/[pcre]/code/trunk/ChangeLog
ViewVC logotype

Diff of /code/trunk/ChangeLog

Parent Directory Parent Directory | Revision Log Revision Log | View Patch Patch

revision 1523 by ph10, Sun Feb 8 18:00:45 2015 UTC revision 1581 by ph10, Wed Jul 22 09:06:15 2015 UTC
# Line 1  Line 1 
1  ChangeLog for PCRE  ChangeLog for PCRE
2  ------------------  ------------------
3    
4  Version 8.37 xx-xxx-2015  Note that the PCRE 8.xx series (PCRE1) is now in a bugfix-only state. All
5    development is happening in the PCRE2 10.xx series.
6    
7    Version 8.38 xx-xxx-xxxx
8  ------------------------  ------------------------
9    
10  1.  When an (*ACCEPT) is triggered inside capturing parentheses, it arranges  1.  If a group that contained a recursive back reference also contained a
11      for those parentheses to be closed with whatever has been captured so far.      forward reference subroutine call followed by a non-forward-reference
12      However, it was failing to mark any other groups between the hightest      subroutine call, for example /.((?2)(?R)\1)()/, pcre2_compile() failed to
13      capture so far and the currrent group as "unset". Thus, the ovector for      compile correct code, leading to undefined behaviour or an internally
14      those groups contained whatever was previously there. An example is the      detected error. This bug was discovered by the LLVM fuzzer.
     pattern /(x)|((*ACCEPT))/ when matched against "abcd".  
15    
16  2.  If an assertion condition was quantified with a minimum of zero (an odd  2.  Quantification of certain items (e.g. atomic back references) could cause
17      thing to do, but it happened), SIGSEGV or other misbehaviour could occur.      incorrect code to be compiled when recursive forward references were
18        involved. For example, in this pattern: /(?1)()((((((\1++))\x85)+)|))/.
19        This bug was discovered by the LLVM fuzzer.
20    
21  3.  If a pattern in pcretest input had the P (POSIX) modifier followed by an  3.  A repeated conditional group whose condition was a reference by name caused
22      unrecognized modifier, a crash could occur.      a buffer overflow if there was more than one group with the given name.
23        This bug was discovered by the LLVM fuzzer.
24    
25  4.  An attempt to do global matching in pcretest with a zero-length ovector  4.  A recursive back reference by name within a group that had the same name as
26      caused a crash.      another group caused a buffer overflow. For example:
27        /(?J)(?'d'(?'d'\g{d}))/. This bug was discovered by the LLVM fuzzer.
28    
29    5.  A forward reference by name to a group whose number is the same as the
30        current group, for example in this pattern: /(?|(\k'Pm')|(?'Pm'))/, caused
31        a buffer overflow at compile time. This bug was discovered by the LLVM
32        fuzzer.
33    
34    6.  A lookbehind assertion within a set of mutually recursive subpatterns could
35        provoke a buffer overflow. This bug was discovered by the LLVM fuzzer.
36    
37    7.  Another buffer overflow bug involved duplicate named groups with a
38        reference between their definition, with a group that reset capture
39        numbers, for example: /(?J:(?|(?'R')(\k'R')|((?'R'))))/. This has been
40        fixed by always allowing for more memory, even if not needed. (A proper fix
41        is implemented in PCRE2, but it involves more refactoring.)
42    
43    8.  There was no check for integer overflow in subroutine calls such as (?123).
44    
45    9.  The table entry for \l in EBCDIC environments was incorrect, leading to its
46        being treated as a literal 'l' instead of causing an error.
47    
48    10. There was a buffer overflow if pcre_exec() was called with an ovector of
49        size 1. This bug was found by american fuzzy lop.
50    
51    11. If a non-capturing group containing a conditional group that could match
52        an empty string was repeated, it was not identified as matching an empty
53        string itself. For example: /^(?:(?(1)x|)+)+$()/.
54    
55    12. In an EBCDIC environment, pcretest was mishandling the escape sequences
56        \a and \e in test subject lines.
57    
58    13. In an EBCDIC environment, \a in a pattern was converted to the ASCII
59        instead of the EBCDIC value.
60    
61    14. The handling of \c in an EBCDIC environment has been revised so that it is
62        now compatible with the specification in Perl's perlebcdic page.
63    
64    15. The EBCDIC character 0x41 is a non-breaking space, equivalent to 0xa0 in
65        ASCII/Unicode. This has now been added to the list of characters that are
66        recognized as white space in EBCDIC.
67    
68    16. When PCRE was compiled without UCP support, the use of \p and \P gave an
69        error (correctly) when used outside a class, but did not give an error
70        within a class.
71    
72    17. \h within a class was incorrectly compiled in EBCDIC environments.
73    
74    18. A pattern with an unmatched closing parenthesis that contained a backward
75        assertion which itself contained a forward reference caused buffer
