Description:
------------
Attempting to serialize a finalized HashContext segfaults. Looking at the php-src code, I suspect this is a use-after-free (so a potential security vulnerability): php_hash_serialize_spec() uses hash->context after it was efree()d in PHP_FUNCTION(hash_final).

I found the issue in PHP 8.0.8 (Ubuntu 21.10 Impish Indri). 3v4l DOT org SLASH dnXnr claims the issue is present in all PHP 8 versions, including master. (In PHP 7, HashContext is not serializable.)

Tested with 'sha256' and 'md5' algos (MD5 used in test script for brevity). I assume the actual hash algorithm is irrelevant.

Test script:
---------------
<?php

$h = hash_init('md5');
hash_final($h);
serialize($h);

OR:

php -r '$h=hash_init("md5");hash_final($h);serialize($h);'

Expected result:
----------------
Some kind of error, probably. I don’t think it’s necessary for a finalized HashContext to have a valid serialization, it just shouldn’t crash.

Actual result:
--------------
Top of internal stack trace (coredumpctl gdb; memory addresses redacted):

                Stack trace of thread 918674:
                #0  0x php_hash_serialize_spec (php8.0 + 0x)
                #1  0x n/a (php8.0 + 0x)
                #2  0x xdebug_execute_internal (xdebug.so + 0x)
                #3  0x zend_call_function (php8.0 + 0x)
                #4  0x zend_call_known_function (php8.0 + 0x)
                #5  0x n/a (php8.0 + 0x)
                #6  0x php_var_serialize (php8.0 + 0x)

Without xdebug enabled:

                Stack trace of thread 919029:
                #0  0x php_hash_serialize_spec (php8.0 + 0x)
                #1  0x n/a (php8.0 + 0x)
                #2  0x zend_call_function (php8.0 + 0x)
                #3  0x zend_call_known_function (php8.0 + 0x)
                #4  0x n/a (php8.0 + 0x)
                #5  0x php_var_serialize (php8.0 + 0x)