Handle all known cases

Post increments are converted to pre increments if no return value is used.
Ditto for decrement

Author: Girgias

Zend/tests/in-de-crement/oss-fuzz-61469_binop_dynamic_property_unset_error_handler.phpt

@@ -0,0 +1,16 @@
+--TEST--
+OSS Fuzz #61469: Undef variable in ++/-- for dynamic property that is unset in error handler
+--FILE--
+<?php
+class C {
+    function errorHandle() {
+        unset($this->a);
+    }
+}
+$c = new C;
+set_error_handler([$c,'errorHandle']);
+$c->a += 5;
+var_dump($c->a);
+?>
+--EXPECT--
+NULL

Zend/tests/in-de-crement/oss-fuzz-61469_postdec_dynamic_property_unset_error_handler.phpt

@@ -0,0 +1,19 @@
+--TEST--
+OSS Fuzz #61469: Undef variable in ++/-- for dynamic property that is unset in error handler
+--FILE--
+<?php
+class C {
+    function errorHandle() {
+        unset($this->a);
+    }
+}
+$c = new C;
+set_error_handler([$c,'errorHandle']);
+
+$v = ($c->a--);
+var_dump($c->a);
+var_dump($v);
+?>
+--EXPECT--
+NULL
+NULL

Zend/tests/in-de-crement/oss-fuzz-61469_postinc_dynamic_property_unset_error_handler.phpt

@@ -0,0 +1,19 @@
+--TEST--
+OSS Fuzz #61469: Undef variable in ++/-- for dynamic property that is unset in error handler
+--FILE--
+<?php
+class C {
+    function errorHandle() {
+        unset($this->a);
+    }
+}
+$c = new C;
+set_error_handler([$c,'errorHandle']);
+
+$v = ($c->a--);
+var_dump($c->a);
+var_dump($v);
+?>
+--EXPECT--
+NULL
+NULL

Zend/tests/in-de-crement/oss-fuzz-61469_inc_dec_dynamic_property_unset_error_handler.phpt renamed to Zend/tests/in-de-crement/oss-fuzz-61469_predec_dynamic_property_unset_error_handler.phpt

@@ -9,21 +9,8 @@ class C {
 }
 $c = new C;
 set_error_handler([$c,'errorHandle']);
-
-($c->a++);
-var_dump($c->a);
-
-($c->a--);
-var_dump($c->a);
-
-(++$c->a);
-var_dump($c->a);
-
 (--$c->a);
 var_dump($c->a);
 ?>
 --EXPECT--
 NULL
-NULL
-NULL
-NULL

Zend/tests/in-de-crement/oss-fuzz-61469_preinc_dynamic_property_unset_error_handler.phpt

@@ -0,0 +1,16 @@
+--TEST--
+OSS Fuzz #61469: Undef variable in ++/-- for dynamic property that is unset in error handler
+--FILE--
+<?php
+class C {
+    function errorHandle() {
+        unset($this->a);
+    }
+}
+$c = new C;
+set_error_handler([$c,'errorHandle']);
+(++$c->a);
+var_dump($c->a);
+?>
+--EXPECT--
+NULL

Zend/zend_vm_def.h

@@ -1059,6 +1059,11 @@ ZEND_VM_C_LABEL(assign_op_object):
 				zval *orig_zptr = zptr;
 				zend_reference *ref;
 
+				/* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic
+				 * (e.g. undefined property warning) and the property is unset in the error handler */
+				if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) {
+					ZVAL_NULL(zptr);
+				}
 				do {
 					if (UNEXPECTED(Z_ISREF_P(zptr))) {
 						ref = Z_REF_P(zptr);
@@ -1404,6 +1409,11 @@ ZEND_VM_C_LABEL(post_incdec_object):
 			if (UNEXPECTED(Z_ISERROR_P(zptr))) {
 				ZVAL_NULL(EX_VAR(opline->result.var));
 			} else {
+				/* This case can ***ONLY*** happen if get_property_ptr_ptr emits a diagnostic
+				 * (e.g. undefined property warning) and the property is unset in the error handler */
+				if (UNEXPECTED(Z_TYPE_P(zptr) == IS_UNDEF)) {
+					ZVAL_NULL(zptr);
+				}
 				if (OP2_TYPE == IS_CONST) {
 					prop_info = (zend_property_info*)CACHED_PTR_EX(cache_slot + 2);
 				} else {