Description:
------------
In handle_mapping, there is code to handle the array merge tag (http://yaml.org/type/merge.html). The code assumes that it gets a reference, or an array of references, but that is not guaranteed by libyaml. In fact, it can be any value type, or an array of values.

In the "array of references" case, the current code just loops through the received array, dereferences all values it has (if they are references), and unconditionally casts them to array before supplying it to zend_hash_merge as a source parameter. If we supply an int, for example, that directly gets used as a pointer to a hash table, and after that, all bets are off.

It is exploitable much the same way as the spl_array unserialize exploit from 2014 (https://sektioneins.de/en/blog/14-08-27-unserialize-typeconfusion.html), so RCE can be achieved, if yaml_parse is ran on untrusted data, and ASLR is disabled, or circumvented another way.

The fix should be just "Z_TYPE_P(zvalp) == IS_ARRAY" somewhere in the foreach.

Test script:
---------------
yaml_parse("x:\n <<: [ 0xDEADBEEF ]");

Expected result:
----------------
The above code should throw a serialization error, or deserialize to array("x" => NULL)

Actual result:
--------------
It dumps a segfault with the following backtrace:

#0  0x00000000005a4668 in _zend_hash_merge (target=0x7ffff605f310, source=0xdeadbeef, pCopyConstructor=0x58e790 <zval_add_ref>, overwrite=0 '\000') at /home/alex/projects/php/php-src/Zend/zend_hash.c:1859
#1  0x000000000052ad96 in handle_mapping (state=0x7fffffffa4b8, retval=<optimized out>) at /home/alex/projects/php/php-src/ext/yaml/parse.c:419
#2  0x000000000052af58 in handle_mapping (state=0x7fffffffa4b8, retval=<optimized out>) at /home/alex/projects/php/php-src/ext/yaml/parse.c:391
#3  0x000000000052a7d2 in handle_document (state=0x7fffffffa4b8, retval=0x7fffffffa490) at /home/alex/projects/php/php-src/ext/yaml/parse.c:350
#4  php_yaml_read_partial (state=0x7fffffffa4b8, pos=0, ndocs=0x7fffffffa480, retval=0x7fffffffa490) at /home/alex/projects/php/php-src/ext/yaml/parse.c:176
#5  0x0000000000529af0 in zif_yaml_parse (execute_data=<optimized out>, return_value=0x7fffffffa748) at /home/alex/projects/php/php-src/ext/yaml/yaml.c:364
#6  0x000000000062b0d8 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x7ffff601c030) at /home/alex/projects/php/php-src/Zend/zend_vm_execute.h:738
#7  0x00000000005d3568 in execute_ex (ex=0x7ffff601c030) at /home/alex/projects/php/php-src/Zend/zend_vm_execute.h:59094
#8  0x00000000005d36d9 in zend_execute (op_array=0x7ffff607f2a0, return_value=0x0) at /home/alex/projects/php/php-src/Zend/zend_vm_execute.h:63125
#9  0x0000000000590ae4 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/alex/projects/php/php-src/Zend/zend.c:1490
#10 0x0000000000530e97 in php_execute_script (primary_file=0x7fffffffcb90) at /home/alex/projects/php/php-src/main/main.c:2550
#11 0x0000000000658003 in do_cli (argc=2, argv=<optimized out>) at /home/alex/projects/php/php-src/sapi/cli/php_cli.c:1002
#12 0x00000000006571ba in main (argc=2, argv=<optimized out>) at /home/alex/projects/php/php-src/sapi/cli/php_cli.c:1395