
Diff of /code/trunk/ChangeLog


revision 1431 by ph10, Thu Jan 2 17:41:28 2014 UTC revision 1555 by ph10, Sun May 3 17:58:17 2015 UTC
# Line 1  Line 1 
1  ChangeLog for PCRE  ChangeLog for PCRE
2  ------------------  ------------------
3    
4  Version 8.35-RC1 xx-xxxx-201x  Version 8.38 xx-xxx-xxxx
5  -----------------------------  ------------------------
6    
7    1.  If a group that contained a recursive back reference also contained a
8        forward reference subroutine call followed by a non-forward-reference
9        subroutine call, for example /.((?2)(?R)\1)()/, pcre2_compile() failed to
10        compile correct code, leading to undefined behaviour or an internally
11        detected error. This bug was discovered by the LLVM fuzzer.
12    
13    
14    Version 8.37 28-April-2015
15    --------------------------
16    
17    1.  When an (*ACCEPT) is triggered inside capturing parentheses, it arranges
18        for those parentheses to be closed with whatever has been captured so far.
19        However, it was failing to mark any other groups between the hightest
20        capture so far and the currrent group as "unset". Thus, the ovector for
21        those groups contained whatever was previously there. An example is the
22        pattern /(x)|((*ACCEPT))/ when matched against "abcd".
23    
24    2.  If an assertion condition was quantified with a minimum of zero (an odd
25        thing to do, but it happened), SIGSEGV or other misbehaviour could occur.
26    
27    3.  If a pattern in pcretest input had the P (POSIX) modifier followed by an
28        unrecognized modifier, a crash could occur.
29    
30    4.  An attempt to do global matching in pcretest with a zero-length ovector
31        caused a crash.
32    
33    5.  Fixed a memory leak during matching that could occur for a subpattern
34        subroutine call (recursive or otherwise) if the number of captured groups
35        that had to be saved was greater than ten.
36    
37    6.  Catch a bad opcode during auto-possessification after compiling a bad UTF
38        string with NO_UTF_CHECK. This is a tidyup, not a bug fix, as passing bad
39        UTF with NO_UTF_CHECK is documented as having an undefined outcome.
40    
41    7.  A UTF pattern containing a "not" match of a non-ASCII character and a
42        subroutine reference could loop at compile time. Example: /[^\xff]((?1))/.
43    
44    8. When a pattern is compiled, it remembers the highest back reference so that
45       when matching, if the ovector is too small, extra memory can be obtained to
46       use instead. A conditional subpattern whose condition is a check on a
47       capture having happened, such as, for example in the pattern
48       /^(?:(a)|b)(?(1)A|B)/, is another kind of back reference, but it was not
49       setting the highest backreference number. This mattered only if pcre_exec()
50       was called with an ovector that was too small to hold the capture, and there
51       was no other kind of back reference (a situation which is probably quite
52       rare). The effect of the bug was that the condition was always treated as
53       FALSE when the capture could not be consulted, leading to a incorrect
54       behaviour by pcre_exec(). This bug has been fixed.
55    
56    9. A reference to a duplicated named group (either a back reference or a test
57       for being set in a conditional) that occurred in a part of the pattern where
58       PCRE_DUPNAMES was not set caused the amount of memory needed for the pattern
59       to be incorrectly calculated, leading to overwriting.
60    
61    10. A mutually recursive set of back references such as (\2)(\1) caused a
62        segfault at study time (while trying to find the minimum matching length).
63        The infinite loop is now broken (with the minimum length unset, that is,
64        zero).
65    
66    11. If an assertion that was used as a condition was quantified with a minimum
67        of zero, matching went wrong. In particular, if the whole group had
68        unlimited repetition and could match an empty string, a segfault was
69        likely. The pattern (?(?=0)?)+ is an example that caused this. Perl allows
70        assertions to be quantified, but not if they are being used as conditions,
71        so the above pattern is faulted by Perl. PCRE has now been changed so that
72        it also rejects such patterns.
73    
74    12. A possessive capturing group such as (a)*+ with a minimum repeat of zero
75        failed to allow the zero-repeat case if pcre2_exec() was called with an
76        ovector too small to capture the group.
77    
78    13. Fixed two bugs in pcretest that were discovered by fuzzing and reported by
79        Red Hat Product Security:
80    
81        (a) A crash if /K and /F were both set with the option to save the compiled
82        pattern.
83    
84        (b) Another crash if the option to print captured substrings in a callout
85        was combined with setting a null ovector, for example \O\C+ as a subject
86        string.
87    
88    14. A pattern such as "((?2){0,1999}())?", which has a group containing a
89        forward reference repeated a large (but limited) number of times within a
90        repeated outer group that has a zero minimum quantifier, caused incorrect
91        code to be compiled, leading to the error "internal error:
92        previously-checked referenced subpattern not found" when an incorrect
93        memory address was read. This bug was reported as "heap overflow",
94        discovered by Kai Lu of Fortinet's FortiGuard Labs and given the CVE number
95        CVE-2015-2325.
96    
97    23. A pattern such as "((?+1)(\1))/" containing a forward reference subroutine
98        call within a group that also contained a recursive back reference caused
99        incorrect code to be compiled. This bug was reported as "heap overflow",
100        discovered by Kai Lu of Fortinet's FortiGuard Labs, and given the CVE
101        number CVE-2015-2326.
102    
103    24. Computing the size of the JIT read-only data in advance has been a source
104        of various issues, and new ones are still appear unfortunately. To fix
105        existing and future issues, size computation is eliminated from the code,
106        and replaced by on-demand memory allocation.
107    
108    25. A pattern such as /(?i)[A-`]/, where characters in the other case are
109        adjacent to the end of the range, and the range contained characters with
110        more than one other case, caused incorrect behaviour when compiled in UTF
111        mode. In that example, the range a-j was left out of the class.
112    
113    26. Fix JIT compilation of conditional blocks, which assertion
114        is converted to (*FAIL). E.g: /(?(?!))/.
115    
116    27. The pattern /(?(?!)^)/ caused references to random memory. This bug was
117        discovered by the LLVM fuzzer.
118    
119    28. The assertion (?!) is optimized to (*FAIL). This was not handled correctly
120        when this assertion was used as a condition, for example (?(?!)a|b). In
121        pcre2_match() it worked by luck; in pcre2_dfa_match() it gave an incorrect
122        error about an unsupported item.
123    
124    29. For some types of pattern, for example /Z*(|d*){216}/, the auto-
125        possessification code could take exponential time to complete. A recursion
126        depth limit of 1000 has been imposed to limit the resources used by this
127        optimization.
128    
129    30. A pattern such as /(*UTF)[\S\V\H]/, which contains a negated special class
130        such as \S in non-UCP mode, explicit wide characters (> 255) can be ignored
131        because \S ensures they are all in the class. The code for doing this was
132        interacting badly with the code for computing the amount of space needed to
133        compile the pattern, leading to a buffer overflow. This bug was discovered
134        by the LLVM fuzzer.
135    
136    31. A pattern such as /((?2)+)((?1))/ which has mutual recursion nested inside
137        other kinds of group caused stack overflow at compile time. This bug was
138        discovered by the LLVM fuzzer.
139    
140    32. A pattern such as /(?1)(?#?'){8}(a)/ which had a parenthesized comment
141        between a subroutine call and its quantifier was incorrectly compiled,
142        leading to buffer overflow or other errors. This bug was discovered by the
143        LLVM fuzzer.
144    
145    33. The illegal pattern /(?(?<E>.*!.*)?)/ was not being diagnosed as missing an
146        assertion after (?(. The code was failing to check the character after
147        (?(?< for the ! or = that would indicate a lookbehind assertion. This bug
148        was discovered by the LLVM fuzzer.
149    
150    34. A pattern such as /X((?2)()*+){2}+/ which has a possessive quantifier with
151        a fixed maximum following a group that contains a subroutine reference was
152        incorrectly compiled and could trigger buffer overflow. This bug was
153        discovered by the LLVM fuzzer.
154    
155    35. A mutual recursion within a lookbehind assertion such as (?<=((?2))((?1)))
156        caused a stack overflow instead of the diagnosis of a non-fixed length
157        lookbehind assertion. This bug was discovered by the LLVM fuzzer.
158    
159    36. The use of \K in a positive lookbehind assertion in a non-anchored pattern
160        (e.g. /(?<=\Ka)/) could make pcregrep loop.
161    
162    37. There was a similar problem to 36 in pcretest for global matches.
163    
164    38. If a greedy quantified \X was preceded by \C in UTF mode (e.g. \C\X*),
165        and a subsequent item in the pattern caused a non-match, backtracking over
166        the repeated \X did not stop, but carried on past the start of the subject,
167        causing reference to random memory and/or a segfault. There were also some
168        other cases where backtracking after \C could crash. This set of bugs was
169        discovered by the LLVM fuzzer.
170    
171    39. The function for finding the minimum length of a matching string could take
172        a very long time if mutual recursion was present many times in a pattern,
173        for example, /((?2){73}(?2))((?1))/. A better mutual recursion detection
174        method has been implemented. This infelicity was discovered by the LLVM
175        fuzzer.
176    
177    40. Static linking against the PCRE library using the pkg-config module was
178        failing on missing pthread symbols.
179    
180    
181    Version 8.36 26-September-2014
182    ------------------------------
183    
184    1.  Got rid of some compiler warnings in the C++ modules that were shown up by
185        -Wmissing-field-initializers and -Wunused-parameter.
186    
187    2.  The tests for quantifiers being too big (greater than 65535) were being
188        applied after reading the number, and stupidly assuming that integer
189        overflow would give a negative number. The tests are now applied as the
190        numbers are read.
191    
192    3.  Tidy code in pcre_exec.c where two branches that used to be different are
193        now the same.
194    
195    4.  The JIT compiler did not generate match limit checks for certain
196        bracketed expressions with quantifiers. This may lead to exponential
197        backtracking, instead of returning with PCRE_ERROR_MATCHLIMIT. This
198        issue should be resolved now.
199    
200    5.  Fixed an issue, which occures when nested alternatives are optimized
201        with table jumps.
202    
203    6.  Inserted two casts and changed some ints to size_t in the light of some
204        reported 64-bit compiler warnings (Bugzilla 1477).
205    
206    7.  Fixed a bug concerned with zero-minimum possessive groups that could match
207        an empty string, which sometimes were behaving incorrectly in the
208        interpreter (though correctly in the JIT matcher). This pcretest input is
209        an example:
210    
211          '\A(?:[^"]++|"(?:[^"]*+|"")*+")++'
212          NON QUOTED "QUOT""ED" AFTER "NOT MATCHED
213    
214        the interpreter was reporting a match of 'NON QUOTED ' only, whereas the
215        JIT matcher and Perl both matched 'NON QUOTED "QUOT""ED" AFTER '. The test
216        for an empty string was breaking the inner loop and carrying on at a lower
217        level, when possessive repeated groups should always return to a higher
218        level as they have no backtrack points in them. The empty string test now
219        occurs at the outer level.
220    
221    8.  Fixed a bug that was incorrectly auto-possessifying \w+ in the pattern
222        ^\w+(?>\s*)(?<=\w) which caused it not to match "test test".
223    
224    9.  Give a compile-time error for \o{} (as Perl does) and for \x{} (which Perl
225        doesn't).
226    
227    10. Change 8.34/15 introduced a bug that caused the amount of memory needed
228        to hold a pattern to be incorrectly computed (too small) when there were
229        named back references to duplicated names. This could cause "internal
230        error: code overflow" or "double free or corruption" or other memory
231        handling errors.
232    
233    11. When named subpatterns had the same prefixes, back references could be
234        confused. For example, in this pattern:
235    
236          /(?P<Name>a)?(?P<Name2>b)?(?(<Name>)c|d)*l/
237    
238        the reference to 'Name' was incorrectly treated as a reference to a
239        duplicate name.
240    
241    12. A pattern such as /^s?c/mi8 where the optional character has more than
242        one "other case" was incorrectly compiled such that it would only try to
243        match starting at "c".
244    
245    13. When a pattern starting with \s was studied, VT was not included in the
246        list of possible starting characters; this should have been part of the
247        8.34/18 patch.
248    
249    14. If a character class started [\Qx]... where x is any character, the class
250        was incorrectly terminated at the ].
251    
252    15. If a pattern that started with a caseless match for a character with more
253        than one "other case" was studied, PCRE did not set up the starting code
254        unit bit map for the list of possible characters. Now it does. This is an
255        optimization improvement, not a bug fix.
256    
257    16. The Unicode data tables have been updated to Unicode 7.0.0.
258    
259    17. Fixed a number of memory leaks in pcregrep.
260    
261    18. Avoid a compiler warning (from some compilers) for a function call with
262        a cast that removes "const" from an lvalue by using an intermediate
263        variable (to which the compiler does not object).
264    
265    19. Incorrect code was compiled if a group that contained an internal recursive
266        back reference was optional (had quantifier with a minimum of zero). This
267        example compiled incorrect code: /(((a\2)|(a*)\g<-1>))*/ and other examples
268        caused segmentation faults because of stack overflows at compile time.
269    
270    20. A pattern such as /((?(R)a|(?1)))+/, which contains a recursion within a
271        group that is quantified with an indefinite repeat, caused a compile-time
272        loop which used up all the system stack and provoked a segmentation fault.
273        This was not the same bug as 19 above.
274    
275    21. Add PCRECPP_EXP_DECL declaration to operator<< in pcre_stringpiece.h.
276        Patch by Mike Frysinger.
277    
278    
279    Version 8.35 04-April-2014
280    --------------------------
281    
282  1.  A new flag is set, when property checks are present in an XCLASS.  1.  A new flag is set, when property checks are present in an XCLASS.
283      When this flag is not set, PCRE can perform certain optimizations      When this flag is not set, PCRE can perform certain optimizations
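Review bot: The numbering of the 8.37 entries jumps from 14 (new lines 88-95) straight to 23 (new line 97), so items 15 to 22 are either missing or the later entries are misnumbered. Cross-references in this file use the version/number form (for example "8.34/15" in the 8.36 section), so the gap should be closed or explained before release. The added entries also name pcre2_compile(), pcre2_exec(), pcre2_match() and pcre2_dfa_match() (8.38 item 1, 8.37 items 12 and 28) while item 8 of the same section uses pcre_exec(); the function names should be consistent with the 8.x names used elsewhere in this file. Items 2 and 11 of 8.37 both describe an assertion condition quantified with a minimum of zero and read like the same fix recorded twice; merge them or say how they differ. Minor spelling: "hightest", "currrent" (8.37 item 1), "a incorrect behaviour" (item 8), "are still appear" (item 24), "occures" (8.36 item 5).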
# Line 27  Version 8.35-RC1 xx-xxxx-201x Line 302  Version 8.35-RC1 xx-xxxx-201x
302    
303  6.  Improve character range checks in JIT. Characters are read by an inprecise  6.  Improve character range checks in JIT. Characters are read by an inprecise
304      function now, which returns with an unknown value if the character code is      function now, which returns with an unknown value if the character code is
305      above a certain treshold (e.g: 256). The only limitation is that the value      above a certain threshold (e.g: 256). The only limitation is that the value
306      must be bigger than the treshold as well. This function is useful, when      must be bigger than the threshold as well. This function is useful when
307      the characters above the treshold are handled in the same way.      the characters above the threshold are handled in the same way.
308    
309  7.  The macros whose names start with RAWUCHAR are placeholders for a future  7.  The macros whose names start with RAWUCHAR are placeholders for a future
310      mode in which only the bottom 21 bits of 32-bit data items are used. To      mode in which only the bottom 21 bits of 32-bit data items are used. To
311      make this more memorable for those maintaining the code, the names have      make this more memorable for those maintaining the code, the names have
312      been changed to start with UCHAR21, and an extensive comment has been added      been changed to start with UCHAR21, and an extensive comment has been added
313      to their definition.      to their definition.
314    
315    8.  Add missing (new) files sljitNativeTILEGX.c and sljitNativeTILEGX-encoder.c
316        to the export list in Makefile.am (they were accidentally omitted from the
317        8.34 tarball).
318    
319    9.  The informational output from pcretest used the phrase "starting byte set"
320        which is inappropriate for the 16-bit and 32-bit libraries. As the output
321        for "first char" and "need char" really means "non-UTF-char", I've changed
322        "byte" to "char", and slightly reworded the output. The documentation about
323        these values has also been (I hope) clarified.
324    
325    10. Another JIT related optimization: use table jumps for selecting the correct
326        backtracking path, when more than four alternatives are present inside a
327        bracket.
328    
329    11. Empty match is not possible, when the minimum length is greater than zero,
330        and there is no \K in the pattern. JIT should avoid empty match checks in
331        such cases.
332    
333    12. In a caseless character class with UCP support, when a character with more
334        than one alternative case was not the first character of a range, not all
335        the alternative cases were added to the class. For example, s and \x{17f}
336        are both alternative cases for S: the class [RST] was handled correctly,
337        but [R-T] was not.
338    
339    13. The configure.ac file always checked for pthread support when JIT was
340        enabled. This is not used in Windows, so I have put this test inside a
341        check for the presence of windows.h (which was already tested for).
342    
343    14. Improve pattern prefix search by a simplified Boyer-Moore algorithm in JIT.
344        The algorithm provides a way to skip certain starting offsets, and usually
345        faster than linear prefix searches.
346    
347    15. Change 13 for 8.20 updated RunTest to check for the 'fr' locale as well
348        as for 'fr_FR' and 'french'. For some reason, however, it then used the
349        Windows-specific input and output files, which have 'french' screwed in.
350        So this could never have worked. One of the problems with locales is that
351        they aren't always the same. I have now updated RunTest so that it checks
352        the output of the locale test (test 3) against three different output
353        files, and it allows the test to pass if any one of them matches. With luck
354        this should make the test pass on some versions of Solaris where it was
355        failing. Because of the uncertainty, the script did not used to stop if
356        test 3 failed; it now does. If further versions of a French locale ever
357        come to light, they can now easily be added.
358    
359    16. If --with-pcregrep-bufsize was given a non-integer value such as "50K",
360        there was a message during ./configure, but it did not stop. This now
361        provokes an error. The invalid example in README has been corrected.
362        If a value less than the minimum is given, the minimum value has always
363        been used, but now a warning is given.
364    
365    17. If --enable-bsr-anycrlf was set, the special 16/32-bit test failed. This
366        was a bug in the test system, which is now fixed. Also, the list of various
367        configurations that are tested for each release did not have one with both
368        16/32 bits and --enable-bar-anycrlf. It now does.
369    
370    18. pcretest was missing "-C bsr" for displaying the \R default setting.
371    
372    19. Little endian PowerPC systems are supported now by the JIT compiler.
373    
374    20. The fast forward newline mechanism could enter to an infinite loop on
375        certain invalid UTF-8 input. Although we don't support these cases
376        this issue can be fixed by a performance optimization.
377    
378    21. Change 33 of 8.34 is not sufficient to ensure stack safety because it does
379        not take account if existing stack usage. There is now a new global
380        variable called pcre_stack_guard that can be set to point to an external
381        function to check stack availability. It is called at the start of
382        processing every parenthesized group.
383    
384    22. A typo in the code meant that in ungreedy mode the max/min qualifier
385        behaved like a min-possessive qualifier, and, for example, /a{1,3}b/U did
386        not match "ab".
387    
388    23. When UTF was disabled, the JIT program reported some incorrect compile
389        errors. These messages are silenced now.
390    
391    24. Experimental support for ARM-64 and MIPS-64 has been added to the JIT
392        compiler.
393    
394    25. Change all the temporary files used in RunGrepTest to be different to those
395        used by RunTest so that the tests can be run simultaneously, for example by
396        "make -j check".
397    
398    
399  Version 8.34 15-December-2013  Version 8.34 15-December-2013
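Review bot: Item 21 (new lines 378-382) introduces the global pcre_stack_guard hook but does not say what the external function must return or how a failed check is reported to the caller, which is what someone relying on it for stack safety needs to know; add a sentence or a pointer to the documentation. In the same item, "does not take account if existing stack usage" should read "of". Item 17 spells the configure option --enable-bsr-anycrlf on its first line and --enable-bar-anycrlf on its last (new line 368); the second is a typo. The changed lines 305-307 correct "treshold", but "inprecise" on line 303 is left as it was, and item 14 is missing a verb in "and usually faster".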
