From fd7d8bcc5c319478cc64c8992fc8d9148ec804b5 Mon Sep 17 00:00:00 2001 From: Arshid Date: Fri, 9 Jan 2026 11:02:07 +0530 Subject: [PATCH 1/7] Fixed _get_zval_ptr_tmp: Assertion error --- Zend/zend_operators.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c index 2550fcbeb1cde..ea4455ee87ea4 100644 --- a/Zend/zend_operators.c +++ b/Zend/zend_operators.c @@ -324,6 +324,7 @@ static zend_never_inline zval* ZEND_FASTCALL _zendi_convert_scalar_to_number_sil static zend_never_inline zend_result ZEND_FASTCALL _zendi_try_convert_scalar_to_number(zval *op, zval *holder) /* {{{ */ { +try_again: switch (Z_TYPE_P(op)) { case IS_NULL: case IS_FALSE: @@ -359,6 +360,9 @@ static zend_never_inline zend_result ZEND_FASTCALL _zendi_try_convert_scalar_to_ case IS_RESOURCE: case IS_ARRAY: return FAILURE; + case IS_REFERENCE: + op = Z_REFVAL_P(op); + goto try_again; EMPTY_SWITCH_DEFAULT_CASE() } } From 39bf7ede305c1f05c3665d544094a4e76ac9bae6 Mon Sep 17 00:00:00 2001 From: Arshid Date: Fri, 9 Jan 2026 17:43:27 +0530 Subject: [PATCH 2/7] ext/reflection: fix bug 20873 - cannot assign by reference to overloaded object --- Zend/zend_execute.c | 9 +++++++ ext/reflection/tests/bug20873.phpt | 40 ++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 ext/reflection/tests/bug20873.phpt diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c index 518cbb98fc0f8..77ee548d07a98 100644 --- a/Zend/zend_execute.c +++ b/Zend/zend_execute.c @@ -3624,6 +3624,15 @@ static zend_always_inline void zend_fetch_property_address(zval *result, zval *c ZVAL_ERROR(result); goto end; } + if (UNEXPECTED(!Z_REFCOUNTED_P(ptr) && !Z_ISREF_P(ptr) && Z_TYPE_P(ptr) != IS_INDIRECT )) { + if (Z_TYPE_P(ptr) == IS_FALSE) { + ZVAL_FALSE(result); + } + if (Z_TYPE_P(ptr) == IS_NULL) { + ZVAL_NULL(result); + } + goto end; + } } else if (UNEXPECTED(Z_ISERROR_P(ptr))) { ZVAL_ERROR(result); goto end; 
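Review bot: The `IS_REFERENCE` case added in the second hunk (with the `try_again:` label from the first) makes `_zendi_try_convert_scalar_to_number` unwrap references itself, which silences the assertion named in the subject without explaining why a reference reaches this helper. The existing `EMPTY_SWITCH_DEFAULT_CASE()` suggests the switch was meant to see only already-dereferenced operands. If a reference is legitimately possible here, say so on the function, e.g. `/* op may be IS_REFERENCE when called from <caller>; unwrap before converting */`; otherwise the caller should dereference. PATCH 7/7 removes both hunks again, so the series would read more clearly if it were squashed without them.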
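Review bot: The added `UNEXPECTED(!Z_REFCOUNTED_P(ptr) && ...)` block in `zend_fetch_property_address` jumps to `end` without writing `result` for every non-refcounted type other than `IS_FALSE` and `IS_NULL` (`IS_TRUE`, `IS_LONG`, `IS_DOUBLE`, `IS_UNDEF`). Unless `result` is initialised earlier in the function, which the hunk does not show, the caller then consumes a stale zval. The block also stops every scalar on this branch from being returned as `INDIRECT`, which looks much broader than the reported case. If a by-value return is really intended, copy unconditionally with `ZVAL_COPY_VALUE(result, ptr);` instead of the two type-specific `if`s. PATCH 5/7 has the same gap: `ZVAL_INDIRECT(result, ptr)` becomes conditional and the other branch falls through with `result` unwritten.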
diff --git a/ext/reflection/tests/bug20873.phpt b/ext/reflection/tests/bug20873.phpt new file mode 100644 index 0000000000000..8d1ca5bc22079 --- /dev/null +++ b/ext/reflection/tests/bug20873.phpt @@ -0,0 +1,40 @@ +--TEST-- +Lazy proxy with __get creating references and arithmetic +--FILE-- +x =& $this->_; + + // Static self-reference (edge case) + static $a = $a; + + // Arithmetic on reference + $e =& $this->_ - $a; + } +} + +$rc = new ReflectionClass(A::class); +$obj = $rc->newLazyProxy(fn() => new A); +$rc->initializeLazyObject($obj); + +var_dump($obj->p); +?> +--EXPECTF-- +Deprecated: Creation of dynamic property A::$x is deprecated in %s on line %d + +Warning: Undefined property: A::$x in %s on line %d + +Fatal error: Uncaught Error: Cannot assign by reference to overloaded object in %s:%d +Stack trace: +#0 %s(9): A->__get('x') +#1 %s(23): A->__get('p') +#2 {main} + thrown in %s on line %d + + From d32338e8aad82fed5187a41492a213b8d7ed452e Mon Sep 17 00:00:00 2001 From: Arshid Date: Fri, 9 Jan 2026 17:46:16 +0530 Subject: [PATCH 3/7] ext/reflection: fix bug 20873 - cannot assign by reference to overloaded object --- ext/reflection/tests/bug20873.phpt | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/ext/reflection/tests/bug20873.phpt b/ext/reflection/tests/bug20873.phpt index 8d1ca5bc22079..025abaee3608a 100644 --- a/ext/reflection/tests/bug20873.phpt +++ b/ext/reflection/tests/bug20873.phpt @@ -4,25 +4,16 @@ Lazy proxy with __get creating references and arithmetic x =& $this->_; - - // Static self-reference (edge case) static $a = $a; - - // Arithmetic on reference $e =& $this->_ - $a; } } - $rc = new ReflectionClass(A::class); $obj = $rc->newLazyProxy(fn() => new A); $rc->initializeLazyObject($obj); - var_dump($obj->p); ?> --EXPECTF-- 
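Review bot: The new test's name and location do not match the change: the fix is in `Zend/zend_execute.c`, but the file is added under `ext/reflection/tests/` as `bug20873.phpt`, and PATCH 7/7 refers to `#20875`, so it is unclear which report this test pins. If the number is a GitHub issue, php-src tests are normally named with a `gh` prefix and carry the id in `--TEST--`, e.g. `GH-20873 (assertion failure fetching a property by reference from __get on a lazy proxy)`. The expected output only checks that the engine raises the `Error` instead of asserting, and a one-line comment in `--FILE--` saying so would help the next reader.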
@@ -32,8 +23,8 @@ Warning: Undefined property: A::$x in %s on line %d Fatal error: Uncaught Error: Cannot assign by reference to overloaded object in %s:%d Stack trace: -#0 %s(9): A->__get('x') -#1 %s(23): A->__get('p') +#0 %s(%d): A->__get('x') +#1 %s(%d): A->__get('p') #2 {main} thrown in %s on line %d From 3b635c26e60a54ce24fb41b76ba58392f6bde58d Mon Sep 17 00:00:00 2001 From: Arshid Date: Fri, 9 Jan 2026 20:17:25 +0530 Subject: [PATCH 4/7] ext/reflection: fix bug 20873 - cannot assign by reference to overloaded object --- Zend/zend_execute.c | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c index 77ee548d07a98..109bae3580b0b 100644 --- a/Zend/zend_execute.c +++ b/Zend/zend_execute.c @@ -3624,20 +3624,14 @@ static zend_always_inline void zend_fetch_property_address(zval *result, zval *c ZVAL_ERROR(result); goto end; } - if (UNEXPECTED(!Z_REFCOUNTED_P(ptr) && !Z_ISREF_P(ptr) && Z_TYPE_P(ptr) != IS_INDIRECT )) { - if (Z_TYPE_P(ptr) == IS_FALSE) { - ZVAL_FALSE(result); - } - if (Z_TYPE_P(ptr) == IS_NULL) { - ZVAL_NULL(result); - } + if (Z_TYPE_P(ptr) == IS_NULL && Z_NEXT_P(ptr) == 0) { + ZVAL_NULL(result); goto end; } } else if (UNEXPECTED(Z_ISERROR_P(ptr))) { ZVAL_ERROR(result); goto end; } - ZVAL_INDIRECT(result, ptr); flags &= ZEND_FETCH_OBJ_FLAGS; if (flags) { From 282bdb61b16c51e7361ff10220911a19ef65dc7b Mon Sep 17 00:00:00 2001 From: Arshid Date: Fri, 9 Jan 2026 21:38:52 +0530 Subject: [PATCH 5/7] ext/reflection: fix bug 20873 - cannot assign by reference to overloaded object --- Zend/zend_execute.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c index 109bae3580b0b..4a5508ac2a1d0 100644 --- a/Zend/zend_execute.c +++ b/Zend/zend_execute.c 
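Review bot: `Z_NEXT_P(ptr) == 0` in the added condition reads the zval's `u2` word as a hash-chain link, but `ptr` here comes from the object's property handlers, where that word carries other per-slot data (property flags, as far as I know), so the test depends on whatever is stored there, not on a documented invariant. It also makes every null value with a zero `u2` come back as a plain `NULL` instead of an `INDIRECT`, which would presumably drop writes made through the fetched address. If the intent is to detect a `ptr` that is not a writable property slot, test that directly and state it in a comment, e.g. `/* ptr is not a writable property slot: return the value, not an INDIRECT */`. The same condition is re-added in PATCH 6/7 and appears inverted in PATCH 5/7. The enclosing function starts and ends outside the hunk.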
@@ -3624,15 +3624,13 @@ static zend_always_inline void zend_fetch_property_address(zval *result, zval *c ZVAL_ERROR(result); goto end; } - if (Z_TYPE_P(ptr) == IS_NULL && Z_NEXT_P(ptr) == 0) { - ZVAL_NULL(result); - goto end; - } } else if (UNEXPECTED(Z_ISERROR_P(ptr))) { ZVAL_ERROR(result); goto end; } - ZVAL_INDIRECT(result, ptr); + if (Z_NEXT_P(ptr) != 0 || Z_TYPE_P(ptr) != IS_NULL) { + ZVAL_INDIRECT(result, ptr); + } flags &= ZEND_FETCH_OBJ_FLAGS; if (flags) { zend_property_info *prop_info = CACHED_PTR_EX(cache_slot + 2); From 8170d546d222838239b861ab94434743f0d168a2 Mon Sep 17 00:00:00 2001 From: Arshid Date: Fri, 9 Jan 2026 21:49:52 +0530 Subject: [PATCH 6/7] ext/reflection: fix bug 20873 - cannot assign by reference to overloaded object --- Zend/zend_execute.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c index 4a5508ac2a1d0..109bae3580b0b 100644 --- a/Zend/zend_execute.c +++ b/Zend/zend_execute.c @@ -3624,13 +3624,15 @@ static zend_always_inline void zend_fetch_property_address(zval *result, zval *c ZVAL_ERROR(result); goto end; } + if (Z_TYPE_P(ptr) == IS_NULL && Z_NEXT_P(ptr) == 0) { + ZVAL_NULL(result); + goto end; + } } else if (UNEXPECTED(Z_ISERROR_P(ptr))) { ZVAL_ERROR(result); goto end; } - if (Z_NEXT_P(ptr) != 0 || Z_TYPE_P(ptr) != IS_NULL) { - ZVAL_INDIRECT(result, ptr); - } + ZVAL_INDIRECT(result, ptr); flags &= ZEND_FETCH_OBJ_FLAGS; if (flags) { zend_property_info *prop_info = CACHED_PTR_EX(cache_slot + 2); From 842a996a67fa7b4146187457028a390e5f4615cf Mon Sep 17 00:00:00 2001 From: Arshid Date: Sat, 10 Jan 2026 10:43:03 +0530 Subject: [PATCH 7/7] Fix #20875: null pointer in zend_fetch_property_address --- Zend/zend_execute.c | 14 ++++++++++---- Zend/zend_operators.c | 4 ---- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c index 109bae3580b0b..5409df3b44a76 100644 --- a/Zend/zend_execute.c +++ b/Zend/zend_execute.c 
@@ -3624,14 +3624,20 @@ static zend_always_inline void zend_fetch_property_address(zval *result, zval *c ZVAL_ERROR(result); goto end; } - if (Z_TYPE_P(ptr) == IS_NULL && Z_NEXT_P(ptr) == 0) { - ZVAL_NULL(result); - goto end; + + if (EXPECTED(Z_TYPE_P(ptr) == IS_NULL)) { + zend_property_info *prop_info = CACHED_PTR_EX(cache_slot + 2); + + if (prop_info == NULL) { + ZVAL_NULL(result); + goto end; + } } } else if (UNEXPECTED(Z_ISERROR_P(ptr))) { ZVAL_ERROR(result); goto end; } + ZVAL_INDIRECT(result, ptr); flags &= ZEND_FETCH_OBJ_FLAGS; if (flags) { @@ -5937,4 +5943,4 @@ ZEND_API zval *zend_get_zval_ptr(const zend_op *opline, int op_type, const znode break; } return ret; -} +} \ No newline at end of file diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c index ea4455ee87ea4..2550fcbeb1cde 100644 --- a/Zend/zend_operators.c +++ b/Zend/zend_operators.c @@ -324,7 +324,6 @@ static zend_never_inline zval* ZEND_FASTCALL _zendi_convert_scalar_to_number_sil static zend_never_inline zend_result ZEND_FASTCALL _zendi_try_convert_scalar_to_number(zval *op, zval *holder) /* {{{ */ { -try_again: switch (Z_TYPE_P(op)) { case IS_NULL: case IS_FALSE: @@ -360,9 +359,6 @@ static zend_never_inline zend_result ZEND_FASTCALL _zendi_try_convert_scalar_to_ case IS_RESOURCE: case IS_ARRAY: return FAILURE; - case IS_REFERENCE: - op = Z_REFVAL_P(op); - goto try_again; EMPTY_SWITCH_DEFAULT_CASE() } }
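Review bot: The new `CACHED_PTR_EX(cache_slot + 2)` read in the `IS_NULL` branch dereferences `cache_slot` without a check, and nothing in the hunk shows it is non-NULL on this path. If callers pass NULL for a non-constant property name (the signature and callers are outside the hunk, so this is inferred), a fetch with a dynamic name would read through a near-NULL pointer. A NULL slot also describes the state of the runtime cache, not the value behind `ptr`, so any null property whose info is not cached is returned as a plain `NULL` instead of an `INDIRECT`, and a write through the fetched address would presumably be lost. At minimum guard the read, `if (cache_slot != NULL && CACHED_PTR_EX(cache_slot + 2) == NULL)`, drop the `EXPECTED()` hint on what is the rare case, and add a comment naming the invariant of `ptr` the check stands for. The test in this series uses only constant property names, so the dynamic-name path is not exercised.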