author | Nikita Popov <nikita.ppv@gmail.com> | 2020-09-02 10:13:42 +0200 |
---|---|---|
committer | Nikita Popov <nikita.ppv@gmail.com> | 2020-09-02 10:16:05 +0200 |
commit | a07c1f56aac1c0f6c8334760009b678cbf9d6138 (patch) | |
tree | 4ec12d59ded0eda808f43ec4d5911d51efd447c0 | |
parent | cd2afd99b1faa58c35a3807081e531cce0cd2311 (diff) | |
Fix infinite loop on string offset during by-ref list assign
There is a deeper underlying issue here, in that the opcodes violate
VM write-fetch safety, but let's fix the infinite loop first.
This fixes oss-fuzz #25352.
-rw-r--r-- | Zend/tests/list_assign_ref_string_offset_error.phpt | 16 | ||||
-rw-r--r-- | Zend/zend_execute.c | 1 |
2 files changed, 17 insertions, 0 deletions
diff --git a/Zend/tests/list_assign_ref_string_offset_error.phpt b/Zend/tests/list_assign_ref_string_offset_error.phpt
new file mode 100644
index 0000000000..c4e99d01a2
--- /dev/null
+++ b/Zend/tests/list_assign_ref_string_offset_error.phpt
@@ -0,0 +1,16 @@
+--TEST--
+String offset error during list() by-ref assignment
+--FILE--
+<?php
+
+$a = [0];
+$v = 'b';
+$i = 0;
+list(&$a[$i++]) = $v;
+
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: Cannot create references to/from string offsets in %s:%d
+Stack trace:
+#0 {main}
+ thrown in %s on line %d
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 0eb6639b2e..9a891273bc 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -1329,6 +1329,7 @@ static zend_never_inline ZEND_COLD void zend_wrong_string_offset(EXECUTE_DATA_D)
 msg = "Cannot create references to/from string offsets";
 break;
 }
+ opline++;
 }
 break;
 EMPTY_SWITCH_DEFAULT_CASE();
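Review bot: The added `opline++` carries no comment, and inside the hunk it reads as a bare pointer bump at the bottom of a block whose loop header and bound lie above the hunk, so a reader cannot see that it is the forward scan moving past an opline that does not consume the fetched var. A short comment would carry that intent, e.g. `opline++; /* this opline does not use the fetched var; keep scanning forward */`. Now that the scan can presumably run to its bound without any case matching, `msg` may keep its initial value when the loop exits; if that value is NULL, whatever formats the error after the scan needs a guard such as `ZEND_ASSERT(msg != NULL)` or a generic fallback message, which is worth confirming against the code below the hunk. The enclosing function `zend_wrong_string_offset` starts and ends outside the hunk.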