Remove the "o" serialization format

We never generate the "o" format during serialization, so let's not
keep this unnecessary attack surface around.

Author: nikic

UPGRADING

@@ -75,6 +75,10 @@ PHP 7.4 UPGRADE NOTES
     passed. Previously this would generate a recoverable fatal error on the
     next extraction operation.
 
+- Standard:
+  . The "o" serialization format has been removed. As it is never produced by
+    PHP, this may only break unserialization of manually crafted strings.
+
 ========================================
 2. New Features
 ========================================

ext/standard/var_unserializer.re

@@ -948,17 +948,6 @@ use_double:
 	return finish_nested_data(UNSERIALIZE_PASSTHRU);
 }
 
-"o:" uiv ":" ["] {
-	zend_long elements;
-    if (!var_hash) return 0;
-
-	elements = object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR);
-	if (elements < 0 || elements >= HT_MAX_SIZE) {
-		return 0;
-	}
-	return object_common2(UNSERIALIZE_PASSTHRU, elements);
-}
-
 object ":" uiv ":" ["]	{
 	size_t len, len2, len3, maxlen;
 	zend_long elements;