PHP versions 5.4.40, 5.5.24 and 5.6.8 provide a fix for a NULL pointer dereference leading to an application crash in ext/ereg/regex/regcomp.c. From the upstream bug:

"""
An explicit null dereference happens in /ext/ereg/regex/regcomp.c:

    140 g->setbits = NULL;

then this is called:

    167 categorize(p, g);

which does this:

    1326 if (cats[c] == 0 && isinsets(g, c)) {

And then the isinsets function does this:

    1279 for (i = 0, col = g->setbits; i < ncols; i++, col += g->csetsize)
    1280     if (col[uc] != 0)
    1281         return(1);

which will cause a crash.
"""

Upstream fix: http://git.php.net/?p=php-src.git;a=commitdiff;h=124fb22a13fafa3648e4e15b4f207c7096d8155e
Upstream bug: https://bugs.php.net/bug.php?id=68740
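A small C model of the data path quoted above, added here as an illustration and not taken from PHP's regcomp.c: the struct `re_guts_model`, the set layout (one byte per character per column) and the helper names are assumptions, and the NULL guard in `isinsets_guarded` is a defensive pattern, not a claim about what the upstream commit changed. It shows the quoted loop walking `g->setbits`, why it is only safe once the sets have been allocated, and how a guard makes the "setbits still NULL" state return "not in any set" instead of dereferencing NULL.

```c
/* Model of the regcomp.c path from the bug report (added illustration, not PHP code). */
#include <stdlib.h>

#define MODEL_CSETSIZE 256   /* bytes per set column: one byte per character (assumed layout) */

struct re_guts_model {
    unsigned char *setbits;  /* NULL right after the "g->setbits = NULL" at regcomp.c:140 */
    int csetsize;            /* bytes per column */
    int ncols;               /* number of columns to scan (ncsets / CHAR_BIT in the real code) */
};

/* The loop as quoted from isinsets(): reads through g->setbits with no check. */
static int isinsets_quoted(const struct re_guts_model *g, int c) {
    unsigned char uc = (unsigned char)c;
    const unsigned char *col;
    int i;
    for (i = 0, col = g->setbits; i < g->ncols; i++, col += g->csetsize)
        if (col[uc] != 0)
            return 1;
    return 0;
}

/* Guarded variant: with no set storage, no character can be in a set. */
static int isinsets_guarded(const struct re_guts_model *g, int c) {
    if (g->setbits == NULL)
        return 0;
    return isinsets_quoted(g, c);
}

/* Allocate the set storage; in the real compiler this happens before categorize()
 * runs, which is why comment 6 considers the crash unreachable in practice. */
static int allocsets_model(struct re_guts_model *g, int ncols) {
    g->csetsize = MODEL_CSETSIZE;
    g->ncols = ncols;
    g->setbits = calloc((size_t)ncols * MODEL_CSETSIZE, 1);
    return g->setbits != NULL;
}

static void mark_in_set(struct re_guts_model *g, int colidx, int c) {
    g->setbits[(size_t)colidx * (size_t)g->csetsize + (unsigned char)c] = 1;
}

/* Walk the two states: columns counted but setbits NULL (the state at line 140),
 * then allocated with 'a' placed in column 1. Returns 1 if behaviour is as expected. */
static int scenario(void) {
    struct re_guts_model g = { NULL, MODEL_CSETSIZE, 2 };
    int before = isinsets_guarded(&g, 'a');     /* 0; isinsets_quoted would crash here */
    if (!allocsets_model(&g, 2)) return -1;
    mark_in_set(&g, 1, 'a');
    int hit = isinsets_quoted(&g, 'a');         /* 1: found in column 1 */
    int miss = isinsets_quoted(&g, 'b');        /* 0: in no column */
    free(g.setbits);
    return before == 0 && hit == 1 && miss == 0;
}
```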
Created php tracking bugs for this issue: Affects: fedora-all [bug 1213456]
php-5.6.8-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
php-5.6.8-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
php-5.5.24-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This NULL dereference does not seem practically reachable, as I noted in the upstream bug: https://bugs.php.net/bug.php?id=68740#1432845447

g->setbits is allocated before it can be dereferenced in isinsets().