Fix leak in SplObjectStorage unserialization

The result of php_var_unserialize always needs to be destroyed,
even if the call failed.

ext/spl/spl_observer.c

@@ -804,12 +804,14 @@ SPL_METHOD(SplObjectStorage, unserialize)
 		}
 		/* store reference to allow cross-references between different elements */
 		if (!php_var_unserialize(&entry, &p, s + buf_len, &var_hash)) {
+			zval_ptr_dtor(&entry);
 			goto outexcept;
 		}
 		if (*p == ',') { /* new version has inf */
 			++p;
 			if (!php_var_unserialize(&inf, &p, s + buf_len, &var_hash)) {
 				zval_ptr_dtor(&entry);
+				zval_ptr_dtor(&inf);
 				goto outexcept;
 			}
 		}

ext/standard/tests/serialize/unserialize_leak.phpt

@@ -0,0 +1,16 @@
+--TEST--
+Unserialize leak in SplObjectStorage
+--FILE--
+<?php
+
+$payload = 'C:16:"SplObjectStorage":113:{x:i:2;O:8:"stdClass":1:{},a:2:{s:4:"prev";i:2;s:4:"next";O:8:"stdClass":0:{}};r:7;,R:2;s:4:"next";;r:3;};m:a:0:{}}';
+try {
+    var_dump(unserialize($payload));
+} catch (Exception $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECTF--
+Notice: SplObjectStorage::unserialize(): Unexpected end of serialized data in %s on line %d
+Error at offset 24 of 113 bytes