authorNikita Popov <nikita.ppv@gmail.com>2019-01-22 18:07:46 +0100
committerNikita Popov <nikita.ppv@gmail.com>2019-01-22 18:09:49 +0100
commit89a4c172e24d7eb2be7f272a6075634a14f1d791 (patch)
tree1fa31590502fe401e6625e097192a145686912f9
parent0daebf9a016065dcdea7f5b1cc55516231e532be (diff)
Remove the "o" serialization format
We never generate the "o" format during serialization, so let's not keep this unnecessary attack surface around.
-rw-r--r--UPGRADING4
-rw-r--r--ext/standard/var_unserializer.re11
2 files changed, 4 insertions, 11 deletions
diff --git a/UPGRADING b/UPGRADING
index 768298159d..4e8507b641 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -75,6 +75,10 @@ PHP 7.4 UPGRADE NOTES
passed. Previously this would generate a recoverable fatal error on the
next extraction operation.
+- Standard:
+ . The "o" serialization format has been removed. As it is never produced by
+ PHP, this may only break unserialization of manually crafted strings.
+
========================================
2. New Features
========================================
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index 8dad71450e..5193a0ab41 100644
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -948,17 +948,6 @@ use_double:
return finish_nested_data(UNSERIALIZE_PASSTHRU);
}
-"o:" uiv ":" ["] {
- zend_long elements;
- if (!var_hash) return 0;
-
- elements = object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR);
- if (elements < 0 || elements >= HT_MAX_SIZE) {
- return 0;
- }
- return object_common2(UNSERIALIZE_PASSTHRU, elements);
-}
-
object ":" uiv ":" ["] {
size_t len, len2, len3, maxlen;
zend_long elements;