133cfe84
--- /dev/null
+++ b/Zend/tests/oss-fuzz-481017027.phpt
@@ -0,0 +1,23 @@
+--TEST--
+OSS-Fuzz #481017027: Missing zend_fe_fetch_object_helper deref
+--FILE--
+<?php
+
+class C {
+    public $y;
+}
+
+function test($obj, $name) {
+    foreach ($obj as $$name) {
+        var_dump($$name);
+    }
+}
+
+$y = 42;
+$obj = new C;
+$obj->y = &$y;
+test($obj, '');
+
+?>
+--EXPECT--
+int(42)
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 7723650cb1c..6551ce23e27 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -7183,6 +7183,10 @@ ZEND_VM_C_LABEL(fe_fetch_r_exit):
 		zval *variable_ptr = EX_VAR(opline->op2.var);
 		zend_assign_to_variable(variable_ptr, value, IS_CV, EX_USES_STRICT_TYPES());
 	} else {
+		if (UNEXPECTED(Z_ISREF_P(value))) {
+			value = Z_REFVAL_P(value);
+			value_type = Z_TYPE_INFO_P(value);
+		}
 		zval *res = EX_VAR(opline->op2.var);
 		zend_refcounted *gc = Z_COUNTED_P(value);

diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 4745b2a2652..07588c0e769 100644
Binary files a/Zend/zend_vm_execute.h and b/Zend/zend_vm_execute.h differ