Fix OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler

Reorder when we assign the property value to NULL which is identical to
a3a3964

Just for the declared property case instead of dynamic.

Author: Girgias

Zend/tests/in-de-crement/oss-fuzz-61865_binop_declared_property_unset_error_handler.phpt

@@ -0,0 +1,18 @@
+--TEST--
+OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler
+--FILE--
+<?php
+class C {
+    public $a;
+    function errorHandler($errno, $errstr) {
+        unset($this->a);
+    }
+}
+$c = new C;
+set_error_handler([$c,'errorHandler']);
+unset($c->a);
+$c->a += 5;
+var_dump($c->a);
+?>
+--EXPECT--
+int(5)

Zend/tests/in-de-crement/oss-fuzz-61865_postdec_declared_property_unset_error_handler.phpt

@@ -0,0 +1,20 @@
+--TEST--
+OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler
+--FILE--
+<?php
+class C {
+    public $a;
+    function errorHandler($errno, $errstr) {
+        unset($this->a);
+    }
+}
+$c = new C;
+set_error_handler([$c,'errorHandler']);
+unset($c->a);
+$v = ($c->a--);
+var_dump($c->a);
+var_dump($v);
+?>
+--EXPECT--
+NULL
+NULL

Zend/tests/in-de-crement/oss-fuzz-61865_postinc_declared_property_unset_error_handler.phpt

@@ -0,0 +1,20 @@
+--TEST--
+OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler
+--FILE--
+<?php
+class C {
+    public $a;
+    function errorHandler($errno, $errstr) {
+        unset($this->a);
+    }
+}
+$c = new C;
+set_error_handler([$c,'errorHandler']);
+unset($c->a);
+$v = ($c->a++);
+var_dump($c->a);
+var_dump($v);
+?>
+--EXPECT--
+int(1)
+NULL

Zend/tests/in-de-crement/oss-fuzz-61865_predec_declared_property_unset_error_handler.phpt

@@ -0,0 +1,18 @@
+--TEST--
+OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler
+--FILE--
+<?php
+class C {
+    public $a;
+    function errorHandler($errno, $errstr) {
+        unset($this->a);
+    }
+}
+$c = new C;
+set_error_handler([$c,'errorHandler']);
+unset($c->a);
+(--$c->a);
+var_dump($c->a);
+?>
+--EXPECT--
+NULL

Zend/tests/in-de-crement/oss-fuzz-61865_preinc_declared_property_unset_error_handler.phpt

@@ -0,0 +1,18 @@
+--TEST--
+OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler
+--FILE--
+<?php
+class C {
+    public $a;
+    function errorHandler($errno, $errstr) {
+        unset($this->a);
+    }
+}
+$c = new C;
+set_error_handler([$c,'errorHandler']);
+unset($c->a);
+(++$c->a);
+var_dump($c->a);
+?>
+--EXPECT--
+int(1)

Zend/zend_object_handlers.c

@@ -1117,8 +1117,10 @@ ZEND_API zval *zend_std_get_property_ptr_ptr(zend_object *zobj, zend_string *nam
 							ZSTR_VAL(name));
 						retval = &EG(error_zval);
 					} else {
-						ZVAL_NULL(retval);
 						zend_error(E_WARNING, "Undefined property: %s::$%s", ZSTR_VAL(zobj->ce->name), ZSTR_VAL(name));
+						/* We set the retval to null AFTER the warning so that an error handler cannot mess
+						 * with the property value... */
+						ZVAL_NULL(retval);
 					}
 				} else if (prop_info && UNEXPECTED(prop_info->flags & ZEND_ACC_READONLY)) {
 					/* Readonly property, delegate to read_property + write_property. */