/[pcre]/code/trunk/ChangeLog
ViewVC logotype

Diff of /code/trunk/ChangeLog

Parent Directory Parent Directory | Revision Log Revision Log | View Patch Patch

revision 1496 by ph10, Fri Jul 18 08:24:35 2014 UTC revision 1599 by zherczeg, Wed Sep 2 08:50:31 2015 UTC
# Line 1  Line 1 
1  ChangeLog for PCRE  ChangeLog for PCRE
2  ------------------  ------------------
3    
4  Version 8.36 xx-xxx-2014  Note that the PCRE 8.xx series (PCRE1) is now in a bugfix-only state. All
5    development is happening in the PCRE2 10.xx series.
6    
7    Version 8.38 xx-xxx-xxxx
8  ------------------------  ------------------------
9    
10    1.  If a group that contained a recursive back reference also contained a
11        forward reference subroutine call followed by a non-forward-reference
12        subroutine call, for example /.((?2)(?R)\1)()/, pcre2_compile() failed to
13        compile correct code, leading to undefined behaviour or an internally
14        detected error. This bug was discovered by the LLVM fuzzer.
15    
16    2.  Quantification of certain items (e.g. atomic back references) could cause
17        incorrect code to be compiled when recursive forward references were
18        involved. For example, in this pattern: /(?1)()((((((\1++))\x85)+)|))/.
19        This bug was discovered by the LLVM fuzzer.
20    
21    3.  A repeated conditional group whose condition was a reference by name caused
22        a buffer overflow if there was more than one group with the given name.
23        This bug was discovered by the LLVM fuzzer.
24    
25    4.  A recursive back reference by name within a group that had the same name as
26        another group caused a buffer overflow. For example:
27        /(?J)(?'d'(?'d'\g{d}))/. This bug was discovered by the LLVM fuzzer.
28    
29    5.  A forward reference by name to a group whose number is the same as the
30        current group, for example in this pattern: /(?|(\k'Pm')|(?'Pm'))/, caused
31        a buffer overflow at compile time. This bug was discovered by the LLVM
32        fuzzer.
33    
34    6.  A lookbehind assertion within a set of mutually recursive subpatterns could
35        provoke a buffer overflow. This bug was discovered by the LLVM fuzzer.
36    
37    7.  Another buffer overflow bug involved duplicate named groups with a
38        reference between their definition, with a group that reset capture
39        numbers, for example: /(?J:(?|(?'R')(\k'R')|((?'R'))))/. This has been
40        fixed by always allowing for more memory, even if not needed. (A proper fix
41        is implemented in PCRE2, but it involves more refactoring.)
42    
43    8.  There was no check for integer overflow in subroutine calls such as (?123).
44    
45    9.  The table entry for \l in EBCDIC environments was incorrect, leading to its
46        being treated as a literal 'l' instead of causing an error.
47    
48    10. There was a buffer overflow if pcre_exec() was called with an ovector of
49        size 1. This bug was found by american fuzzy lop.
50    
51    11. If a non-capturing group containing a conditional group that could match
52        an empty string was repeated, it was not identified as matching an empty
53        string itself. For example: /^(?:(?(1)x|)+)+$()/.
54    
55    12. In an EBCDIC environment, pcretest was mishandling the escape sequences
56        \a and \e in test subject lines.
57    
58    13. In an EBCDIC environment, \a in a pattern was converted to the ASCII
59        instead of the EBCDIC value.
60    
61    14. The handling of \c in an EBCDIC environment has been revised so that it is
62        now compatible with the specification in Perl's perlebcdic page.
63    
64    15. The EBCDIC character 0x41 is a non-breaking space, equivalent to 0xa0 in
65        ASCII/Unicode. This has now been added to the list of characters that are
66        recognized as white space in EBCDIC.
67    
68    16. When PCRE was compiled without UCP support, the use of \p and \P gave an
69        error (correctly) when used outside a class, but did not give an error
70        within a class.
71    
72    17. \h within a class was incorrectly compiled in EBCDIC environments.
