Exploiting PHP-7 unserialize - Check Point Software
When the engine creates a new string, it allocates enough bytes for the zend_string struct plus the size of the string. Then, it fills the struct’s fields with the data of the string (refcount, length) and appends the content of the string to the end of the struct. The access to the string uses the good old flexible array member .
c# xmlserializer deserialize example