Fix GH-17941: Stack-use-after-return with lazy objects and hooks

zend_std_write_property() can return the variable pointer, but the code
was using a local variable, and so a pointer to a local variable could
be returned. Fix this by using the value pointer instead of the backup
value was written.
This can be more efficient on master by using the safe_assign helper.

Closes GH-17947.

Author: nielsdos

NEWS

@@ -11,6 +11,8 @@ PHP                                                                        NEWS
     child class). (ilutov)
   . Fixed bug GH-17913 (ReflectionFunction::isDeprecated() returns incorrect
     results for closures created from magic __call()). (timwolla)
+  . Fixed bug GH-17941 (Stack-use-after-return with lazy objects and hooks).
+    (nielsdos)
 
 - DOM:
   . Fixed bug GH-17991 (Assertion failure dom_attr_value_write). (nielsdos)

Zend/tests/lazy_objects/gh17941.phpt

@@ -0,0 +1,26 @@
+--TEST--
+GH-17941 (Stack-use-after-return with lazy objects and hooks)
+--FILE--
+<?php
+
+class SubClass {
+    public $prop {get => $this->prop; set($x) => $this->prop = $x;}
+}
+
+$rc = new ReflectionClass(SubClass::class);
+$obj = $rc->newLazyProxy(function ($object) {
+    echo "init\n";
+    return new SubClass;
+});
+
+function foo(SubClass $x) {
+    $x->prop = 1;
+    var_dump($x->prop);
+}
+
+foo($obj);
+
+?>
+--EXPECT--
+init
+int(1)

Zend/zend_object_handlers.c

@@ -1198,6 +1198,11 @@ lazy_init:;
 
 	variable_ptr = zend_std_write_property(zobj, name, &backup, cache_slot);
 	zval_ptr_dtor(&backup);
+
+	if (variable_ptr == &backup) {
+		variable_ptr = value;
+	}
+
 	return variable_ptr;
 }
 /* }}} */