73    
74    18. A pattern with an unmatched closing parenthesis that contained a backward
75        assertion which itself contained a forward reference caused buffer
76        overflow. And example pattern is: /(?=di(?<=(?1))|(?=(.))))/.
77    
78    19. JIT should return with error when the compiled pattern requires more stack
79        space than the maximum.
80    
81    20. A possessively repeated conditional group that could match an empty string,
82        for example, /(?(R))*+/, was incorrectly compiled.
83    
84    21. Fix infinite recursion in the JIT compiler when certain patterns such as
85        /(?:|a|){100}x/ are analysed.
86    
87    22. Some patterns with character classes involving [: and \\ were incorrectly
88        compiled and could cause reading from uninitialized memory or an incorrect
89        error diagnosis.
90    
91    23. Pathological patterns containing many nested occurrences of [: caused
92        pcre_compile() to run for a very long time.
93    
94    24. A conditional group with only one branch has an implicit empty alternative
95        branch and must therefore be treated as potentially matching an empty
96        string.
97    
98    25. If (?R was followed by - or + incorrect behaviour happened instead of a
99        diagnostic.
100    
101    26. Arrange to give up on finding the minimum matching length for overly
102        complex patterns.
103    
104    27. Similar to (4) above: in a pattern with duplicated named groups and an
105        occurrence of (?| it is possible for an apparently non-recursive back
106        reference to become recursive if a later named group with the relevant
107        number is encountered. This could lead to a buffer overflow. Wen Guanxing
108        from Venustech ADLAB discovered this bug.
109    
110    28. If pcregrep was given the -q option with -c or -l, or when handling a
111        binary file, it incorrectly wrote output to stdout.
112    
113    29. The JIT compiler did not restore the control verb head in case of *THEN
114        control verbs. This issue was found by Karl Skomski with a custom LLVM
115        fuzzer.
116    
117    30. Error messages for syntax errors following \g and \k were giving inaccurate
118        offsets in the pattern.
119    
120    31. Added a check for integer overflow in conditions (?(<digits>) and
121        (?(R<digits>). This omission was discovered by Karl Skomski with the LLVM
122        fuzzer.
123    
124    32. Handling recursive references such as (?2) when the reference is to a group
125        later in the pattern uses code that is very hacked about and error-prone.
126        It has been re-written for PCRE2. Here in PCRE1, a check has been added to
127        give an internal error if it is obvious that compiling has gone wrong.
128    
129    33. The JIT compiler should not check repeats after a {0,1} repeat byte code.
130        This issue was found by Karl Skomski with a custom LLVM fuzzer.
131    
132    34. The JIT compiler should restore the control chain for empty possessive
133        repeats. This issue was found by Karl Skomski with a custom LLVM fuzzer.
134    
135    35. Match limit check added to JIT recursion. This issue was found by Karl
136        Skomski with a custom LLVM fuzzer.
137    
138    36. Yet another case similar to 27 above has been circumvented by an
139        unconditional allocation of extra memory. This issue is fixed "properly" in
140        PCRE2 by refactoring the way references are handled. Wen Guanxing
141        from Venustech ADLAB discovered this bug.
142    
143    37. Fix two assertion fails in JIT. These issues were found by Karl Skomski
144        with a custom LLVM fuzzer.
145    
146    38. Fixed a corner case of range optimization in JIT.
147    
148    39. An incorrect error "overran compiling workspace" was given if there were
149        exactly enough group forward references such that the last one extended
150        into the workspace safety margin. The next one would have expanded the
151        workspace. The test for overflow was not including the safety margin.
152    
153    40. A match limit issue is fixed in JIT which was found by Karl Skomski
154        with a custom LLVM fuzzer.
155    
156    
157    Version 8.37 28-April-2015
158    --------------------------
159    
160    1.  When an (*ACCEPT) is triggered inside capturing parentheses, it arranges
161        for those parentheses to be closed with whatever has been captured so far.
162        However, it was failing to mark any other groups between the hightest
163        capture so far and the currrent group as "unset". Thus, the ovector for
164        those groups contained whatever was previously there. An example is the
165        pattern /(x)|((*ACCEPT))/ when matched against "abcd".
