Fix segfault when assigning to backing value by-ref from hook

Fixes oss-fuzz #391975641
Closes GH-17620

Author: iluuu1994

NEWS

@@ -11,6 +11,8 @@ PHP                                                                        NEWS
   . Fixed bug GH-17618 (UnhandledMatchError does not take
     zend.exception_ignore_args=1 into account). (timwolla)
   . Fix fallback paths in fast_long_{add,sub}_function. (nielsdos)
+  . Fixed bug OSS-Fuzz #391975641 (Crash when accessing property backing value
+    by reference). (ilutov)
 
 - DOM:
   . Fixed bug GH-17609 (Typo in error message: Dom\NO_DEFAULT_NS instead of

Zend/tests/oss-fuzz-391975641.phpt

@@ -0,0 +1,22 @@
+--TEST--
+OSS-Fuzz #391975641: Segfault when creating reference from backing value
+--FILE--
+<?php
+
+class C {
+    public $prop {
+        get => $this->prop;
+        set {
+            $this->prop = &$value;
+            $value = &$this->prop;
+        }
+    }
+}
+
+$c = new C;
+$c->prop = 1;
+var_dump($c->prop);
+
+?>
+--EXPECT--
+int(1)

Zend/zend_execute.c

@@ -3490,7 +3490,7 @@ static zend_always_inline void zend_assign_to_property_reference(zval *container
 
 			variable_ptr = zend_wrong_assign_to_variable_reference(
 				variable_ptr, value_ptr, &garbage OPLINE_CC EXECUTE_DATA_CC);
-		} else if (prop_info) {
+		} else if (prop_info && ZEND_TYPE_IS_SET(prop_info->type)) {
 			variable_ptr = zend_assign_to_typed_property_reference(prop_info, variable_ptr, value_ptr, &garbage EXECUTE_DATA_CC);
 		} else {
 			zend_assign_to_variable_reference(variable_ptr, value_ptr, &garbage);