/[pcre]/code/trunk/ChangeLog
ViewVC logotype

Diff of /code/trunk/ChangeLog

Parent Directory Parent Directory | Revision Log Revision Log | View Patch Patch

revision 1431 by ph10, Thu Jan 2 17:41:28 2014 UTC revision 1591 by zherczeg, Tue Aug 11 05:41:09 2015 UTC
# Line 1  Line 1 
1  ChangeLog for PCRE  ChangeLog for PCRE
2  ------------------  ------------------
3    
4  Version 8.35-RC1 xx-xxxx-201x  Note that the PCRE 8.xx series (PCRE1) is now in a bugfix-only state. All
5  -----------------------------  development is happening in the PCRE2 10.xx series.
6    
7    Version 8.38 xx-xxx-xxxx
8    ------------------------
9    
10    1.  If a group that contained a recursive back reference also contained a
11        forward reference subroutine call followed by a non-forward-reference
12        subroutine call, for example /.((?2)(?R)\1)()/, pcre2_compile() failed to
13        compile correct code, leading to undefined behaviour or an internally
14        detected error. This bug was discovered by the LLVM fuzzer.
15    
16    2.  Quantification of certain items (e.g. atomic back references) could cause
17        incorrect code to be compiled when recursive forward references were
18        involved. For example, in this pattern: /(?1)()((((((\1++))\x85)+)|))/.
19        This bug was discovered by the LLVM fuzzer.
20    
21    3.  A repeated conditional group whose condition was a reference by name caused
22        a buffer overflow if there was more than one group with the given name.
23        This bug was discovered by the LLVM fuzzer.
24    
25    4.  A recursive back reference by name within a group that had the same name as
26        another group caused a buffer overflow. For example:
27        /(?J)(?'d'(?'d'\g{d}))/. This bug was discovered by the LLVM fuzzer.
28    
29    5.  A forward reference by name to a group whose number is the same as the
30        current group, for example in this pattern: /(?|(\k'Pm')|(?'Pm'))/, caused
31        a buffer overflow at compile time. This bug was discovered by the LLVM
32        fuzzer.
33    
34    6.  A lookbehind assertion within a set of mutually recursive subpatterns could
35        provoke a buffer overflow. This bug was discovered by the LLVM fuzzer.
36    
37    7.  Another buffer overflow bug involved duplicate named groups with a
38        reference between their definition, with a group that reset capture
39        numbers, for example: /(?J:(?|(?'R')(\k'R')|((?'R'))))/. This has been
40        fixed by always allowing for more memory, even if not needed. (A proper fix
41        is implemented in PCRE2, but it involves more refactoring.)
42    
43    8.  There was no check for integer overflow in subroutine calls such as (?123).
44    
45    9.  The table entry for \l in EBCDIC environments was incorrect, leading to its
46        being treated as a literal 'l' instead of causing an error.
47    
48    10. There was a buffer overflow if pcre_exec() was called with an ovector of
49        size 1. This bug was found by american fuzzy lop.
50    
51    11. If a non-capturing group containing a conditional group that could match
52        an empty string was repeated, it was not identified as matching an empty
53        string itself. For example: /^(?:(?(1)x|)+)+$()/.
54    
55    12. In an EBCDIC environment, pcretest was mishandling the escape sequences
56        \a and \e in test subject lines.
57    
58    13. In an EBCDIC environment, \a in a pattern was converted to the ASCII
59        instead of the EBCDIC value.
60    
61    14. The handling of \c in an EBCDIC environment has been revised so that it is
62        now compatible with the specification in Perl's perlebcdic page.
63    
64    15. The EBCDIC character 0x41 is a non-breaking space, equivalent to 0xa0 in
65        ASCII/Unicode. This has now been added to the list of characters that are
66        recognized as white space in EBCDIC.
67    
68    16. When PCRE was compiled without UCP support, the use of \p and \P gave an
69        error (correctly) when used outside a class, but did not give an error
70        within a class.
71    
72    17. \h within a class was incorrectly compiled in EBCDIC environments.
73    
74    18. A pattern with an unmatched closing parenthesis that contained a backward
75        assertion which itself contained a forward reference caused buffer
76        overflow. And example pattern is: /(?=di(?<=(?1))|(?=(.))))/.
