From 6a138b19743ba600ba37f70b07527794bde48bb6 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Wed, 4 Mar 2026 10:31:18 +0100
Subject: [PATCH] Fix incorrect zend_hash_find_ptr() on non-ptr in
 ReflectionProperty::isReadable()

Fixes OSS-Fuzz #489355368
---
 ext/reflection/php_reflection.c              |  4 ++--
 ext/reflection/tests/oss-fuzz-489355368.phpt | 17 +++++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 ext/reflection/tests/oss-fuzz-489355368.phpt

diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c
index 2a9b4776350bc..587bca11522b2 100644
--- a/ext/reflection/php_reflection.c
+++ b/ext/reflection/php_reflection.c
@@ -6676,7 +6676,7 @@ ZEND_METHOD(ReflectionProperty, isReadable)
 
 	zend_class_entry *ce = obj ? obj->ce : intern->ce;
 	if (!prop) {
-		if (obj && obj->properties && zend_hash_find_ptr(obj->properties, ref->unmangled_name)) {
+		if (obj && obj->properties && zend_hash_find(obj->properties, ref->unmangled_name)) {
 			RETURN_TRUE;
 		}
 handle_magic_get:
@@ -6701,7 +6701,7 @@ ZEND_METHOD(ReflectionProperty, isReadable)
 			if (!obj) {
 				RETURN_THROWS();
 			}
-			if (obj->properties && zend_hash_find_ptr(obj->properties, ref->unmangled_name)) {
+			if (obj->properties && zend_hash_find(obj->properties, ref->unmangled_name)) {
 				RETURN_TRUE;
 			}
 		}
diff --git a/ext/reflection/tests/oss-fuzz-489355368.phpt b/ext/reflection/tests/oss-fuzz-489355368.phpt
new file mode 100644
index 0000000000000..1885f33476d4a
--- /dev/null
+++ b/ext/reflection/tests/oss-fuzz-489355368.phpt
@@ -0,0 +1,17 @@
+--TEST--
+OSS-Fuzz #489355368: Incorrect assumption Z_PTR_P assumption
+--FILE--
+<?php
+
+#[AllowDynamicProperties]
+class A {}
+
+$obj = new A;
+$obj->prop = 0;
+
+$rp = new ReflectionProperty($obj, 'prop');
+var_dump($rp->isReadable(null, $obj));
+
+?>
+--EXPECT--
+bool(true)