Zend: Fix string leak in zend_update_property_string{,l} on write failure

The four zend_update_{,static_}property_string{,l} helpers built a
zval with refcount 0 and called the write path, expecting the
consumer to absorb the only reference. Failure paths (readonly,
asymmetric visibility, type mismatch, magic __set throw) returned
without consuming the value, leaking the zend_string at refcount 0.
Build the zval normally and zval_ptr_dtor it after the write.

Author: iliaal

Zend/zend_API.c

@@ -4984,8 +4984,8 @@ ZEND_API void zend_update_property_string(const zend_class_entry *scope, zend_ob
 	zval tmp;
 
 	ZVAL_STRING(&tmp, value);
-	Z_SET_REFCOUNT(tmp, 0);
 	zend_update_property(scope, object, name, name_length, &tmp);
+	zval_ptr_dtor(&tmp);
 }
 /* }}} */
 
@@ -4994,8 +4994,8 @@ ZEND_API void zend_update_property_stringl(const zend_class_entry *scope, zend_o
 	zval tmp;
 
 	ZVAL_STRINGL(&tmp, value, value_len);
-	Z_SET_REFCOUNT(tmp, 0);
 	zend_update_property(scope, object, name, name_length, &tmp);
+	zval_ptr_dtor(&tmp);
 }
 /* }}} */
 
@@ -5085,8 +5085,9 @@ ZEND_API zend_result zend_update_static_property_string(zend_class_entry *scope,
 	zval tmp;
 
 	ZVAL_STRING(&tmp, value);
-	Z_SET_REFCOUNT(tmp, 0);
-	return zend_update_static_property(scope, name, name_length, &tmp);
+	zend_result retval = zend_update_static_property(scope, name, name_length, &tmp);
+	zval_ptr_dtor(&tmp);
+	return retval;
 }
 /* }}} */
 
@@ -5095,8 +5096,9 @@ ZEND_API zend_result zend_update_static_property_stringl(zend_class_entry *scope
 	zval tmp;
 
 	ZVAL_STRINGL(&tmp, value, value_len);
-	Z_SET_REFCOUNT(tmp, 0);
-	return zend_update_static_property(scope, name, name_length, &tmp);
+	zend_result retval = zend_update_static_property(scope, name, name_length, &tmp);
+	zval_ptr_dtor(&tmp);
+	return retval;
 }
 /* }}} */