77    
78    19. JIT should return with error when the compiled pattern requires more stack
79        space than the maximum.
80    
81    20. A possessively repeated conditional group that could match an empty string,
82        for example, /(?(R))*+/, was incorrectly compiled.
83    
84    21. Fix infinite recursion in the JIT compiler when certain patterns such as
85        /(?:|a|){100}x/ are analysed.
86    
87    22. Some patterns with character classes involving [: and \\ were incorrectly
88        compiled and could cause reading from uninitialized memory or an incorrect
89        error diagnosis.
90    
91    23. Pathological patterns containing many nested occurrences of [: caused
92        pcre_compile() to run for a very long time.
93    
94    24. A conditional group with only one branch has an implicit empty alternative
95        branch and must therefore be treated as potentially matching an empty
96        string.
97    
98    25. If (?R was followed by - or + incorrect behaviour happened instead of a
99        diagnostic.
100    
101    26. Arrange to give up on finding the minimum matching length for overly
102        complex patterns.
103    
104    27. Similar to (4) above: in a pattern with duplicated named groups and an
105        occurrence of (?| it is possible for an apparently non-recursive back
106        reference to become recursive if a later named group with the relevant
107        number is encountered. This could lead to a buffer overflow. Wen Guanxing
108        from Venustech ADLAB discovered this bug.
109    
110    28. If pcregrep was given the -q option with -c or -l, or when handling a
111        binary file, it incorrectly wrote output to stdout.
112    
113    29. The JIT compiler did not restore the control verb head in case of *THEN
114        control verbs. This issue was found by Karl Skomski with a custom LLVM
115        fuzzer.
116    
117    30. Error messages for syntax errors following \g and \k were giving inaccurate
118        offsets in the pattern.
119    
120    31. Added a check for integer overflow in conditions (?(<digits>) and
121        (?(R<digits>). This omission was discovered by Karl Skomski with the LLVM
122        fuzzer.
123    
124    32. Handling recursive references such as (?2) when the reference is to a group
125        later in the pattern uses code that is very hacked about and error-prone.
126        It has been re-written for PCRE2. Here in PCRE1, a check has been added to
127        give an internal error if it is obvious that compiling has gone wrong.
128    
129    33. The JIT compiler should not check repeats after a {0,1} repeat byte code.
130        This issue was found by Karl Skomski with a custom LLVM fuzzer.
131    
132    
133    Version 8.37 28-April-2015
134    --------------------------
135    
136    1.  When an (*ACCEPT) is triggered inside capturing parentheses, it arranges
137        for those parentheses to be closed with whatever has been captured so far.
138        However, it was failing to mark any other groups between the hightest
139        capture so far and the currrent group as "unset". Thus, the ovector for
140        those groups contained whatever was previously there. An example is the
141        pattern /(x)|((*ACCEPT))/ when matched against "abcd".
142    
143    2.  If an assertion condition was quantified with a minimum of zero (an odd
144        thing to do, but it happened), SIGSEGV or other misbehaviour could occur.
145    
146    3.  If a pattern in pcretest input had the P (POSIX) modifier followed by an
147        unrecognized modifier, a crash could occur.
148    
149    4.  An attempt to do global matching in pcretest with a zero-length ovector
150        caused a crash.
151    
152    5.  Fixed a memory leak during matching that could occur for a subpattern
153        subroutine call (recursive or otherwise) if the number of captured groups
154        that had to be saved was greater than ten.
155    
156    6.  Catch a bad opcode during auto-possessification after compiling a bad UTF
157        string with NO_UTF_CHECK. This is a tidyup, not a bug fix, as passing bad
158        UTF with NO_UTF_CHECK is documented as having an undefined outcome.
159    
160    7.  A UTF pattern containing a "not" match of a non-ASCII character and a
161        subroutine reference could loop at compile time. Example: /[^\xff]((?1))/.
162    
163    8. When a pattern is compiled, it remembers the highest back reference so that
164       when matching, if the ovector is too small, extra memory can be obtained to
165       use instead. A conditional subpattern whose condition is a check on a
166       capture having happened, such as, for example in the pattern
167       /^(?:(a)|b)(?(1)A|B)/, is another kind of back reference, but it was not
168       setting the highest backreference number. This mattered only if pcre_exec()
169       was called with an ovector that was too small to hold the capture, and there
170       was no other kind of back reference (a situation which is probably quite
171       rare). The effect of the bug was that the condition was always treated as
172       FALSE when the capture could not be consulted, leading to a incorrect
173       behaviour by pcre_exec(). This bug has been fixed.