166    
167    2.  If an assertion condition was quantified with a minimum of zero (an odd
168        thing to do, but it happened), SIGSEGV or other misbehaviour could occur.
169    
170    3.  If a pattern in pcretest input had the P (POSIX) modifier followed by an
171        unrecognized modifier, a crash could occur.
172    
173    4.  An attempt to do global matching in pcretest with a zero-length ovector
174        caused a crash.
175    
176    5.  Fixed a memory leak during matching that could occur for a subpattern
177        subroutine call (recursive or otherwise) if the number of captured groups
178        that had to be saved was greater than ten.
179    
180    6.  Catch a bad opcode during auto-possessification after compiling a bad UTF
181        string with NO_UTF_CHECK. This is a tidyup, not a bug fix, as passing bad
182        UTF with NO_UTF_CHECK is documented as having an undefined outcome.
183    
184    7.  A UTF pattern containing a "not" match of a non-ASCII character and a
185        subroutine reference could loop at compile time. Example: /[^\xff]((?1))/.
186    
187    8. When a pattern is compiled, it remembers the highest back reference so that
188       when matching, if the ovector is too small, extra memory can be obtained to
189       use instead. A conditional subpattern whose condition is a check on a
190       capture having happened, such as, for example in the pattern
191       /^(?:(a)|b)(?(1)A|B)/, is another kind of back reference, but it was not
192       setting the highest backreference number. This mattered only if pcre_exec()
193       was called with an ovector that was too small to hold the capture, and there
194       was no other kind of back reference (a situation which is probably quite
195       rare). The effect of the bug was that the condition was always treated as
196       FALSE when the capture could not be consulted, leading to a incorrect
197       behaviour by pcre_exec(). This bug has been fixed.
198    
199    9. A reference to a duplicated named group (either a back reference or a test
200       for being set in a conditional) that occurred in a part of the pattern where
201       PCRE_DUPNAMES was not set caused the amount of memory needed for the pattern
202       to be incorrectly calculated, leading to overwriting.
203    
204    10. A mutually recursive set of back references such as (\2)(\1) caused a
205        segfault at study time (while trying to find the minimum matching length).
206        The infinite loop is now broken (with the minimum length unset, that is,
207        zero).
208    
209    11. If an assertion that was used as a condition was quantified with a minimum
210        of zero, matching went wrong. In particular, if the whole group had
211        unlimited repetition and could match an empty string, a segfault was
212        likely. The pattern (?(?=0)?)+ is an example that caused this. Perl allows
213        assertions to be quantified, but not if they are being used as conditions,
214        so the above pattern is faulted by Perl. PCRE has now been changed so that
215        it also rejects such patterns.
216    
217    12. A possessive capturing group such as (a)*+ with a minimum repeat of zero
218        failed to allow the zero-repeat case if pcre2_exec() was called with an
219        ovector too small to capture the group.
220    
221    13. Fixed two bugs in pcretest that were discovered by fuzzing and reported by
222        Red Hat Product Security:
223    
224        (a) A crash if /K and /F were both set with the option to save the compiled
225        pattern.
226    
227        (b) Another crash if the option to print captured substrings in a callout
228        was combined with setting a null ovector, for example \O\C+ as a subject
229        string.
230    
231    14. A pattern such as "((?2){0,1999}())?", which has a group containing a
232        forward reference repeated a large (but limited) number of times within a
233        repeated outer group that has a zero minimum quantifier, caused incorrect
234        code to be compiled, leading to the error "internal error:
235        previously-checked referenced subpattern not found" when an incorrect
236        memory address was read. This bug was reported as "heap overflow",
237        discovered by Kai Lu of Fortinet's FortiGuard Labs and given the CVE number
238        CVE-2015-2325.
239    
240    23. A pattern such as "((?+1)(\1))/" containing a forward reference subroutine
241        call within a group that also contained a recursive back reference caused
242        incorrect code to be compiled. This bug was reported as "heap overflow",
243        discovered by Kai Lu of Fortinet's FortiGuard Labs, and given the CVE
244        number CVE-2015-2326.
