CVE-2006-7224 initially described several integer overflows in pcre, all described here: http://scary.beasts.org/security/CESA-2007-006.html This id should be used to describe issue #2 in that advisory: 2) Uncharacterized crash researching item #1 above: Demo: (?P<0>)(?P<1>)...fill in this sequence...(?P<3999>) This does not trigger the integer overflow present in #1 above, but still crashes with a serious-looking memory error of some kind - possibly a buffer overflow.
Reference in PCRE changelog for version 6.2: 5. Named capturing subpatterns were not being correctly counted when a pattern was compiled. This caused two problems: (a) If there were more than 100 such subpatterns, the calculation of the memory needed for the whole compiled pattern went wrong, leading to an overflow error. (b) Numerical back references of the form \12, where the number was greater than 9, were not recognized as back references, even though there were sufficient previous subpatterns.
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2007-1052.html