Malformed input to the xmlrpc_decode function can cause an out-of-bounds read in the base64 code.
This is fixed in the latest updates of PHP (7.3.1 etc.).
Report:
https://bugs.php.net/bug.php?id=77380
If the attacker has access to the decoded output, this may leak memory contents.