245    
246    24. Computing the size of the JIT read-only data in advance has been a source
247        of various issues, and new ones are still appear unfortunately. To fix
248        existing and future issues, size computation is eliminated from the code,
249        and replaced by on-demand memory allocation.
250    
251    25. A pattern such as /(?i)[A-`]/, where characters in the other case are
252        adjacent to the end of the range, and the range contained characters with
253        more than one other case, caused incorrect behaviour when compiled in UTF
254        mode. In that example, the range a-j was left out of the class.
255    
256    26. Fix JIT compilation of conditional blocks, which assertion
257        is converted to (*FAIL). E.g: /(?(?!))/.
258    
259    27. The pattern /(?(?!)^)/ caused references to random memory. This bug was
260        discovered by the LLVM fuzzer.
261    
262    28. The assertion (?!) is optimized to (*FAIL). This was not handled correctly
263        when this assertion was used as a condition, for example (?(?!)a|b). In
264        pcre2_match() it worked by luck; in pcre2_dfa_match() it gave an incorrect
265        error about an unsupported item.
266    
267    29. For some types of pattern, for example /Z*(|d*){216}/, the auto-
268        possessification code could take exponential time to complete. A recursion
269        depth limit of 1000 has been imposed to limit the resources used by this
270        optimization.
271    
272    30. A pattern such as /(*UTF)[\S\V\H]/, which contains a negated special class
273        such as \S in non-UCP mode, explicit wide characters (> 255) can be ignored
274        because \S ensures they are all in the class. The code for doing this was
275        interacting badly with the code for computing the amount of space needed to
276        compile the pattern, leading to a buffer overflow. This bug was discovered
277        by the LLVM fuzzer.
278    
279    31. A pattern such as /((?2)+)((?1))/ which has mutual recursion nested inside
280        other kinds of group caused stack overflow at compile time. This bug was
281        discovered by the LLVM fuzzer.
282    
283    32. A pattern such as /(?1)(?#?'){8}(a)/ which had a parenthesized comment
284        between a subroutine call and its quantifier was incorrectly compiled,
285        leading to buffer overflow or other errors. This bug was discovered by the
286        LLVM fuzzer.
287    
288    33. The illegal pattern /(?(?<E>.*!.*)?)/ was not being diagnosed as missing an
289        assertion after (?(. The code was failing to check the character after
290        (?(?< for the ! or = that would indicate a lookbehind assertion. This bug
291        was discovered by the LLVM fuzzer.
292    
293    34. A pattern such as /X((?2)()*+){2}+/ which has a possessive quantifier with
294        a fixed maximum following a group that contains a subroutine reference was
295        incorrectly compiled and could trigger buffer overflow. This bug was
296        discovered by the LLVM fuzzer.
297    
298    35. A mutual recursion within a lookbehind assertion such as (?<=((?2))((?1)))
299        caused a stack overflow instead of the diagnosis of a non-fixed length
300        lookbehind assertion. This bug was discovered by the LLVM fuzzer.
301    
302    36. The use of \K in a positive lookbehind assertion in a non-anchored pattern
303        (e.g. /(?<=\Ka)/) could make pcregrep loop.
304    
305    37. There was a similar problem to 36 in pcretest for global matches.
306    
307    38. If a greedy quantified \X was preceded by \C in UTF mode (e.g. \C\X*),
308        and a subsequent item in the pattern caused a non-match, backtracking over
309        the repeated \X did not stop, but carried on past the start of the subject,
310        causing reference to random memory and/or a segfault. There were also some
311        other cases where backtracking after \C could crash. This set of bugs was
312        discovered by the LLVM fuzzer.
313    
314    39. The function for finding the minimum length of a matching string could take
315        a very long time if mutual recursion was present many times in a pattern,
316        for example, /((?2){73}(?2))((?1))/. A better mutual recursion detection
317        method has been implemented. This infelicity was discovered by the LLVM
318        fuzzer.
319    
320    40. Static linking against the PCRE library using the pkg-config module was
321        failing on missing pthread symbols.
