Integer overflow in gd_io.c in the GD Graphics Library before 2.2.4 allows remote attackers to have unspecified impact via vectors involving the number of horizontal and vertical chunks in an image. In all versions of PHP 7, during the unserialization process, resizing the "properties"; hash table of a serialized object may lead to use-after-free. A remote attacker may exploit this bug to gain arbitrary code execution. The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service via crafted serialized data that is mishandled in a finish_nested_data call. Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch. The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7.0.x before 7.0.15 and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service via an inapplicable class name in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call. It was found that the exif_convert_any_to_int function in PHP was vulnerable to floating point exceptions when parsing tags in image files. A remote attacker with the ability to upload a malicious image could crash PHP, causing a Denial of Service. Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service via a truncated manifest entry in a PHAR archive. The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library before 2.2.4 allows remote attackers to cause a denial of service via a crafted image file. Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain cases that require large array allocations, which allows remote attackers to execute arbitrary code or cause a denial of service via crafted serialized data.