Fix ref source management during unserialization

Only register the slot for adding ref sources later if we didn't
immediately register one. Also avoids leaking a ref source if
it is added early and the assignment fails.

Fixes oss-fuzz #27628.

Author: nikic

ext/standard/tests/serialize/typed_property_ref_assignment_failure.phpt

@@ -0,0 +1,21 @@
+--TEST--
+Failure to assign ref to typed property
+--FILE--
+<?php
+
+class Test {
+    public int $prop;
+}
+
+$s = <<<'STR'
+O:4:"Test":1:{s:4:"prop";O:8:"stdClass":1:{s:1:"y";R:2;}}
+STR;
+try {
+    var_dump(unserialize($s));
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Cannot assign stdClass to property Test::$prop of type int

ext/standard/var_unserializer.re

@@ -560,17 +560,6 @@ string_key:
 						Z_TRY_DELREF_P(old_data);
 						ZVAL_COPY_VALUE(old_data, &d);
 						data = old_data;
-
-						if (UNEXPECTED(info)) {
-							/* Remember to which property this slot belongs, so we can add a
-							 * type source if it is turned into a reference lateron. */
-							if (!(*var_hash)->ref_props) {
-								(*var_hash)->ref_props = emalloc(sizeof(HashTable));
-								zend_hash_init((*var_hash)->ref_props, 8, NULL, NULL, 0);
-							}
-							zend_hash_index_update_ptr(
-								(*var_hash)->ref_props, (zend_uintptr_t) data, info);
-						}
 					} else {
 						var_push_dtor(var_hash, old_data);
 						data = zend_hash_update_ind(ht, Z_STR(key), &d);
@@ -600,8 +589,18 @@ string_key:
 				zval_ptr_dtor_nogc(&key);
 				goto failure;
 			}
+
 			if (Z_ISREF_P(data)) {
 				ZEND_REF_ADD_TYPE_SOURCE(Z_REF_P(data), info);
+			} else {
+				/* Remember to which property this slot belongs, so we can add a
+				 * type source if it is turned into a reference lateron. */
+				if (!(*var_hash)->ref_props) {
+					(*var_hash)->ref_props = emalloc(sizeof(HashTable));
+					zend_hash_init((*var_hash)->ref_props, 8, NULL, NULL, 0);
+				}
+				zend_hash_index_update_ptr(
+					(*var_hash)->ref_props, (zend_uintptr_t) data, info);
 			}
 		}