Fix signed integer overflow in SplObjectStorage unserialization

If count is ZEND_LONG_MIN the count-- loop underflows. This is
ultimately harmless, but results in a ubsan warning.

Fix this by adding a sanity check that the count isn't negative,
because that doesn't make sense...

Author: nikic

ext/spl/spl_observer.c

@@ -787,6 +787,9 @@ SPL_METHOD(SplObjectStorage, unserialize)
 
 	--p; /* for ';' */
 	count = Z_LVAL_P(pcount);
+	if (count < 0) {
+		goto outexcept;
+	}
 
 	ZVAL_UNDEF(&entry);
 	ZVAL_UNDEF(&inf);

ext/standard/tests/serialize/splobjectstorage_negative_count.phpt

@@ -0,0 +1,15 @@
+--TEST--
+OSS-Fuzz: Unserializing SplObjectStorage with negative number of elements
+--FILE--
+<?php
+
+$str = 'C:16:"SplObjectStorage":25:{x:i:-9223372036854775808;}';
+try {
+    var_dump(unserialize($str));
+} catch (Exception $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Error at offset 24 of 25 bytes