Fix leak if error handler changes the value to an allocated value

Author: Girgias

Zend/tests/in-de-crement/unset_property_converted_to_obj_in_error_handler.phpt

@@ -0,0 +1,25 @@
+--TEST--
+Unset declared property converted to object in error handler
+--FILE--
+<?php
+class C {
+    public $a;
+    function errorHandler() {
+        $this->a = new stdClass();
+    }
+}
+$c = new C;
+set_error_handler([$c,'errorHandler']);
+unset($c->a);
+
+try {
+    (++$c->a);
+} catch (\TypeError $e) {
+    echo $e->getMessage(), PHP_EOL;
+}
+var_dump($c->a);
+?>
+--EXPECT--
+Cannot increment stdClass
+object(stdClass)#2 (0) {
+}

Zend/zend_object_handlers.c

@@ -1117,10 +1117,12 @@ ZEND_API zval *zend_std_get_property_ptr_ptr(zend_object *zobj, zend_string *nam
 							ZSTR_VAL(name));
 						retval = &EG(error_zval);
 					} else {
-						zend_error(E_WARNING, "Undefined property: %s::$%s", ZSTR_VAL(zobj->ce->name), ZSTR_VAL(name));
-						/* We set the retval to null AFTER the warning so that an error handler cannot mess
-						 * with the property value... */
 						ZVAL_NULL(retval);
+						zend_error(E_WARNING, "Undefined property: %s::$%s", ZSTR_VAL(zobj->ce->name), ZSTR_VAL(name));
+						/* If an error handler unsets the property again just consider it to be NULL again */
+						 if (UNEXPECTED(Z_TYPE_P(retval) == IS_UNDEF)) {
+							ZVAL_NULL(retval);
+						 }
 					}
 				} else if (prop_info && UNEXPECTED(prop_info->flags & ZEND_ACC_READONLY)) {
 					/* Readonly property, delegate to read_property + write_property. */