Fix hooked object properties overflow

The computed number of properties using zend_hash_num_elements(zobj->properties)
is incorrect when the object contains virtual properties. We don't have a
trivial way to find the number of properties virtual properties that need to be
added to this number, so just append with zend_hash_add_new() instead.

Fixes phpGH-20479
Closes phpGH-20988

Author: ndossche

NEWS

@@ -15,6 +15,7 @@ PHP                                                                        NEWS
   . Fix OSS-Fuzz #438780145 (Nested finally with repeated return type check may
     uaf). (ilutov)
   . Fixed bug GH-20905 (Lazy proxy bailing __clone assertion). (ilutov)
+  . Fixed bug GH-20479 (Hooked object properties overflow). (ndossche)
 
 - Date:
   . Update timelib to 2022.16. (Derick)

Zend/tests/property_hooks/gh20479.phpt

@@ -0,0 +1,40 @@
+--TEST--
+GH-20479: Hooked object properties overflow
+--CREDITS--
+Viet Hoang Luu (@vi3tL0u1s)
+--FILE--
+<?php
+
+#[AllowDynamicProperties]
+class Trigger {
+    public $a = 'x';
+    public $b = 'x';
+    public $c = 'x';
+    public $d = 'x';
+    public $e = 'x';
+    public $f = 'x';
+    public string $trigger {
+      get {
+        return 'trigger';
+      }
+    }
+}
+
+$obj = new Trigger();
+// Add 2 dynamic props
+$obj->g = $obj->h = 'x';
+var_export($obj);
+
+?>
+--EXPECT--
+\Trigger::__set_state(array(
+   'a' => 'x',
+   'b' => 'x',
+   'c' => 'x',
+   'd' => 'x',
+   'e' => 'x',
+   'f' => 'x',
+   'trigger' => 'trigger',
+   'h' => 'x',
+   'g' => 'x',
+))

Zend/zend_property_hooks.c

@@ -121,7 +121,7 @@ static zend_array *zho_build_properties_ex(zend_object *zobj, bool check_access,
 			if (Z_TYPE_P(prop_value) == IS_INDIRECT) {
 				continue;
 			}
-			zval *tmp = _zend_hash_append(properties, prop_name, prop_value);
+			zval *tmp = zend_hash_add_new(properties, prop_name, prop_value);
 			Z_TRY_ADDREF_P(tmp);
 		} ZEND_HASH_FOREACH_END();
 	}