
Commit 25360ef

Detect heap freelist corruption (#14054)
We keep track of free slots by organizing them in a linked list, with the first word of every free slot being a pointer to the next one. In order to make corruptions more difficult to exploit, we check the consistency of these pointers before dereferencing them by comparing them with a shadow. The shadow is a copy of the pointer, stored at the end of the slot. Before this change, an off-by-1 write is enough to produce a valid freelist pointer. After this change, a bigger out-of-bounds write is required for that. The difficulty is increased further by mangling the shadow with a secret and byte-swapping it, which increases the minimal required out-of-bounds write length. Closes GH-14054
1 parent d1048a0 commit 25360ef
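The shadow check the commit message describes, modelled as a stand-alone C freelist (an added example, not zend_mm's own code): the 32-byte slot size, the fixed secret, and the accessor names are assumptions, and the real allocator draws its secret from zend_random_bytes_insecure and lays out its bins differently.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SLOT_SIZE 32  /* bytes per free slot; constructed, not zend_mm's bin sizes */
#define NUM_SLOTS 4
/* Secret that mangles the shadow: the commit draws it from zend_random_bytes_insecure, here a fixed constructed value. */
static const uintptr_t shadow_key = (uintptr_t)0x5A17C0DEBEEF1234ULL;
/* Reverse the byte order of a pointer-sized word. */
static uintptr_t byteswap_word(uintptr_t v) {
    unsigned char b[sizeof v];
    memcpy(b, &v, sizeof v);
    for (size_t i = 0; i < sizeof v; i++) ((unsigned char *)&v)[i] = b[sizeof v - 1 - i];
    return v;
}
/* shadow = byteswap(next ^ key): the byte an overflow reaches first in `next` sits at the far end of the shadow. */
static uintptr_t mangle(uintptr_t next) { return byteswap_word(next ^ shadow_key); }
/* First word of a slot holds the next pointer; last word holds its shadow. */
static uintptr_t *next_of(unsigned char *s)   { return (uintptr_t *)s; }
static uintptr_t *shadow_of(unsigned char *s) { return (uintptr_t *)(s + SLOT_SIZE - sizeof(uintptr_t)); }
/* Thread every slot of `arena` into a freelist; returns the head slot. */
static unsigned char *freelist_init(unsigned char *arena, size_t nslots) {
    for (size_t i = 0; i < nslots; i++) {
        unsigned char *slot = arena + i * SLOT_SIZE;
        unsigned char *next = (i + 1 < nslots) ? slot + SLOT_SIZE : NULL;
        *next_of(slot)   = (uintptr_t)next;
        *shadow_of(slot) = mangle((uintptr_t)next);
    }
    return arena;
}
/* Pop the head slot into *out; false (list untouched) when next pointer and shadow disagree. */
static bool freelist_pop(unsigned char **head, unsigned char **out) {
    unsigned char *slot = *head;
    if (slot == NULL || mangle(*next_of(slot)) != *shadow_of(slot)) return false;
    *head = (unsigned char *)*next_of(slot);
    *out = slot;
    return true;
}
/* Scenario: a one-byte overflow from an allocated slot lands on the next free slot's pointer.
 * Returns 0 if the corruption is caught, otherwise the number of the failing step. */
int freelist_selfcheck(void) {
    uintptr_t storage[SLOT_SIZE * NUM_SLOTS / sizeof(uintptr_t)];
    unsigned char *arena = (unsigned char *)storage, *head, *got = NULL;
    head = freelist_init(arena, NUM_SLOTS);
    if (!freelist_pop(&head, &got) || got != arena) return 1;  /* clean pop works */
    got[SLOT_SIZE] ^= 0x01;                                    /* off-by-one write past got */
    if (freelist_pop(&head, &got)) return 2;                   /* must be caught */
    return head == arena + SLOT_SIZE ? 0 : 3;                  /* list left intact */
}
```

Without the byte swap, a one-byte overflow into `next` could be matched by a one-byte overflow into the same position of the shadow; with it, the matching shadow byte is at the opposite end of the word.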

2 files changed: +199 −17 lines

Zend/zend.c

Lines changed: 2 additions & 1 deletion
@@ -914,7 +914,8 @@ void zend_startup(zend_utility_functions *utility_functions) /* {{{ */
914914
php_win32_cp_set_by_id(65001);
915915
#endif
916916

917-
/* Set up early utility functions. */
917+
/* Set up early utility functions. zend_mm depends on
918+
* zend_random_bytes_insecure */
918919
zend_random_bytes = utility_functions->random_bytes_function;
919920
zend_random_bytes_insecure = utility_functions->random_bytes_insecure_function;
920921

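Review bot: the new comment records that zend_mm depends on zend_random_bytes_insecure, but nothing in this hunk says what goes wrong if the heap is touched before this assignment runs, and a NULL function pointer here would only surface as a crash inside the allocator. Consider spelling out the consequence in the comment (e.g. `* zend_random_bytes_insecure, which it uses to derive the freelist shadow secret, so this must run before the heap is used. */`) and, since `utility_functions` is caller-supplied, asserting that `random_bytes_insecure_function` is non-NULL at this point rather than relying on the first allocation to find out.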
0 commit comments
