Handle value being unset during dep

Author: Girgias

Zend/tests/offsets/null_offset_unset_via_error_handler.phpt

@@ -0,0 +1,19 @@
+--TEST--
+No UAF on null offset deprecation with unset value
+--FILE--
+<?php
+set_error_handler(function ($errno, $errstr) {
+    var_dump($errstr);
+    global $a;
+    unset($a);
+});
+
+$a = new stdClass;
+$b = [0, null => $a];
+
+echo "\nSuccess\n";
+?>
+--EXPECTF--
+string(72) "Using null as an array offset is deprecated, use an empty string instead"
+
+Success

Zend/zend_vm_def.h

@@ -6279,7 +6279,16 @@ ZEND_VM_C_LABEL(num_index):
 			offset = Z_REFVAL_P(offset);
 			ZEND_VM_C_GOTO(add_again);
 		} else if (UNEXPECTED(Z_TYPE_P(offset) == IS_NULL)) {
+			zval tmp;
+			if (OP1_TYPE == IS_CV || OP1_TYPE == IS_VAR) {
+				ZVAL_COPY(&tmp, expr_ptr);
+			}
 			zend_error(E_DEPRECATED, "Using null as an array offset is deprecated, use an empty string instead");
+			if (OP1_TYPE == IS_CV || OP1_TYPE == IS_VAR) {
+				/* A userland error handler can do funky things to the expression, so reset it */
+				zval_ptr_dtor(expr_ptr);
+				ZVAL_COPY_VALUE(expr_ptr, &tmp);
+			}
 			if (UNEXPECTED(EG(exception))) {
 				zval_ptr_dtor_nogc(expr_ptr);
 				HANDLE_EXCEPTION();