174    
175    9. A reference to a duplicated named group (either a back reference or a test
176       for being set in a conditional) that occurred in a part of the pattern where
177       PCRE_DUPNAMES was not set caused the amount of memory needed for the pattern
178       to be incorrectly calculated, leading to overwriting.
179    
180    10. A mutually recursive set of back references such as (\2)(\1) caused a
181        segfault at study time (while trying to find the minimum matching length).
182        The infinite loop is now broken (with the minimum length unset, that is,
183        zero).
184    
185    11. If an assertion that was used as a condition was quantified with a minimum
186        of zero, matching went wrong. In particular, if the whole group had
187        unlimited repetition and could match an empty string, a segfault was
188        likely. The pattern (?(?=0)?)+ is an example that caused this. Perl allows
189        assertions to be quantified, but not if they are being used as conditions,
190        so the above pattern is faulted by Perl. PCRE has now been changed so that
191        it also rejects such patterns.
192    
193    12. A possessive capturing group such as (a)*+ with a minimum repeat of zero
194        failed to allow the zero-repeat case if pcre2_exec() was called with an
195        ovector too small to capture the group.
196    
197    13. Fixed two bugs in pcretest that were discovered by fuzzing and reported by
198        Red Hat Product Security:
199    
200        (a) A crash if /K and /F were both set with the option to save the compiled
201        pattern.
202    
203        (b) Another crash if the option to print captured substrings in a callout
204        was combined with setting a null ovector, for example \O\C+ as a subject
205        string.
206    
207    14. A pattern such as "((?2){0,1999}())?", which has a group containing a
208        forward reference repeated a large (but limited) number of times within a
209        repeated outer group that has a zero minimum quantifier, caused incorrect
210        code to be compiled, leading to the error "internal error:
211        previously-checked referenced subpattern not found" when an incorrect
212        memory address was read. This bug was reported as "heap overflow",
213        discovered by Kai Lu of Fortinet's FortiGuard Labs and given the CVE number
214        CVE-2015-2325.
215    
216    23. A pattern such as "((?+1)(\1))/" containing a forward reference subroutine
217        call within a group that also contained a recursive back reference caused
218        incorrect code to be compiled. This bug was reported as "heap overflow",
219        discovered by Kai Lu of Fortinet's FortiGuard Labs, and given the CVE
220        number CVE-2015-2326.
221    
222    24. Computing the size of the JIT read-only data in advance has been a source
223        of various issues, and new ones are still appear unfortunately. To fix
224        existing and future issues, size computation is eliminated from the code,
225        and replaced by on-demand memory allocation.
226    
227    25. A pattern such as /(?i)[A-`]/, where characters in the other case are
228        adjacent to the end of the range, and the range contained characters with
229        more than one other case, caused incorrect behaviour when compiled in UTF
230        mode. In that example, the range a-j was left out of the class.
231    
232    26. Fix JIT compilation of conditional blocks, which assertion
233        is converted to (*FAIL). E.g: /(?(?!))/.
234    
235    27. The pattern /(?(?!)^)/ caused references to random memory. This bug was
236        discovered by the LLVM fuzzer.
237    
238    28. The assertion (?!) is optimized to (*FAIL). This was not handled correctly
239        when this assertion was used as a condition, for example (?(?!)a|b). In
240        pcre2_match() it worked by luck; in pcre2_dfa_match() it gave an incorrect
241        error about an unsupported item.
242    
243    29. For some types of pattern, for example /Z*(|d*){216}/, the auto-
244        possessification code could take exponential time to complete. A recursion
245        depth limit of 1000 has been imposed to limit the resources used by this
246        optimization.
247    
248    30. A pattern such as /(*UTF)[\S\V\H]/, which contains a negated special class
249        such as \S in non-UCP mode, explicit wide characters (> 255) can be ignored
250        because \S ensures they are all in the class. The code for doing this was
251        interacting badly with the code for computing the amount of space needed to
252        compile the pattern, leading to a buffer overflow. This bug was discovered
253        by the LLVM fuzzer.