322    
323    
324    Version 8.36 26-September-2014
325    ------------------------------
326    
327  1.  Got rid of some compiler warnings in the C++ modules that were shown up by  1.  Got rid of some compiler warnings in the C++ modules that were shown up by
328      -Wmissing-field-initializers and -Wunused-parameter.      -Wmissing-field-initializers and -Wunused-parameter.
329    
330  2.  The tests for quantifiers being too big (greater than 65535) were being  2.  The tests for quantifiers being too big (greater than 65535) were being
331      applied after reading the number, and stupidly assuming that integer      applied after reading the number, and stupidly assuming that integer
332      overflow would give a negative number. The tests are now applied as the      overflow would give a negative number. The tests are now applied as the
333      numbers are read.      numbers are read.
334    
335  3.  Tidy code in pcre_exec.c where two branches that used to be different are  3.  Tidy code in pcre_exec.c where two branches that used to be different are
336      now the same.      now the same.
337    
338  4.  The JIT compiler did not generate match limit checks for certain  4.  The JIT compiler did not generate match limit checks for certain
339      bracketed expressions with quantifiers. This may lead to exponential      bracketed expressions with quantifiers. This may lead to exponential
# Line 22  Version 8.36 xx-xxx-2014 Line 342  Version 8.36 xx-xxx-2014
342    
343  5.  Fixed an issue, which occures when nested alternatives are optimized  5.  Fixed an issue, which occures when nested alternatives are optimized
344      with table jumps.      with table jumps.
345    
346  6.  Inserted two casts and changed some ints to size_t in the light of some  6.  Inserted two casts and changed some ints to size_t in the light of some
347      reported 64-bit compiler warnings (Bugzilla 1477).      reported 64-bit compiler warnings (Bugzilla 1477).
348    
349  7.  Fixed a bug concerned with zero-minimum possessive groups that could match  7.  Fixed a bug concerned with zero-minimum possessive groups that could match
350      an empty string, which sometimes were behaving incorrectly in the      an empty string, which sometimes were behaving incorrectly in the
351      interpreter (though correctly in the JIT matcher). This pcretest input is      interpreter (though correctly in the JIT matcher). This pcretest input is
352      an example:      an example:
353    
354        '\A(?:[^"]++|"(?:[^"]*+|"")*+")++'        '\A(?:[^"]++|"(?:[^"]*+|"")*+")++'
355        NON QUOTED "QUOT""ED" AFTER "NOT MATCHED        NON QUOTED "QUOT""ED" AFTER "NOT MATCHED
356    
357      the interpreter was reporting a match of 'NON QUOTED ' only, whereas the      the interpreter was reporting a match of 'NON QUOTED ' only, whereas the
358      JIT matcher and Perl both matched 'NON QUOTED "QUOT""ED" AFTER '. The test      JIT matcher and Perl both matched 'NON QUOTED "QUOT""ED" AFTER '. The test
359      for an empty string was breaking the inner loop and carrying on at a lower      for an empty string was breaking the inner loop and carrying on at a lower
360      level, when possessive repeated groups should always return to a higher      level, when possessive repeated groups should always return to a higher
361      level as they have no backtrack points in them. The empty string test now      level as they have no backtrack points in them. The empty string test now
362      occurs at the outer level.      occurs at the outer level.
363    
364  8.  Fixed a bug that was incorrectly auto-possessifying \w+ in the pattern  8.  Fixed a bug that was incorrectly auto-possessifying \w+ in the pattern
365      ^\w+(?>\s*)(?<=\w) which caused it not to match "test test".      ^\w+(?>\s*)(?<=\w) which caused it not to match "test test".
366    
367  9.  Give a compile-time error for \o{} (as Perl does) and for \x{} (which Perl  9.  Give a compile-time error for \o{} (as Perl does) and for \x{} (which Perl
368      doesn't).      doesn't).
