Merge branch 'PHP-7.2' into PHP-7.3

Author: nikic

ext/spl/spl_observer.c

@@ -783,6 +783,9 @@ SPL_METHOD(SplObjectStorage, unserialize)
 
 	--p; /* for ';' */
 	count = Z_LVAL_P(pcount);
+	if (count < 0) {
+		goto outexcept;
+	}
 
 	ZVAL_UNDEF(&entry);
 	ZVAL_UNDEF(&inf);

ext/standard/tests/serialize/splobjectstorage_negative_count.phpt

@@ -0,0 +1,15 @@
+--TEST--
+OSS-Fuzz: Unserializing SplObjectStorage with negative number of elements
+--FILE--
+<?php
+
+$str = 'C:16:"SplObjectStorage":25:{x:i:-9223372036854775808;}';
+try {
+    var_dump(unserialize($str));
+} catch (Exception $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Error at offset 24 of 25 bytes