Assuming untrue things about the mathematical properties of your regular expression engine which are not supported by the documentation and allowing that to be exploited by user input is a different beast entirely than a bug in that library. The first, with careful examination of the properties may be preventable through sanitation of the input to exclude certain edge cases. You can't assume you'll be able to sanitize input ahead of time for bugs nobody knows about yet, which might be hidden in normally safe features.