Information

In SplObjectStorage::unserialize, a pointer to an uninitialized variable is passed to php_var_unserialize, which may lead to code execution.

In SplObjectStorage::unserialize, the local variables entry and inf are declared on the stack without being initialized. Each of them is then passed as the first argument (rval) to php_var_unserialize,
which ultimately invokes php_var_unserialize_internal with the same arguments.
In php_var_unserialize_internal, if the parsed element is a reference (R:), zval_ptr_dtor is invoked on the given pointer, i.e. on the still-uninitialized variable, so the destructor operates on whatever stale contents that stack slot holds.
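A minimal C model of the pattern described above, added here as an illustration and not code from the PHP source tree: a toy zval type, an instrumented stand-in for zval_ptr_dtor that reports rather than dereferences an unrecognised tag, a stand-in for the R: branch, and two callers, one handing the unserializer an uninitialized stack slot (stale contents modelled by an explicit 0xAA fill, since real uninitialized reads are undefined behaviour) and one that marks the slot UNDEF first. All names (toy_zval, toy_zval_ptr_dtor, toy_unserialize_reference, caller_*) are constructed for this example; initialising the out-variable to UNDEF before it can reach the destructor is one natural mitigation and is not claimed to be the upstream fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of an engine value slot: a type tag plus a payload.  The tag
 * names echo the engine's IS_* constants but this is a constructed stand-in,
 * not Zend's real definitions. */
enum toy_type { TOY_UNDEF = 0, TOY_LONG = 1, TOY_STRING = 2, TOY_REFERENCE = 3 };

typedef struct {
    enum toy_type type;
    union { long lval; char *str; } value;
} toy_zval;

/* What the instrumented destructor did, so callers can be compared without
 * ever touching garbage memory. */
typedef struct {
    int frees;        /* real heap frees performed on a known owning type */
    int bogus_dtors;  /* destructor reached with a tag no code path ever wrote */
} dtor_stats;

/* Instrumented stand-in for zval_ptr_dtor.  A known owning type releases its
 * payload; an unknown tag is only counted.  The real engine has no such
 * guard: it acts on the tag and pointer it finds in the slot. */
static void toy_zval_ptr_dtor(toy_zval *z, dtor_stats *st) {
    switch (z->type) {
    case TOY_UNDEF:
    case TOY_LONG:
    case TOY_REFERENCE:
        break;                 /* nothing owned in this toy model */
    case TOY_STRING:
        free(z->value.str);
        st->frees++;
        break;
    default:
        st->bogus_dtors++;     /* stale stack contents reached the destructor */
        break;
    }
}

/* Stand-in for the R: branch: the engine destroys whatever *rval currently
 * holds before installing the reference, which is the step the report is about. */
static void toy_unserialize_reference(toy_zval *rval, long target_id, dtor_stats *st) {
    toy_zval_ptr_dtor(rval, st);
    rval->type = TOY_REFERENCE;
    rval->value.lval = target_id;
}

/* Pattern from the report: out-variable declared on the stack and handed to
 * the unserializer uninitialised.  Returns the number of bogus destructor calls. */
int caller_uninitialised(void) {
    dtor_stats st = {0, 0};
    toy_zval entry;
    memset(&entry, 0xAA, sizeof entry);   /* constructed: models leftover stack bytes */
    toy_unserialize_reference(&entry, 1, &st);
    return st.bogus_dtors;                /* 1: the 0xAA tag is not a known type */
}

/* Hardened pattern: mark the slot UNDEF before it can reach the destructor. */
int caller_initialised(void) {
    dtor_stats st = {0, 0};
    toy_zval entry;
    entry.type = TOY_UNDEF;
    toy_unserialize_reference(&entry, 1, &st);
    return st.bogus_dtors;                /* 0: UNDEF is a valid, non-owning tag */
}

/* Legitimate case the R: branch exists for: a slot that already owns a string
 * is released exactly once before being overwritten.  Returns the free count. */
int caller_string_overwritten(void) {
    dtor_stats st = {0, 0};
    toy_zval entry;
    entry.type = TOY_STRING;
    entry.value.str = malloc(8);
    strcpy(entry.value.str, "old");
    toy_unserialize_reference(&entry, 1, &st);
    return st.frees;                      /* 1 */
}

int main(void) {
    printf("uninitialised slot:  %d bogus destructor call(s)\n", caller_uninitialised());
    printf("UNDEF-initialised:   %d bogus destructor call(s)\n", caller_initialised());
    printf("owned string slot:   %d legitimate free(s)\n", caller_string_overwritten());
    return 0;
}
```

The instrumented default branch is the only thing separating this model from the real engine: there, the destructor trusts the tag and pointer it finds, so the outcome depends entirely on what the compiler left in that stack slot, which is why the report notes that the behaviour varies with optimisation level.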

This issue may lead to memory corruption and undefined behavior (I think it can lead to remote code execution but don’t have a demo yet).

Since the values of uninitialized variables depend on optimization, no test script is provided. However, I did manage to crash it randomly on Ubuntu 16.04 x86-64.

References:
https://bugs.php.net/bug.php?id=73257