254    
255    31. A pattern such as /((?2)+)((?1))/ which has mutual recursion nested inside
256        other kinds of group caused stack overflow at compile time. This bug was
257        discovered by the LLVM fuzzer.
258    
259    32. A pattern such as /(?1)(?#?'){8}(a)/ which had a parenthesized comment
260        between a subroutine call and its quantifier was incorrectly compiled,
261        leading to buffer overflow or other errors. This bug was discovered by the
262        LLVM fuzzer.
263    
264    33. The illegal pattern /(?(?<E>.*!.*)?)/ was not being diagnosed as missing an
265        assertion after (?(. The code was failing to check the character after
266        (?(?< for the ! or = that would indicate a lookbehind assertion. This bug
267        was discovered by the LLVM fuzzer.
268    
269    34. A pattern such as /X((?2)()*+){2}+/ which has a possessive quantifier with
270        a fixed maximum following a group that contains a subroutine reference was
271        incorrectly compiled and could trigger buffer overflow. This bug was
272        discovered by the LLVM fuzzer.
273    
274    35. A mutual recursion within a lookbehind assertion such as (?<=((?2))((?1)))
275        caused a stack overflow instead of the diagnosis of a non-fixed length
276        lookbehind assertion. This bug was discovered by the LLVM fuzzer.
277    
278    36. The use of \K in a positive lookbehind assertion in a non-anchored pattern
279        (e.g. /(?<=\Ka)/) could make pcregrep loop.
280    
281    37. There was a similar problem to 36 in pcretest for global matches.
282    
283    38. If a greedy quantified \X was preceded by \C in UTF mode (e.g. \C\X*),
284        and a subsequent item in the pattern caused a non-match, backtracking over
285        the repeated \X did not stop, but carried on past the start of the subject,
286        causing reference to random memory and/or a segfault. There were also some
287        other cases where backtracking after \C could crash. This set of bugs was
288        discovered by the LLVM fuzzer.
289    
290    39. The function for finding the minimum length of a matching string could take
291        a very long time if mutual recursion was present many times in a pattern,
292        for example, /((?2){73}(?2))((?1))/. A better mutual recursion detection
293        method has been implemented. This infelicity was discovered by the LLVM
294        fuzzer.
295    
296    40. Static linking against the PCRE library using the pkg-config module was
297        failing on missing pthread symbols.
298    
299    
300    Version 8.36 26-September-2014
301    ------------------------------
302    
303    1.  Got rid of some compiler warnings in the C++ modules that were shown up by
304        -Wmissing-field-initializers and -Wunused-parameter.
305    
306    2.  The tests for quantifiers being too big (greater than 65535) were being
307        applied after reading the number, and stupidly assuming that integer
308        overflow would give a negative number. The tests are now applied as the
309        numbers are read.
310    
311    3.  Tidy code in pcre_exec.c where two branches that used to be different are
312        now the same.
313    
314    4.  The JIT compiler did not generate match limit checks for certain
315        bracketed expressions with quantifiers. This may lead to exponential
316        backtracking, instead of returning with PCRE_ERROR_MATCHLIMIT. This
317        issue should be resolved now.
318    
319    5.  Fixed an issue, which occures when nested alternatives are optimized
320        with table jumps.
321    
322    6.  Inserted two casts and changed some ints to size_t in the light of some
323        reported 64-bit compiler warnings (Bugzilla 1477).
324    
325    7.  Fixed a bug concerned with zero-minimum possessive groups that could match
326        an empty string, which sometimes were behaving incorrectly in the
327        interpreter (though correctly in the JIT matcher). This pcretest input is
328        an example:
329    
330          '\A(?:[^"]++|"(?:[^"]*+|"")*+")++'
331          NON QUOTED "QUOT""ED" AFTER "NOT MATCHED
332    
333        the interpreter was reporting a match of 'NON QUOTED ' only, whereas the
334        JIT matcher and Perl both matched 'NON QUOTED "QUOT""ED" AFTER '. The test
335        for an empty string was breaking the inner loop and carrying on at a lower
336        level, when possessive repeated groups should always return to a higher
337        level as they have no backtrack points in them. The empty string test now
338        occurs at the outer level.
