From c376f9943fd1146a8468b81c206e39cef07a9257 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sun, 12 Nov 2023 18:43:35 +0100
Subject: [PATCH] Fix GH-12655: proc_open() does not take into account
 references in the descriptor array

Closes GH-12658.
---
 NEWS                                          |  2 ++
 ext/standard/proc_open.c                      |  1 +
 .../tests/general_functions/gh12655.phpt      | 22 +++++++++++++++++++
 3 files changed, 25 insertions(+)
 create mode 100644 ext/standard/tests/general_functions/gh12655.phpt

diff --git a/NEWS b/NEWS
index 73fa39d796700..33d604bc45779 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,8 @@ PHP                                                                        NEWS
   . Fix memory leak in syslog device handling. (danog)
   . Fixed bug GH-12621 (browscap segmentation fault when configured in the
     vhost). (nielsdos)
+  . Fixed bug GH-12655 (proc_open() does not take into account references
+    in the descriptor array). (nielsdos)
 
 - SQLite3:
   . Fixed bug GH-12633 (sqlite3_defensive.phpt fails with sqlite 3.44.0).
diff --git a/ext/standard/proc_open.c b/ext/standard/proc_open.c
index a57e66bd97954..3f8eaafd6d281 100644
--- a/ext/standard/proc_open.c
+++ b/ext/standard/proc_open.c
@@ -1096,6 +1096,7 @@ PHP_FUNCTION(proc_open)
 
 		descriptors[ndesc].index = (int)nindex;
 
+		ZVAL_DEREF(descitem);
 		if (Z_TYPE_P(descitem) == IS_RESOURCE) {
 			if (set_proc_descriptor_from_resource(descitem, &descriptors[ndesc], ndesc) == FAILURE) {
 				goto exit_fail;
diff --git a/ext/standard/tests/general_functions/gh12655.phpt b/ext/standard/tests/general_functions/gh12655.phpt
new file mode 100644
index 0000000000000..c0235ee6ae6fb
--- /dev/null
+++ b/ext/standard/tests/general_functions/gh12655.phpt
@@ -0,0 +1,22 @@
+--TEST--
+GH-12655 (proc_open(): Argument #2 ($descriptor_spec) must only contain arrays and streams [Descriptor item must be either an array or a File-Handle])
+--FILE--
+<?php
+
+$descriptor_spec = [
+    0 => [ "pipe", "r" ],  // stdin is a pipe that the child will read from
+    1 => [ "pipe", "w" ],  // stdout is a pipe that the child will write to
+    2 => [ "pipe", "w" ],  // stderr is a file to write to
+];
+
+foreach ( $descriptor_spec as $fd => &$d )
+{
+    // don't do anything, just the fact that we used "&$d" will sink the ship!
+}
+
+$proc = proc_open(PHP_BINARY, $descriptor_spec, $pipes);
+echo $proc === false ? "FAILED\n" : "SUCCEEDED\n";
+
+?>
+--EXPECT--
+SUCCEEDED