Description:
------------
For the provided script, I get a segfault. We observed this on various platforms and versions (PHP 5.4 on Windows and Debian, PHP 5.5 on Mac), just the crashing input differs on every platform. The provided script crashes on PHP 5.4 on Windows.

The segfault is "almost deterministic", i.e., it crashes on a given input quite everytime. It varies depending on $str, $re and the offset provided to the preg_match().

Test script:
---------------
<?php
$str = <<<TXT
"name"=>"---------", "description"=>"------------------------
----------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------"
TXT;

$re = '~(?:"((?:[^"\\\\]|\\\\\\\\)*)"|([^\s,=>"]+))\s*=>\s*(?:"((?1))"|((?2)))~';

preg_match($re, $str, $m, 0, 1); // segfaults

echo 'this does not get printed';


Actual result:
--------------
In httpd__PID__12244__Date__10_17_2014__Time_04_36_42PM__962__Second_Chance_Exception_C00000FD.dmp the assembly instruction at php5ts!is_equal_function+169 in C:\xampp\php\php5ts.dll from The PHP Group has caused a stack overflow exception (0xC00000FD) when trying to write to memory location 0x00000001 on thread 4



Thread 4 - System ID 12096Entry point	  libhttpd!ap_regkey_value_remove+1060
Create time	  17.10.2014 16:35:40
Time spent in user mode	  0 Days 00:00:00.000
Time spent in kernel mode	  0 Days 00:00:00.000

This thread is not fully resolved and may or may not be a problem. Further analysis of these threads may be required.
Function
php5ts!is_equal_function+169
0x000f4240
ntdll!RtlpLowFragHeapAllocFromContext+aec
php5ts!zend_hash_add_or_update+2a2
php5ts!zend_parse_parameters+2b
php5ts!zval_update_constant_inline_change+a9
php5ts!add_function+964
php5ts!execute_internal+37
php_xdebug!get_module+2364
php5ts!libiconv_open+ab877