CVE-2020-1898

The fb_unserialize function did not impose a depth limit for nested
deserialization. That meant a maliciously constructed string could cause
deserialization to recurse, leading to stack exhaustion. This issue
affected HHVM prior to v4.32.3, between versions 4.33.0 and 4.56.0, 4.57.0,
4.58.0, 4.58.1, 4.59.0, 4.60.0, 4.61.0, 4.62.0.