The pcre_exec() function generates a list of offsets, each consisting of a start and an end position within the subject string. Throughout the code it is often assumed that for each offset, the start position is smaller than or equal to the end position. However, certain regular expressions break this assumption. This can lead to denial-of-service, or possibly to remote code execution.
Upstream report:
https://bugs.php.net/bug.php?id=70345
Upstream patch:
http://git.php.net/?p=php-src.git;a=commit;h=03964892c054d0c736414c10b3edc7a40318b975