Fix ASSIGN_DIM to NEXT with rc=1 reference value

The reference wrapper was destroyed while value still pointed into
it and was later used to assign the ASSIGN_DIM return value. This
could be fixed either by moving the return value assignment earlier,
or by working with the value that has been stored in the array.
I'm going with the latter here, because that matches what the
non-NEXT codepath does via assign_to_variable more closely.

Fixes oss-fuzz #36807.

Author: nikic

Zend/tests/assign_dim_ref_free.phpt

@@ -0,0 +1,13 @@
+--TEST--
+Assigning rc=1 reference to next dim
+--FILE--
+<?php
+var_dump($ary[] = [&$x] = $x);
+var_dump($x);
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  &NULL
+}
+NULL

Zend/zend_vm_def.h

@@ -2527,8 +2527,8 @@ ZEND_VM_C_LABEL(try_assign_dim_array):
 			if (OP_DATA_TYPE == IS_CV || OP_DATA_TYPE == IS_VAR) {
 				ZVAL_DEREF(value);
 			}
-			variable_ptr = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
-			if (UNEXPECTED(variable_ptr == NULL)) {
+			value = zend_hash_next_index_insert(Z_ARRVAL_P(object_ptr), value);
+			if (UNEXPECTED(value == NULL)) {
 				zend_cannot_add_element();
 				ZEND_VM_C_GOTO(assign_dim_error);
 			} else if (OP_DATA_TYPE == IS_CV) {
@@ -2537,7 +2537,7 @@ ZEND_VM_C_LABEL(try_assign_dim_array):
 				}
 			} else if (OP_DATA_TYPE == IS_VAR) {
 				zval *free_op_data = EX_VAR((opline+1)->op1.var);
-				if (value != free_op_data) {
+				if (Z_ISREF_P(free_op_data)) {
 					if (Z_REFCOUNTED_P(value)) {
 						Z_ADDREF_P(value);
 					}