From 5855bdcd6c83ce272075bdde42af55e423e441fb Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Thu, 20 Apr 2023 10:18:18 +0200
Subject: [PATCH] Fix reference returned from CallbackFilterIterator::accept()

Fixes oss-fuzz #58181
---
 Zend/tests/oss_fuzz_58181.phpt | 14 ++++++++++++++
 ext/spl/spl_iterators.c        |  2 ++
 2 files changed, 16 insertions(+)
 create mode 100644 Zend/tests/oss_fuzz_58181.phpt

diff --git a/Zend/tests/oss_fuzz_58181.phpt b/Zend/tests/oss_fuzz_58181.phpt
new file mode 100644
index 00000000000..36a0ba16d62
--- /dev/null
+++ b/Zend/tests/oss_fuzz_58181.phpt
@@ -0,0 +1,14 @@
+--TEST--
+oss-fuzz #58181: Fix unexpected reference returned from CallbackFilterIterator::accept()
+--FILE--
+<?php
+function test(array $data) {
+    $iterator = new ArrayIterator($data);
+    $iterator = new \CallbackFilterIterator($iterator, fn&() => true);
+    $iterator->rewind();
+}
+
+test(['a', 'b']);
+?>
+--EXPECTF--
+Notice: Only variable references should be returned by reference in %s on line %d
diff --git a/ext/spl/spl_iterators.c b/ext/spl/spl_iterators.c
index 9c7ca4e3244..97253cfe932 100644
--- a/ext/spl/spl_iterators.c
+++ b/ext/spl/spl_iterators.c
@@ -1787,6 +1787,8 @@ PHP_METHOD(CallbackFilterIterator, accept)
 
 	if (zend_call_function(fci, fcc) != SUCCESS || Z_ISUNDEF_P(return_value)) {
 		RETURN_FALSE;
+	} else if (Z_ISREF_P(return_value)) {
+		zend_unwrap_reference(return_value);
 	}
 }
 /* }}} */