Stefan Esser of e-matters discovered a condition within PHP
that may lead to remote execution of arbitrary code. The
memory_limit facility is used to notify functions when memory
contraints have been met. Under certain conditions, the entry
into this facility is able to interrupt functions such as
zend_hash_init() at locations not suitable for interruption.
The result would leave these functions in a vulnerable state.
An attacker that is able to trigger the memory_limit abort
within zend_hash_init() and is additionally able to control
the heap before the HashTable itself is allocated, is able to
supply his own HashTable destructor pointer. [...]
All mentioned places outside of the extensions are quite easy
to exploit, because the memory allocation up to those places
is deterministic and quite static throughout different PHP
versions. [...]
Because the exploit itself consist of supplying an arbitrary
destructor pointer this bug is exploitable on any platform.