369    
370  10. Change 8.34/15 introduced a bug that caused the amount of memory needed  10. Change 8.34/15 introduced a bug that caused the amount of memory needed
371      to hold a pattern to be incorrectly computed (too small) when there were      to hold a pattern to be incorrectly computed (too small) when there were
372      named back references to duplicated names. This could cause "internal      named back references to duplicated names. This could cause "internal
373      error: code overflow" or "double free or corruption" or other memory      error: code overflow" or "double free or corruption" or other memory
374      handling errors.      handling errors.
375    
376  11. When named subpatterns had the same prefixes, back references could be  11. When named subpatterns had the same prefixes, back references could be
377      confused. For example, in this pattern:      confused. For example, in this pattern:
378    
379        /(?P<Name>a)?(?P<Name2>b)?(?(<Name>)c|d)*l/        /(?P<Name>a)?(?P<Name2>b)?(?(<Name>)c|d)*l/
380    
381      the reference to 'Name' was incorrectly treated as a reference to a      the reference to 'Name' was incorrectly treated as a reference to a
382      duplicate name.      duplicate name.
383    
384  12. A pattern such as /^s?c/mi8 where the optional character has more than  12. A pattern such as /^s?c/mi8 where the optional character has more than
385      one "other case" was incorrectly compiled such that it would only try to      one "other case" was incorrectly compiled such that it would only try to
386      match starting at "c".      match starting at "c".
387    
388  13. When a pattern starting with \s was studied, VT was not included in the  13. When a pattern starting with \s was studied, VT was not included in the
389      list of possible starting characters; this should have been part of the      list of possible starting characters; this should have been part of the
390      8.34/18 patch.      8.34/18 patch.
391    
392  14. If a character class started [\Qx]... where x is any character, the class  14. If a character class started [\Qx]... where x is any character, the class
393      was incorrectly terminated at the ].      was incorrectly terminated at the ].
394    
395  15. If a pattern that started with a caseless match for a character with more  15. If a pattern that started with a caseless match for a character with more
396      than one "other case" was studied, PCRE did not set up the starting code      than one "other case" was studied, PCRE did not set up the starting code
397      unit bit map for the list of possible characters. Now it does. This is an      unit bit map for the list of possible characters. Now it does. This is an
398      optimization improvement, not a bug fix.      optimization improvement, not a bug fix.
399    
400  16. The Unicode data tables have been updated to Unicode 7.0.0.  16. The Unicode data tables have been updated to Unicode 7.0.0.
# Line 82  Version 8.36 xx-xxx-2014 Line 402  Version 8.36 xx-xxx-2014
402  17. Fixed a number of memory leaks in pcregrep.  17. Fixed a number of memory leaks in pcregrep.
403    
404  18. Avoid a compiler warning (from some compilers) for a function call with  18. Avoid a compiler warning (from some compilers) for a function call with
405      a cast that removes "const" from an lvalue by using an intermediate      a cast that removes "const" from an lvalue by using an intermediate
406      variable (to which the compiler does not object).      variable (to which the compiler does not object).
407    
408  19. Incorrect code was compiled if a group that contained an internal recursive  19. Incorrect code was compiled if a group that contained an internal recursive
409      back reference was optional (had quantifier with a minimum of zero). This      back reference was optional (had quantifier with a minimum of zero). This
410      example compiled incorrect code: /(((a\2)|(a*)\g<-1>))*/ and other examples      example compiled incorrect code: /(((a\2)|(a*)\g<-1>))*/ and other examples
411      caused segmentation faults because of stack overflows at compile time.      caused segmentation faults because of stack overflows at compile time.
412    
413    20. A pattern such as /((?(R)a|(?1)))+/, which contains a recursion within a
414        group that is quantified with an indefinite repeat, caused a compile-time
415        loop which used up all the system stack and provoked a segmentation fault.
416        This was not the same bug as 19 above.
417    
418    21. Add PCRECPP_EXP_DECL declaration to operator<< in pcre_stringpiece.h.
419        Patch by Mike Frysinger.
420    
421    
422  Version 8.35 04-April-2014  Version 8.35 04-April-2014

Legend:
Removed from v.1496  
changed lines
  Added in v.1599

  ViewVC Help
Powered by ViewVC 1.1.5