Fixed bug #80173

The analysis in the bug report wasn't correct (at least not in
this case -- there may still be a more general problem here),
the issue was that write_property returned the original variable_ptr
rather than the zend_assign_to_variable() return value, which will
DEREF the variable before overwriting it.

Author: nikic

NEWS

@@ -11,6 +11,8 @@ PHP                                                                        NEWS
     the process). (Calvin Buckley)
   . Fixed bug #73630 (Built-in Weberver - overwrite $_SERVER['request_uri']).
     (cmb)
+  . Fixed bug #80173 (Using return value of zend_assign_to_variable() is not
+    safe). (Nikita)
 
 - Intl:
   . Fixed bug #72809 (Locale::lookup() wrong result with canonicalize option).

Zend/tests/write_property_ref_overwrite_return.phpt

@@ -0,0 +1,12 @@
+--TEST--
+Using return of property assignment to reference that destroys object
+--FILE--
+<?php
+
+$a = new stdClass;
+$a->a =& $a;
+var_dump($a->a = 0);
+
+?>
+--EXPECT--
+int(0)

Zend/zend_object_handlers.c

@@ -849,7 +849,8 @@ ZEND_API zval *zend_std_write_property(zval *object, zval *member, zval *value,
 			}
 
 found:
-			zend_assign_to_variable(variable_ptr, value, IS_TMP_VAR, property_uses_strict_types());
+			variable_ptr = zend_assign_to_variable(
+				variable_ptr, value, IS_TMP_VAR, property_uses_strict_types());
 			goto exit;
 		}
 		if (Z_PROP_FLAG_P(variable_ptr) == IS_PROP_UNINIT) {