Fix bugs in SplFixedArray unserialization

A typed property of an object properties table is an indirect pointer (IS_IND)
to a typed reference (IS_REF). Neither of those should be in the backing array
after unserializing an SplFixedArray (see SplFixedArray::fromArray()).

I missed this initially when reviewing phpGH-9354

Author: TysonAndre

ext/spl/spl_fixedarray.c

@@ -576,8 +576,8 @@ PHP_METHOD(SplFixedArray, __wakeup)
 
 		spl_fixedarray_init(&intern->array, size);
 
-		ZEND_HASH_FOREACH_VAL(intern_ht, data) {
-			ZVAL_COPY(&intern->array.elements[index], data);
+		ZEND_HASH_FOREACH_VAL_IND(intern_ht, data) {
+			ZVAL_COPY_DEREF(&intern->array.elements[index], data);
 			index++;
 		} ZEND_HASH_FOREACH_END();
 
@@ -640,7 +640,7 @@ PHP_METHOD(SplFixedArray, __unserialize)
 		intern->array.size = 0;
 		ZEND_HASH_FOREACH_STR_KEY_VAL(data, key, elem) {
 			if (key == NULL) {
-				ZVAL_COPY(&intern->array.elements[intern->array.size], elem);
+				ZVAL_COPY_DEREF(&intern->array.elements[intern->array.size], elem);
 				intern->array.size++;
 			} else {
 				Z_TRY_ADDREF_P(elem);

ext/spl/tests/fixedarray_025.phpt

@@ -0,0 +1,33 @@
+--TEST--
+SPL: FixedArray: __wakeup
+--FILE--
+<?php
+#[AllowDynamicProperties]
+class MyFixedArray extends SplFixedArray {
+    public stdClass $x;
+    public $y;
+}
+$a = new MyFixedArray();
+$a->x = new stdClass();
+$y = new ArrayObject();
+$a->y = &$y;
+$a->z = new stdClass();
+$x = &$a->x;
+$a->__wakeup();
+var_dump($a);
+?>
+--EXPECTF--
+object(MyFixedArray)#%d (3) {
+  [0]=>
+  object(stdClass)#%d (0) {
+  }
+  [1]=>
+  object(ArrayObject)#%d (1) {
+    ["storage":"ArrayObject":private]=>
+    array(0) {
+    }
+  }
+  [2]=>
+  object(stdClass)#%d (0) {
+  }
+}