This report is related to a bug in PHP that has now been fixed and publicly disclosed. It was assigned CVE-2016-7412.
The details are at:
https://bugs.php.net/bug.php?id=72293
Disclosure was on Sep 15:
http://www.openwall.com/lists/oss-security/2016/09/15/10
Thanks!