339    
340    8.  Fixed a bug that was incorrectly auto-possessifying \w+ in the pattern
341        ^\w+(?>\s*)(?<=\w) which caused it not to match "test test".
342    
343    9.  Give a compile-time error for \o{} (as Perl does) and for \x{} (which Perl
344        doesn't).
345    
346    10. Change 8.34/15 introduced a bug that caused the amount of memory needed
347        to hold a pattern to be incorrectly computed (too small) when there were
348        named back references to duplicated names. This could cause "internal
349        error: code overflow" or "double free or corruption" or other memory
350        handling errors.
351    
352    11. When named subpatterns had the same prefixes, back references could be
353        confused. For example, in this pattern:
354    
355          /(?P<Name>a)?(?P<Name2>b)?(?(<Name>)c|d)*l/
356    
357        the reference to 'Name' was incorrectly treated as a reference to a
358        duplicate name.
359    
360    12. A pattern such as /^s?c/mi8 where the optional character has more than
361        one "other case" was incorrectly compiled such that it would only try to
362        match starting at "c".
363    
364    13. When a pattern starting with \s was studied, VT was not included in the
365        list of possible starting characters; this should have been part of the
366        8.34/18 patch.
367    
368    14. If a character class started [\Qx]... where x is any character, the class
369        was incorrectly terminated at the ].
370    
371    15. If a pattern that started with a caseless match for a character with more
372        than one "other case" was studied, PCRE did not set up the starting code
373        unit bit map for the list of possible characters. Now it does. This is an
374        optimization improvement, not a bug fix.
375    
376    16. The Unicode data tables have been updated to Unicode 7.0.0.
377    
378    17. Fixed a number of memory leaks in pcregrep.
379    
380    18. Avoid a compiler warning (from some compilers) for a function call with
381        a cast that removes "const" from an lvalue by using an intermediate
382        variable (to which the compiler does not object).
383    
384    19. Incorrect code was compiled if a group that contained an internal recursive
385        back reference was optional (had quantifier with a minimum of zero). This
386        example compiled incorrect code: /(((a\2)|(a*)\g<-1>))*/ and other examples
387        caused segmentation faults because of stack overflows at compile time.
388    
389    20. A pattern such as /((?(R)a|(?1)))+/, which contains a recursion within a
390        group that is quantified with an indefinite repeat, caused a compile-time
391        loop which used up all the system stack and provoked a segmentation fault.
392        This was not the same bug as 19 above.
393    
394    21. Add PCRECPP_EXP_DECL declaration to operator<< in pcre_stringpiece.h.
395        Patch by Mike Frysinger.
396    
397    
398    Version 8.35 04-April-2014
399    --------------------------
400    
401  1.  A new flag is set, when property checks are present in an XCLASS.  1.  A new flag is set, when property checks are present in an XCLASS.
402      When this flag is not set, PCRE can perform certain optimizations      When this flag is not set, PCRE can perform certain optimizations
# Line 27  Version 8.35-RC1 xx-xxxx-201x Line 421  Version 8.35-RC1 xx-xxxx-201x
421    
422  6.  Improve character range checks in JIT. Characters are read by an inprecise  6.  Improve character range checks in JIT. Characters are read by an inprecise
423      function now, which returns with an unknown value if the character code is      function now, which returns with an unknown value if the character code is
424      above a certain treshold (e.g: 256). The only limitation is that the value      above a certain threshold (e.g: 256). The only limitation is that the value
425      must be bigger than the treshold as well. This function is useful, when      must be bigger than the threshold as well. This function is useful when
426      the characters above the treshold are handled in the same way.      the characters above the threshold are handled in the same way.
427    
428  7.  The macros whose names start with RAWUCHAR are placeholders for a future  7.  The macros whose names start with RAWUCHAR are placeholders for a future
429      mode in which only the bottom 21 bits of 32-bit data items are used. To      mode in which only the bottom 21 bits of 32-bit data items are used. To
430      make this more memorable for those maintaining the code, the names have      make this more memorable for those maintaining the code, the names have
431      been changed to start with UCHAR21, and an extensive comment has been added      been changed to start with UCHAR21, and an extensive comment has been added
432      to their definition.      to their definition.
