mod_rewrite in Apache 1.3.33 (only up to 1.3.31 is listed in Bugzilla) crashes with a NULL pointer dereference on a dual AMD Opteron machine running Fedora Core 3 test 3.

Steps to reproduce (always reproducible):

    cd /var/tmp/gs
    tar xvzf apache_1.3.33.tar.gz
    cd apache_1.3.33
    CC="gcc -g" ./configure --prefix=/var/tmp/gs/apache --enable-module=rewrite --enable-shared=rewrite
    perl -pi -e 's/CFLAGS1=/CFLAGS1=-g/' `find . -name Makefile`
    make
    make install

Entire contents of conf/httpd.conf:

    ServerType standalone
    ServerRoot "/var/tmp/gs/apache"
    PidFile /var/tmp/gs/httpd-test.pid
    ScoreBoardFile /var/tmp/gs/httpd-test.scoreboard
    BindAddress 127.0.0.1
    Port 8080
    User gs
    Group gs
    ResourceConfig /dev/null
    AccessConfig /dev/null
    ErrorLog /dev/null
    CoreDumpDirectory /var/tmp/gs
    LoadModule rewrite_module libexec/mod_rewrite.so
    ClearModuleList
    AddModule mod_rewrite.c
    AddModule mod_so.c
    #DocumentRoot /var/www
    ErrorDocument 404 /error.html
    RewriteEngine on
    RewriteRule !^/(error.html|another1.html)$ /nonexistent.html [L]

At the command line:

    ]$ bin/httpd -X &
    ]$ telnet localhost 8080
    Trying 127.0.0.1...
    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    GET /bogus HTTP/1.0
    Host: bogus
    Connection closed by foreign host.
    [1]+ Segmentation fault (core dumped) bin/httpd -X &

Backtrace of core:

    (gdb) target core core.12956
    Core was generated by `bin/httpd -X'.
    Program terminated with signal 11, Segmentation fault.
    Reading symbols from /lib64/tls/libm.so.6...done.
    Loaded symbols for /lib64/tls/libm.so.6
    Reading symbols from /lib64/libcrypt.so.1...done.
    Loaded symbols for /lib64/libcrypt.so.1
    Reading symbols from /usr/lib64/libgdbm.so.2...done.
    Loaded symbols for /usr/lib64/libgdbm.so.2
    Reading symbols from /usr/lib64/libexpat.so.0...done.
    Loaded symbols for /usr/lib64/libexpat.so.0
    Reading symbols from /lib64/libdl.so.2...done.
    Loaded symbols for /lib64/libdl.so.2
    Reading symbols from /lib64/tls/libc.so.6...done.
    Loaded symbols for /lib64/tls/libc.so.6
    Reading symbols from /lib64/ld-linux-x86-64.so.2...done.
    Loaded symbols for /lib64/ld-linux-x86-64.so.2
    Reading symbols from /lib64/libnss_files.so.2...done.
    Loaded symbols for /lib64/libnss_files.so.2
    Reading symbols from /lib64/libnss_dns.so.2...done.
    Loaded symbols for /lib64/libnss_dns.so.2
    Reading symbols from /lib64/libresolv.so.2...done.
    Loaded symbols for /lib64/libresolv.so.2
    Reading symbols from /var/tmp/gs/apache/libexec/mod_rewrite.so...done.
    Loaded symbols for /var/tmp/gs/apache/libexec/mod_rewrite.so
    #0 0x00000000004551c6 in sslow (m=0x7fbfffcf10, start=0x0, stop=0x594348 "/bogus", startst=31, stopst=33) at engine.c:728
    728 register int c = (start == m->beginp) ? OUT : *(start-1);
    (gdb) bt
    #0 0x00000000004551c6 in sslow (m=0x7fbfffcf10, start=0x0, stop=0x594348 "/bogus", startst=31, stopst=33) at engine.c:728
    #1 0x00000000004540b6 in sdissect (m=0x7fbfffcf10, start=0x594348 "/bogus", stop=0x594348 "/bogus", startst=1, stopst=33) at engine.c:360
    #2 0x0000000000453991 in smatcher (g=0x58e610, string=0x594348 "/bogus", nmatch=10, pmatch=0x7fbfffd090, eflags=0) at engine.c:157
    #3 0x000000000045833c in regexec (preg=0x580828, string=0x594348 "/bogus", nmatch=10, pmatch=0x7fbfffd090, eflags=0) at regexec.c:138
    #4 0x0000000000440fbb in ap_regexec (preg=0x580828, string=0x594348 "/bogus", nmatch=10, pmatch=0x7fbfffd090, eflags=0) at util.c:331
    #5 0x0000002a9578df2e in apply_rewrite_rule (r=0x593220, p=0x580280, perdir=0x0) at mod_rewrite.c:1861
    #6 0x0000002a9578da9b in apply_rewrite_list (r=0x593220, rewriterules=0x580260, perdir=0x0) at mod_rewrite.c:1698
    #7 0x0000002a9578c816 in hook_uri2file (r=0x593220) at mod_rewrite.c:1093
    #8 0x0000000000427065 in run_method (r=0x593220, offset=0, run_all=0) at http_config.c:327
    #9 0x00000000004270cd in ap_translate_name (r=0x593220) at http_config.c:339
    #10 0x000000000043e6f2 in process_request_internal (r=0x593220) at http_request.c:1192
    #11 0x000000000043eae9 in ap_process_request (r=0x593220) at http_request.c:1314
    #12 0x00000000004350fe in child_main (child_num_arg=0) at http_main.c:4786
    #13 0x0000000000435316 in make_child (s=0x57f0b0, slot=0, now=1099603704) at http_main.c:4901
    #14 0x0000000000435495 in startup_children (number_to_start=5) at http_main.c:4983
    #15 0x0000000000435bb8 in standalone_main (argc=2, argv=0x7fbffff9b8) at http_main.c:5315
    #16 0x00000000004363a1 in main (argc=2, argv=0x7fbffff9b8) at http_main.c:5657

Before narrowing down to the above for reproducibility, in my much more complex setup, if I varied the rewrite rule, the problem would disappear. It only triggered when there were two .html entries ^(xxx.html|xxxxx.html)$ in the rewrite rule; it did not happen with ^(error.html|robots.txt)$. It also varied on the length of the rules: ^(error.html|another.html)$ worked, while ^(error.html|another1.html)$ crashed.

Varying the rewrite rule in the simple reproducible steps above was not done; I'm out of tuits at the moment.
Looks like the same problem. The hregex lib is not 64 bit compatible.

*** This bug has been marked as a duplicate of 31858 ***
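The rule variations named in the report can be run as one regression check; this is an added example, not part of the original report or of Apache's code. It assumes the C library's POSIX regcomp/regexec (not the regexec seen in the backtrace) and REG_EXTENDED compilation; check_pattern and count_unexpected are hypothetical names.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

#define NMATCH 10  /* nmatch=10, as passed to regexec in the backtrace */

/* Patterns as written in the report. The leading "!" of the RewriteRule is
 * dropped: mod_rewrite handles the negation and passes the rest to regexec. */
static const char *const report_patterns[] = {
    "^/(error.html|another1.html)$",  /* minimal httpd.conf: crashed */
    "^(error.html|another1.html)$",   /* complex setup: crashed */
    "^(error.html|another.html)$",    /* complex setup: worked */
    "^(error.html|robots.txt)$",      /* complex setup: worked */
};
#define NPATTERNS (sizeof report_patterns / sizeof report_patterns[0])

/* Returns 1 on match, 0 on a clean no-match, -1 on a compile error,
 * an execution error, or match offsets that fall outside the subject. */
static int check_pattern(const char *pattern, const char *subject)
{
    regex_t re;
    regmatch_t pm[NMATCH];
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED) != 0)  /* flag is an assumption */
        return -1;
    rc = regexec(&re, subject, NMATCH, pm, 0);
    regfree(&re);
    if (rc == REG_NOMATCH)
        return 0;
    if (rc != 0 || pm[0].rm_so < 0 || pm[0].rm_eo < pm[0].rm_so ||
        (size_t)pm[0].rm_eo > strlen(subject))
        return -1;
    return 1;
}

/* Counts report patterns that do not give a clean no-match on subject. */
static int count_unexpected(const char *subject)
{
    int bad = 0;
    for (size_t i = 0; i < NPATTERNS; i++)
        if (check_pattern(report_patterns[i], subject) != 0)
            bad++;
    return bad;
}

int main(void)
{
    int bad = count_unexpected("/bogus");  /* request path from the report */
    printf("%d of %zu patterns misbehaved on /bogus\n", bad, NPATTERNS);
    return bad != 0;
}
```

A crash or a nonzero count on a 64-bit host points at the regex library in use rather than at mod_rewrite's rule handling.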