Diff of /code/trunk/ChangeLog

revision 1496 by ph10, Fri Jul 18 08:24:35 2014 UTC revision 1556 by ph10, Thu May 7 16:31:58 2015 UTC
# Line 1  Line 1 
1  ChangeLog for PCRE  ChangeLog for PCRE
2  ------------------  ------------------
3    
4  Version 8.36 xx-xxx-2014  Version 8.38 xx-xxx-xxxx
5  ------------------------  ------------------------
6    
7    1.  If a group that contained a recursive back reference also contained a
8        forward reference subroutine call followed by a non-forward-reference
9        subroutine call, for example /.((?2)(?R)\1)()/, pcre2_compile() failed to
10        compile correct code, leading to undefined behaviour or an internally
11        detected error. This bug was discovered by the LLVM fuzzer.
12    
13    2.  Quantification of certain items (e.g. atomic back references) could cause
14        incorrect code to be compiled when recursive forward references were
15        involved. For example, in this pattern: /(?1)()((((((\1++))\x85)+)|))/.
16        This bug was discovered by the LLVM fuzzer.
17    
18    
19    Version 8.37 28-April-2015
20    --------------------------
21    
22    1.  When an (*ACCEPT) is triggered inside capturing parentheses, it arranges
23        for those parentheses to be closed with whatever has been captured so far.
24        However, it was failing to mark any other groups between the hightest
25        capture so far and the currrent group as "unset". Thus, the ovector for
26        those groups contained whatever was previously there. An example is the
27        pattern /(x)|((*ACCEPT))/ when matched against "abcd".
28    
29    2.  If an assertion condition was quantified with a minimum of zero (an odd
30        thing to do, but it happened), SIGSEGV or other misbehaviour could occur.
31    
32    3.  If a pattern in pcretest input had the P (POSIX) modifier followed by an
33        unrecognized modifier, a crash could occur.
34    
35    4.  An attempt to do global matching in pcretest with a zero-length ovector
36        caused a crash.
37    
38    5.  Fixed a memory leak during matching that could occur for a subpattern
39        subroutine call (recursive or otherwise) if the number of captured groups
40        that had to be saved was greater than ten.
41    
42    6.  Catch a bad opcode during auto-possessification after compiling a bad UTF
43        string with NO_UTF_CHECK. This is a tidyup, not a bug fix, as passing bad
44        UTF with NO_UTF_CHECK is documented as having an undefined outcome.
45    
46    7.  A UTF pattern containing a "not" match of a non-ASCII character and a
47        subroutine reference could loop at compile time. Example: /[^\xff]((?1))/.
48    
49    8. When a pattern is compiled, it remembers the highest back reference so that
50       when matching, if the ovector is too small, extra memory can be obtained to
51       use instead. A conditional subpattern whose condition is a check on a
52       capture having happened, such as, for example in the pattern
53       /^(?:(a)|b)(?(1)A|B)/, is another kind of back reference, but it was not
54       setting the highest backreference number. This mattered only if pcre_exec()
55       was called with an ovector that was too small to hold the capture, and there
56       was no other kind of back reference (a situation which is probably quite
57       rare). The effect of the bug was that the condition was always treated as
58       FALSE when the capture could not be consulted, leading to a incorrect
59       behaviour by pcre_exec(). This bug has been fixed.
60    
61    9. A reference to a duplicated named group (either a back reference or a test
62       for being set in a conditional) that occurred in a part of the pattern where
63       PCRE_DUPNAMES was not set caused the amount of memory needed for the pattern
64       to be incorrectly calculated, leading to overwriting.
65    
66    10. A mutually recursive set of back references such as (\2)(\1) caused a
67        segfault at study time (while trying to find the minimum matching length).
68        The infinite loop is now broken (with the minimum length unset, that is,
69        zero).
70    
71    11. If an assertion that was used as a condition was quantified with a minimum
72        of zero, matching went wrong. In particular, if the whole group had
73        unlimited repetition and could match an empty string, a segfault was
74        likely. The pattern (?(?=0)?)+ is an example that caused this. Perl allows
75        assertions to be quantified, but not if they are being used as conditions,
76        so the above pattern is faulted by Perl. PCRE has now been changed so that
77        it also rejects such patterns.
78    
79    12. A possessive capturing group such as (a)*+ with a minimum repeat of zero
80        failed to allow the zero-repeat case if pcre2_exec() was called with an
81        ovector too small to capture the group.
82    
83    13. Fixed two bugs in pcretest that were discovered by fuzzing and reported by
84        Red Hat Product Security:
85    
86        (a) A crash if /K and /F were both set with the option to save the compiled
87        pattern.
88    
89        (b) Another crash if the option to print captured substrings in a callout
90        was combined with setting a null ovector, for example \O\C+ as a subject
91        string.
92    
93    14. A pattern such as "((?2){0,1999}())?", which has a group containing a
94        forward reference repeated a large (but limited) number of times within a
95        repeated outer group that has a zero minimum quantifier, caused incorrect
96        code to be compiled, leading to the error "internal error:
97        previously-checked referenced subpattern not found" when an incorrect
98        memory address was read. This bug was reported as "heap overflow",
99        discovered by Kai Lu of Fortinet's FortiGuard Labs and given the CVE number
100        CVE-2015-2325.
101    
102    23. A pattern such as "((?+1)(\1))/" containing a forward reference subroutine
103        call within a group that also contained a recursive back reference caused
104        incorrect code to be compiled. This bug was reported as "heap overflow",
105        discovered by Kai Lu of Fortinet's FortiGuard Labs, and given the CVE
106        number CVE-2015-2326.
107    
108    24. Computing the size of the JIT read-only data in advance has been a source
109        of various issues, and new ones are still appear unfortunately. To fix
110        existing and future issues, size computation is eliminated from the code,
111        and replaced by on-demand memory allocation.
112    
113    25. A pattern such as /(?i)[A-`]/, where characters in the other case are
114        adjacent to the end of the range, and the range contained characters with
115        more than one other case, caused incorrect behaviour when compiled in UTF
116        mode. In that example, the range a-j was left out of the class.
117    
118    26. Fix JIT compilation of conditional blocks, which assertion
119        is converted to (*FAIL). E.g: /(?(?!))/.
120    
121    27. The pattern /(?(?!)^)/ caused references to random memory. This bug was
122        discovered by the LLVM fuzzer.
123    
124    28. The assertion (?!) is optimized to (*FAIL). This was not handled correctly
125        when this assertion was used as a condition, for example (?(?!)a|b). In
126        pcre2_match() it worked by luck; in pcre2_dfa_match() it gave an incorrect
127        error about an unsupported item.
128    
129    29. For some types of pattern, for example /Z*(|d*){216}/, the auto-
130        possessification code could take exponential time to complete. A recursion
131        depth limit of 1000 has been imposed to limit the resources used by this
132        optimization.
133    
134    30. A pattern such as /(*UTF)[\S\V\H]/, which contains a negated special class
135        such as \S in non-UCP mode, explicit wide characters (> 255) can be ignored
136        because \S ensures they are all in the class. The code for doing this was
137        interacting badly with the code for computing the amount of space needed to
138        compile the pattern, leading to a buffer overflow. This bug was discovered
139        by the LLVM fuzzer.
140    
141    31. A pattern such as /((?2)+)((?1))/ which has mutual recursion nested inside
142        other kinds of group caused stack overflow at compile time. This bug was
143        discovered by the LLVM fuzzer.
144    
145    32. A pattern such as /(?1)(?#?'){8}(a)/ which had a parenthesized comment
146        between a subroutine call and its quantifier was incorrectly compiled,
147        leading to buffer overflow or other errors. This bug was discovered by the
148        LLVM fuzzer.
149    
150    33. The illegal pattern /(?(?<E>.*!.*)?)/ was not being diagnosed as missing an
151        assertion after (?(. The code was failing to check the character after
152        (?(?< for the ! or = that would indicate a lookbehind assertion. This bug
153        was discovered by the LLVM fuzzer.
154    
155    34. A pattern such as /X((?2)()*+){2}+/ which has a possessive quantifier with
156        a fixed maximum following a group that contains a subroutine reference was
157        incorrectly compiled and could trigger buffer overflow. This bug was
158        discovered by the LLVM fuzzer.
159    
160    35. A mutual recursion within a lookbehind assertion such as (?<=((?2))((?1)))
161        caused a stack overflow instead of the diagnosis of a non-fixed length
162        lookbehind assertion. This bug was discovered by the LLVM fuzzer.
163    
164    36. The use of \K in a positive lookbehind assertion in a non-anchored pattern
165        (e.g. /(?<=\Ka)/) could make pcregrep loop.
166    
167    37. There was a similar problem to 36 in pcretest for global matches.
168    
169    38. If a greedy quantified \X was preceded by \C in UTF mode (e.g. \C\X*),
170        and a subsequent item in the pattern caused a non-match, backtracking over
171        the repeated \X did not stop, but carried on past the start of the subject,
172        causing reference to random memory and/or a segfault. There were also some
173        other cases where backtracking after \C could crash. This set of bugs was
174        discovered by the LLVM fuzzer.
175    
176    39. The function for finding the minimum length of a matching string could take
177        a very long time if mutual recursion was present many times in a pattern,
178        for example, /((?2){73}(?2))((?1))/. A better mutual recursion detection
179        method has been implemented. This infelicity was discovered by the LLVM
180        fuzzer.
181    
182    40. Static linking against the PCRE library using the pkg-config module was
183        failing on missing pthread symbols.
184    
185    
186    Version 8.36 26-September-2014
187    ------------------------------
188    
189  1.  Got rid of some compiler warnings in the C++ modules that were shown up by  1.  Got rid of some compiler warnings in the C++ modules that were shown up by
190      -Wmissing-field-initializers and -Wunused-parameter.      -Wmissing-field-initializers and -Wunused-parameter.
191    
192  2.  The tests for quantifiers being too big (greater than 65535) were being  2.  The tests for quantifiers being too big (greater than 65535) were being
193      applied after reading the number, and stupidly assuming that integer      applied after reading the number, and stupidly assuming that integer
194      overflow would give a negative number. The tests are now applied as the      overflow would give a negative number. The tests are now applied as the
195      numbers are read.      numbers are read.
196    
197  3.  Tidy code in pcre_exec.c where two branches that used to be different are  3.  Tidy code in pcre_exec.c where two branches that used to be different are
198      now the same.      now the same.
199    
200  4.  The JIT compiler did not generate match limit checks for certain  4.  The JIT compiler did not generate match limit checks for certain
201      bracketed expressions with quantifiers. This may lead to exponential      bracketed expressions with quantifiers. This may lead to exponential
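Review bot: The entry numbers in the new 8.37 section jump from 14 straight to 23, so either entries 15 to 22 are missing from this revision or the tail of the list needs renumbering; entry 37 refers back to "36" by number, so the numbering should be settled before release. The added entries also name pcre2_compile() (8.38/1), pcre2_exec() (8.37/12), and pcre2_match() and pcre2_dfa_match() (8.37/28), while entry 8.37/8 in the same file, titled "ChangeLog for PCRE", says pcre_exec(); use the function names of the library this ChangeLog documents throughout. Smaller wording fixes in the added text: "hightest" and "currrent" in 8.37/1, "leading to a incorrect behaviour" in 8.37/8, "new ones are still appear" in 8.37/24, and the quoted pattern in entry 23, "((?+1)(\1))/", which ends with a slash that has no opening counterpart.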
# Line 22  Version 8.36 xx-xxx-2014 Line 204  Version 8.36 xx-xxx-2014
204    
205  5.  Fixed an issue, which occures when nested alternatives are optimized  5.  Fixed an issue, which occures when nested alternatives are optimized
206      with table jumps.      with table jumps.
207    
208  6.  Inserted two casts and changed some ints to size_t in the light of some  6.  Inserted two casts and changed some ints to size_t in the light of some
209      reported 64-bit compiler warnings (Bugzilla 1477).      reported 64-bit compiler warnings (Bugzilla 1477).
210    
211  7.  Fixed a bug concerned with zero-minimum possessive groups that could match  7.  Fixed a bug concerned with zero-minimum possessive groups that could match
212      an empty string, which sometimes were behaving incorrectly in the      an empty string, which sometimes were behaving incorrectly in the
213      interpreter (though correctly in the JIT matcher). This pcretest input is      interpreter (though correctly in the JIT matcher). This pcretest input is
214      an example:      an example:
215    
216        '\A(?:[^"]++|"(?:[^"]*+|"")*+")++'        '\A(?:[^"]++|"(?:[^"]*+|"")*+")++'
217        NON QUOTED "QUOT""ED" AFTER "NOT MATCHED        NON QUOTED "QUOT""ED" AFTER "NOT MATCHED
218    
219      the interpreter was reporting a match of 'NON QUOTED ' only, whereas the      the interpreter was reporting a match of 'NON QUOTED ' only, whereas the
220      JIT matcher and Perl both matched 'NON QUOTED "QUOT""ED" AFTER '. The test      JIT matcher and Perl both matched 'NON QUOTED "QUOT""ED" AFTER '. The test
221      for an empty string was breaking the inner loop and carrying on at a lower      for an empty string was breaking the inner loop and carrying on at a lower
222      level, when possessive repeated groups should always return to a higher      level, when possessive repeated groups should always return to a higher
223      level as they have no backtrack points in them. The empty string test now      level as they have no backtrack points in them. The empty string test now
224      occurs at the outer level.      occurs at the outer level.
225    
226  8.  Fixed a bug that was incorrectly auto-possessifying \w+ in the pattern  8.  Fixed a bug that was incorrectly auto-possessifying \w+ in the pattern
227      ^\w+(?>\s*)(?<=\w) which caused it not to match "test test".      ^\w+(?>\s*)(?<=\w) which caused it not to match "test test".
228    
229  9.  Give a compile-time error for \o{} (as Perl does) and for \x{} (which Perl  9.  Give a compile-time error for \o{} (as Perl does) and for \x{} (which Perl
230      doesn't).      doesn't).
231    
232  10. Change 8.34/15 introduced a bug that caused the amount of memory needed  10. Change 8.34/15 introduced a bug that caused the amount of memory needed
233      to hold a pattern to be incorrectly computed (too small) when there were      to hold a pattern to be incorrectly computed (too small) when there were
234      named back references to duplicated names. This could cause "internal      named back references to duplicated names. This could cause "internal
235      error: code overflow" or "double free or corruption" or other memory      error: code overflow" or "double free or corruption" or other memory
236      handling errors.      handling errors.
237    
238  11. When named subpatterns had the same prefixes, back references could be  11. When named subpatterns had the same prefixes, back references could be
239      confused. For example, in this pattern:      confused. For example, in this pattern:
240    
241        /(?P<Name>a)?(?P<Name2>b)?(?(<Name>)c|d)*l/        /(?P<Name>a)?(?P<Name2>b)?(?(<Name>)c|d)*l/
242    
243      the reference to 'Name' was incorrectly treated as a reference to a      the reference to 'Name' was incorrectly treated as a reference to a
244      duplicate name.      duplicate name.
245    
246  12. A pattern such as /^s?c/mi8 where the optional character has more than  12. A pattern such as /^s?c/mi8 where the optional character has more than
247      one "other case" was incorrectly compiled such that it would only try to      one "other case" was incorrectly compiled such that it would only try to
248      match starting at "c".      match starting at "c".
249    
250  13. When a pattern starting with \s was studied, VT was not included in the  13. When a pattern starting with \s was studied, VT was not included in the
251      list of possible starting characters; this should have been part of the      list of possible starting characters; this should have been part of the
252      8.34/18 patch.      8.34/18 patch.
253    
254  14. If a character class started [\Qx]... where x is any character, the class  14. If a character class started [\Qx]... where x is any character, the class
255      was incorrectly terminated at the ].      was incorrectly terminated at the ].
256    
257  15. If a pattern that started with a caseless match for a character with more  15. If a pattern that started with a caseless match for a character with more
258      than one "other case" was studied, PCRE did not set up the starting code      than one "other case" was studied, PCRE did not set up the starting code
259      unit bit map for the list of possible characters. Now it does. This is an      unit bit map for the list of possible characters. Now it does. This is an
260      optimization improvement, not a bug fix.      optimization improvement, not a bug fix.
261    
262  16. The Unicode data tables have been updated to Unicode 7.0.0.  16. The Unicode data tables have been updated to Unicode 7.0.0.
# Line 82  Version 8.36 xx-xxx-2014 Line 264  Version 8.36 xx-xxx-2014
264  17. Fixed a number of memory leaks in pcregrep.  17. Fixed a number of memory leaks in pcregrep.
265    
266  18. Avoid a compiler warning (from some compilers) for a function call with  18. Avoid a compiler warning (from some compilers) for a function call with
267      a cast that removes "const" from an lvalue by using an intermediate      a cast that removes "const" from an lvalue by using an intermediate
268      variable (to which the compiler does not object).      variable (to which the compiler does not object).
269    
270  19. Incorrect code was compiled if a group that contained an internal recursive  19. Incorrect code was compiled if a group that contained an internal recursive
271      back reference was optional (had quantifier with a minimum of zero). This      back reference was optional (had quantifier with a minimum of zero). This
272      example compiled incorrect code: /(((a\2)|(a*)\g<-1>))*/ and other examples      example compiled incorrect code: /(((a\2)|(a*)\g<-1>))*/ and other examples
273      caused segmentation faults because of stack overflows at compile time.      caused segmentation faults because of stack overflows at compile time.
274    
275    20. A pattern such as /((?(R)a|(?1)))+/, which contains a recursion within a
276        group that is quantified with an indefinite repeat, caused a compile-time
277        loop which used up all the system stack and provoked a segmentation fault.
278        This was not the same bug as 19 above.
279    
280    21. Add PCRECPP_EXP_DECL declaration to operator<< in pcre_stringpiece.h.
281        Patch by Mike Frysinger.
282    
283    
284  Version 8.35 04-April-2014  Version 8.35 04-April-2014
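Review bot: Entry 20 in the 8.36 section records the failure for /((?(R)a|(?1)))+/ (compile-time loop, stack exhaustion, segmentation fault) but not the behaviour after the fix. Add a closing sentence saying whether such a pattern now compiles correctly or is rejected with a compile-time error, so that a reader checking an upgrade knows what to expect. Entry 21 reads as an instruction ("Add PCRECPP_EXP_DECL declaration ...") where the neighbouring entries describe what was changed and why; a few words on what the missing declaration affected would make it match them.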