433    
434    8.  Add missing (new) files sljitNativeTILEGX.c and sljitNativeTILEGX-encoder.c
435        to the export list in Makefile.am (they were accidentally omitted from the
436        8.34 tarball).
437    
438    9.  The informational output from pcretest used the phrase "starting byte set"
439        which is inappropriate for the 16-bit and 32-bit libraries. As the output
440        for "first char" and "need char" really means "non-UTF-char", I've changed
441        "byte" to "char", and slightly reworded the output. The documentation about
442        these values has also been (I hope) clarified.
443    
444    10. Another JIT related optimization: use table jumps for selecting the correct
445        backtracking path, when more than four alternatives are present inside a
446        bracket.
447    
448    11. Empty match is not possible, when the minimum length is greater than zero,
449        and there is no \K in the pattern. JIT should avoid empty match checks in
450        such cases.
451    
452    12. In a caseless character class with UCP support, when a character with more
453        than one alternative case was not the first character of a range, not all
454        the alternative cases were added to the class. For example, s and \x{17f}
455        are both alternative cases for S: the class [RST] was handled correctly,
456        but [R-T] was not.
457    
458    13. The configure.ac file always checked for pthread support when JIT was
459        enabled. This is not used in Windows, so I have put this test inside a
460        check for the presence of windows.h (which was already tested for).
461    
462    14. Improve pattern prefix search by a simplified Boyer-Moore algorithm in JIT.
463        The algorithm provides a way to skip certain starting offsets, and usually
464        faster than linear prefix searches.
465    
466    15. Change 13 for 8.20 updated RunTest to check for the 'fr' locale as well
467        as for 'fr_FR' and 'french'. For some reason, however, it then used the
468        Windows-specific input and output files, which have 'french' screwed in.
469        So this could never have worked. One of the problems with locales is that
470        they aren't always the same. I have now updated RunTest so that it checks
471        the output of the locale test (test 3) against three different output
472        files, and it allows the test to pass if any one of them matches. With luck
473        this should make the test pass on some versions of Solaris where it was
474        failing. Because of the uncertainty, the script did not used to stop if
475        test 3 failed; it now does. If further versions of a French locale ever
476        come to light, they can now easily be added.
477    
478    16. If --with-pcregrep-bufsize was given a non-integer value such as "50K",
479        there was a message during ./configure, but it did not stop. This now
480        provokes an error. The invalid example in README has been corrected.
481        If a value less than the minimum is given, the minimum value has always
482        been used, but now a warning is given.
483    
484    17. If --enable-bsr-anycrlf was set, the special 16/32-bit test failed. This
485        was a bug in the test system, which is now fixed. Also, the list of various
486        configurations that are tested for each release did not have one with both
487        16/32 bits and --enable-bar-anycrlf. It now does.
488    
489    18. pcretest was missing "-C bsr" for displaying the \R default setting.
490    
491    19. Little endian PowerPC systems are supported now by the JIT compiler.
492    
493    20. The fast forward newline mechanism could enter to an infinite loop on
494        certain invalid UTF-8 input. Although we don't support these cases
495        this issue can be fixed by a performance optimization.
496    
497    21. Change 33 of 8.34 is not sufficient to ensure stack safety because it does
498        not take account if existing stack usage. There is now a new global
499        variable called pcre_stack_guard that can be set to point to an external
500        function to check stack availability. It is called at the start of
501        processing every parenthesized group.
502    
503    22. A typo in the code meant that in ungreedy mode the max/min qualifier
504        behaved like a min-possessive qualifier, and, for example, /a{1,3}b/U did
505        not match "ab".
506    
507    23. When UTF was disabled, the JIT program reported some incorrect compile
508        errors. These messages are silenced now.
509    
510    24. Experimental support for ARM-64 and MIPS-64 has been added to the JIT
511        compiler.
512    
513    25. Change all the temporary files used in RunGrepTest to be different to those
514        used by RunTest so that the tests can be run simultaneously, for example by
515        "make -j check".
516    
517    
518  Version 8.34 15-December-2013  Version 8.34 15-December-2013

Legend:
Removed from v.1431  
changed lines
  Added in v.1591

  ViewVC Help
Powered by ViewVC 1.1.5