Hi Moriyoshi,
The function _php_mb_regex_ereg_replace_exec in php_mbregex.c returns, at the
end of the function:

    RETVAL_STRINGL((char *)out_buf.c, out_buf.len - 1, 0);

Passing 0 as the 3rd argument to the RETVAL_STRINGL macro does not duplicate
the content and makes the retval zval the same as out_buf.c.
out_buf.c is allocated using the malloc/realloc family, not emalloc/erealloc.
When zval_ptr_dtor is called on mb_reg_replace's retval, it calls efree (which
it should not). Hence, in the macro REMOVE_POINTER_FROM_LIST, the line

    p->pLast->pNext = p->pNext;

causes a seg fault (as p->pLast is null or some strange pointer not within the
control of the running program).
A patch for the 5.0 tree is available here:
http://puggy.symonds.net/~kameshj/php_mbregex.c.patch
With regards
Kamesh Jayachandran
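
Added example, not part of the original message and not the linked patch: a toy tracking heap (all names here are hypothetical, not Zend's) showing why a malloc'd buffer must not reach a free routine that unlinks a header it expects in front of the pointer. It also shows the copy-then-free handover that corresponds to passing a duplicating 3rd argument.

```c
#include <stdlib.h>
#include <string.h>

/* Toy tracking heap (hypothetical): every block is preceded by a list header. */
typedef struct hdr { struct hdr *pLast, *pNext; } hdr;
static hdr *head = NULL;

void *t_alloc(size_t n) {
    hdr *p = malloc(sizeof(hdr) + n);
    if (!p) return NULL;
    p->pLast = NULL; p->pNext = head;
    if (head) head->pLast = p;
    head = p;
    return p + 1;
}

/* Walk the list rather than trusting whatever bytes sit in front of ptr. */
int t_owns(const void *ptr) {
    for (hdr *p = head; p; p = p->pNext)
        if ((const void *)(p + 1) == ptr) return 1;
    return 0;
}

/* Returns 0 on success, -1 for a pointer this heap never handed out. */
int t_free(void *ptr) {
    if (!t_owns(ptr)) return -1;  /* unchecked, the unlink below reads garbage */
    hdr *p = (hdr *)ptr - 1;
    if (p->pLast) p->pLast->pNext = p->pNext; else head = p->pNext;
    if (p->pNext) p->pNext->pLast = p->pLast;
    free(p);
    return 0;
}

/* Copy a malloc'd buffer into the tracked heap, then free it with free(). */
char *t_adopt(char *raw, size_t len) {
    char *copy = t_alloc(len + 1);
    if (copy) { memcpy(copy, raw, len); copy[len] = '\0'; }
    free(raw);
    return copy;
}

int demo(void) {
    char *raw = malloc(8);            /* constructed sample, plain malloc */
    if (!raw) return -2;
    memcpy(raw, "replace", 8);
    if (t_free(raw) != -1) return 1;  /* mismatched free is refused */
    char *s = t_adopt(raw, 7);
    return (s && t_owns(s) && t_free(s) == 0) ? 0 : 2;
}
int main(void) { return demo(); }
```

Running the same mismatch under AddressSanitizer or valgrind against a build with the allocator's debug checks enabled reports it at the efree call rather than at a later crash.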