Bug 32067 - SIGSEGV of mod_rewrite on AMD Opteron
Summary: SIGSEGV of mod_rewrite on AMD Opteron
Status: RESOLVED DUPLICATE of bug 31858
Alias: None
Product: Apache httpd-1.3
Classification: Unclassified
Component: mod_rewrite
Version: HEAD
Hardware: PC Linux
Importance: P3 critical
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2004-11-04 21:40 UTC by Glenn Strauss
Modified: 2004-11-16 19:05 UTC

Description Glenn Strauss 2004-11-04 21:40:36 UTC
mod_rewrite in Apache 1.3.33 (only up to 1.3.31 is listed in Bugzilla) crashes
with a NULL pointer dereference on a dual AMD Opteron machine running Fedora
Core 3 test 3.

Steps to reproduce (always reproducible):

cd /var/tmp/gs
tar xvzf apache_1.3.33.tar.gz
cd apache_1.3.33
CC="gcc -g" ./configure --prefix=/var/tmp/gs/apache --enable-module=rewrite --enable-shared=rewrite
perl -pi -e 's/CFLAGS1=/CFLAGS1=-g/' `find . -name Makefile`
make
make install

Entire contents of conf/httpd.conf:

ServerType standalone
ServerRoot "/var/tmp/gs/apache"
PidFile /var/tmp/gs/httpd-test.pid
ScoreBoardFile /var/tmp/gs/httpd-test.scoreboard
BindAddress 127.0.0.1
Port 8080
User gs
Group gs
ResourceConfig /dev/null
AccessConfig /dev/null
ErrorLog  /dev/null
CoreDumpDirectory /var/tmp/gs

LoadModule rewrite_module     libexec/mod_rewrite.so

ClearModuleList
AddModule mod_rewrite.c
AddModule mod_so.c

#DocumentRoot /var/www
ErrorDocument 404 /error.html
RewriteEngine on
RewriteRule !^/(error.html|another1.html)$ /nonexistent.html [L]


At the command line:
]$ bin/httpd -X &
]$ telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
GET /bogus HTTP/1.0
Host: bogus
 
Connection closed by foreign host.
[1]+  Segmentation fault      (core dumped) bin/httpd -X &



Backtrace of core:

(gdb) target core core.12956
Core was generated by `bin/httpd -X'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib64/tls/libm.so.6...done.
Loaded symbols for /lib64/tls/libm.so.6
Reading symbols from /lib64/libcrypt.so.1...done.
Loaded symbols for /lib64/libcrypt.so.1
Reading symbols from /usr/lib64/libgdbm.so.2...done.
Loaded symbols for /usr/lib64/libgdbm.so.2
Reading symbols from /usr/lib64/libexpat.so.0...done.
Loaded symbols for /usr/lib64/libexpat.so.0
Reading symbols from /lib64/libdl.so.2...done.
Loaded symbols for /lib64/libdl.so.2
Reading symbols from /lib64/tls/libc.so.6...done.
Loaded symbols for /lib64/tls/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib64/libnss_files.so.2...done.
Loaded symbols for /lib64/libnss_files.so.2
Reading symbols from /lib64/libnss_dns.so.2...done.
Loaded symbols for /lib64/libnss_dns.so.2
Reading symbols from /lib64/libresolv.so.2...done.
Loaded symbols for /lib64/libresolv.so.2
Reading symbols from /var/tmp/gs/apache/libexec/mod_rewrite.so...done.
Loaded symbols for /var/tmp/gs/apache/libexec/mod_rewrite.so
#0  0x00000000004551c6 in sslow (m=0x7fbfffcf10, start=0x0, stop=0x594348 "/bogus", startst=31, stopst=33) at engine.c:728
728             register int c = (start == m->beginp) ? OUT : *(start-1);
(gdb) bt
#0  0x00000000004551c6 in sslow (m=0x7fbfffcf10, start=0x0, stop=0x594348 "/bogus", startst=31, stopst=33) at engine.c:728
#1  0x00000000004540b6 in sdissect (m=0x7fbfffcf10, start=0x594348 "/bogus", stop=0x594348 "/bogus", startst=1, stopst=33) at engine.c:360
#2  0x0000000000453991 in smatcher (g=0x58e610, string=0x594348 "/bogus", nmatch=10, pmatch=0x7fbfffd090, eflags=0) at engine.c:157
#3  0x000000000045833c in regexec (preg=0x580828, string=0x594348 "/bogus", nmatch=10, pmatch=0x7fbfffd090, eflags=0) at regexec.c:138
#4  0x0000000000440fbb in ap_regexec (preg=0x580828, string=0x594348 "/bogus", nmatch=10, pmatch=0x7fbfffd090, eflags=0) at util.c:331
#5  0x0000002a9578df2e in apply_rewrite_rule (r=0x593220, p=0x580280, perdir=0x0) at mod_rewrite.c:1861
#6  0x0000002a9578da9b in apply_rewrite_list (r=0x593220, rewriterules=0x580260, perdir=0x0) at mod_rewrite.c:1698
#7  0x0000002a9578c816 in hook_uri2file (r=0x593220) at mod_rewrite.c:1093
#8  0x0000000000427065 in run_method (r=0x593220, offset=0, run_all=0) at http_config.c:327
#9  0x00000000004270cd in ap_translate_name (r=0x593220) at http_config.c:339
#10 0x000000000043e6f2 in process_request_internal (r=0x593220) at http_request.c:1192
#11 0x000000000043eae9 in ap_process_request (r=0x593220) at http_request.c:1314
#12 0x00000000004350fe in child_main (child_num_arg=0) at http_main.c:4786
#13 0x0000000000435316 in make_child (s=0x57f0b0, slot=0, now=1099603704) at http_main.c:4901
#14 0x0000000000435495 in startup_children (number_to_start=5) at http_main.c:4983
#15 0x0000000000435bb8 in standalone_main (argc=2, argv=0x7fbffff9b8) at http_main.c:5315
#16 0x00000000004363a1 in main (argc=2, argv=0x7fbffff9b8) at http_main.c:5657


Before narrowing down to the above for reproducibility, in my much more complex
setup, if I varied the rewrite rule, the problem would disappear.  It only
triggered when there were two .html entries ^(xxx.html|xxxxx.html)$ in the
rewrite rule; it did not happen with ^(error.html|robots.txt)$.  It also varied
on the length of the rules: ^(error.html|another.html)$ worked, while
^(error.html|another1.html)$ crashed.  Varying the rewrite rule in the simple
reproducible steps above was not done; I'm out of tuits at the moment.
Comment 1 André Malo 2004-11-04 21:56:39 UTC
Looks like the same problem. The hregex lib is not 64 bit compatible.

*** This bug has been marked as a duplicate of 31858 ***
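
Comment 1 attributes the crash to the bundled regex library not being 64-bit compatible, and the report notes that the crash appears only once the pattern grows by one character (the backtrace shows stopst=33). The following is an added illustration, not code from the regex library or from this bug report: it shows one common form of such a defect, a 64-bit state set whose bit masks are built from a 32-bit int constant. That this is the defect behind bug 31858, the helper names, and the emulated x86 shift behaviour are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: uint64_t stands in for a `long` state set on an LP64 system. */
typedef uint64_t stateset;

/* Correct mask: the constant is widened before shifting. */
static stateset mask_wide(unsigned n) { return (stateset)1 << n; }

/* Mask as an int-typed `1 << n` typically behaves on x86-64 (assumption:
 * the real expression is undefined for n >= 31, so it is emulated here with
 * defined operations: shift count taken mod 32, result sign-extended). */
static stateset mask_narrow(unsigned n) {
    int32_t m = (int32_t)(UINT32_C(1) << (n % 32));
    return (stateset)(int64_t)m;
}

/* First state whose narrow mask differs from the wide one, or -1 if none. */
static int first_bad_state(unsigned nstates) {
    for (unsigned n = 0; n < nstates; n++)
        if (mask_narrow(n) != mask_wide(n))
            return (int)n;
    return -1;
}

/* Does setting state `a` with narrow masks also make state `b` look set? */
static int aliases(unsigned a, unsigned b) {
    stateset v = 0;
    v |= mask_narrow(a);
    return (v & mask_narrow(b)) != 0;
}

int main(void) {
    /* 34 states (0..33) corresponds to stopst=33 in the backtrace. */
    printf("31 states: first bad state = %d\n", first_bad_state(31));
    printf("34 states: first bad state = %d\n", first_bad_state(34));
    printf("state 33 aliases state 1: %d\n", aliases(33, 1));
    return 0;
}
```

Under these assumptions a pattern that needs at most 31 states is matched correctly, while one more state corrupts the set, which is consistent with the length-dependent behaviour described in the report.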