From 82165959c7425bba222a241edf930640c214c4df Mon Sep 17 00:00:00 2001
From: Ilija Tovilo
Date: Wed, 29 Jan 2025 12:48:35 +0100
Subject: [PATCH] Fix segfault when assigning to backing value by-ref from hook
Fixes oss-fuzz #391975641
---
 Zend/tests/oss-fuzz-391975641.phpt | 22 ++++++++++++++++++++++
 Zend/zend_execute.c | 2 +-
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/oss-fuzz-391975641.phpt
diff --git a/Zend/tests/oss-fuzz-391975641.phpt b/Zend/tests/oss-fuzz-391975641.phpt
new file mode 100644
index 0000000000000..586457aeac591
--- /dev/null
+++ b/Zend/tests/oss-fuzz-391975641.phpt
@@ -0,0 +1,22 @@
+--TEST--
+OSS-Fuzz #391975641: Segfault when creating reference from backing value
+--FILE--
+ $this->prop;
+ set {
+ $this->prop = &$value;
+ $value = &$this->prop;
+ }
+ }
+}
+
+$c = new C;
+$c->prop = 1;
+var_dump($c->prop);
+
+?>
+--EXPECT--
+int(1)
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index e425e6625e4c5..efe4dc2dd24ee 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -3487,7 +3487,7 @@ static zend_always_inline void zend_assign_to_property_reference(zval *container
 variable_ptr = zend_wrong_assign_to_variable_reference(
 variable_ptr, value_ptr, &garbage OPLINE_CC EXECUTE_DATA_CC);
- } else if (prop_info) {
+ } else if (prop_info && ZEND_TYPE_IS_SET(prop_info->type)) {
 variable_ptr = zend_assign_to_typed_property_reference(prop_info,
 variable_ptr, value_ptr, &garbage EXECUTE_DATA_CC);
 } else {
 zend_assign_to_variable_reference(variable_ptr, value_ptr, &garbage);
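Review bot: The regression test exercises only an untyped hooked property, so it pins the branch the fix now selects but not that a hooked property with a declared type (e.g. `public int $prop { ... }`) still takes the typed-reference path under the new condition. A second case with a declared type, or a type-violating by-ref assignment in the `set` hook expecting a TypeError, would cover both sides of the changed `else if` and catch a regression where the guard is later loosened. The `--EXPECT--` of `int(1)` is otherwise a reasonable oracle for the crash-free path.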
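Review bot: The new `else if` routes a non-NULL `prop_info` with no declared type to the plain `zend_assign_to_variable_reference` path, but nothing in the hunk says why `prop_info` can be set for an untyped property; from the commit title this is presumably the hooked-property backing value, and a short comment would save the next reader from re-deriving it, e.g. `/* Hooked properties carry prop_info even when untyped; only a declared type needs the typed-reference path. */`. It is also worth confirming that skipping `zend_assign_to_typed_property_reference` for that case drops nothing besides the type check (the callee is outside the hunk, so this is inferred). The enclosing function `zend_assign_to_property_reference` starts and ends outside the hunk.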