76        overflow. And example pattern is: /(?=di(?<=(?1))|(?=(.))))/.
77    
78    19. JIT should return with error when the compiled pattern requires more stack
79        space than the maximum.
80    
81    20. A possessively repeated conditional group that could match an empty string,
82        for example, /(?(R))*+/, was incorrectly compiled.
83    
84    21. Fix infinite recursion in the JIT compiler when certain patterns such as
85        /(?:|a|){100}x/ are analysed.
86    
87    22. Some patterns with character classes involving [: and \\ were incorrectly
88        compiled and could cause reading from uninitialized memory or an incorrect
89        error diagnosis.
90    
91    16. Pathological patterns containing many nested occurrences of [: caused
92        pcre_compile() to run for a very long time.
93    
94    17. A conditional group with only one branch has an implicit empty alternative
95        branch and must therefore be treated as potentially matching an empty
96        string.
97    
98    
99    Version 8.37 28-April-2015
100    --------------------------
101    
102    1.  When an (*ACCEPT) is triggered inside capturing parentheses, it arranges
103        for those parentheses to be closed with whatever has been captured so far.
104        However, it was failing to mark any other groups between the hightest
105        capture so far and the currrent group as "unset". Thus, the ovector for
106        those groups contained whatever was previously there. An example is the
107        pattern /(x)|((*ACCEPT))/ when matched against "abcd".
108    
109    2.  If an assertion condition was quantified with a minimum of zero (an odd
110        thing to do, but it happened), SIGSEGV or other misbehaviour could occur.
111    
112    3.  If a pattern in pcretest input had the P (POSIX) modifier followed by an
113        unrecognized modifier, a crash could occur.
114    
115    4.  An attempt to do global matching in pcretest with a zero-length ovector
116        caused a crash.
117    
118  5.  Fixed a memory leak during matching that could occur for a subpattern  5.  Fixed a memory leak during matching that could occur for a subpattern
119      subroutine call (recursive or otherwise) if the number of captured groups      subroutine call (recursive or otherwise) if the number of captured groups
120      that had to be saved was greater than ten.      that had to be saved was greater than ten.
121    
122  6.  Catch a bad opcode during auto-possessification after compiling a bad UTF  6.  Catch a bad opcode during auto-possessification after compiling a bad UTF
123      string with NO_UTF_CHECK. This is a tidyup, not a bug fix, as passing bad      string with NO_UTF_CHECK. This is a tidyup, not a bug fix, as passing bad
124      UTF with NO_UTF_CHECK is documented as having an undefined outcome.      UTF with NO_UTF_CHECK is documented as having an undefined outcome.
125    
126  7.  A UTF pattern containing a "not" match of a non-ASCII character and a  7.  A UTF pattern containing a "not" match of a non-ASCII character and a
127      subroutine reference could loop at compile time. Example: /[^\xff]((?1))/.      subroutine reference could loop at compile time. Example: /[^\xff]((?1))/.
128    
# Line 41  Version 8.37 xx-xxx-2015 Line 136  Version 8.37 xx-xxx-2015
136     was no other kind of back reference (a situation which is probably quite     was no other kind of back reference (a situation which is probably quite
137     rare). The effect of the bug was that the condition was always treated as     rare). The effect of the bug was that the condition was always treated as
138     FALSE when the capture could not be consulted, leading to a incorrect     FALSE when the capture could not be consulted, leading to a incorrect
139     behaviour by pcre2_match(). This bug has been fixed.     behaviour by pcre_exec(). This bug has been fixed.
140    
141  9. A reference to a duplicated named group (either a back reference or a test  9. A reference to a duplicated named group (either a back reference or a test
142     for being set in a conditional) that occurred in a part of the pattern where     for being set in a conditional) that occurred in a part of the pattern where
# Line 61  Version 8.37 xx-xxx-2015 Line 156  Version 8.37 xx-xxx-2015
156      so the above pattern is faulted by Perl. PCRE has now been changed so that      so the above pattern is faulted by Perl. PCRE has now been changed so that
157      it also rejects such patterns.      it also rejects such patterns.
158    
159    12. A possessive capturing group such as (a)*+ with a minimum repeat of zero
160        failed to allow the zero-repeat case if pcre2_exec() was called with an
161        ovector too small to capture the group.
162    
163    13. Fixed two bugs in pcretest that were discovered by fuzzing and reported by
164        Red Hat Product Security:
165    
166        (a) A crash if /K and /F were both set with the option to save the compiled
167        pattern.
168    
169        (b) Another crash if the option to print captured substrings in a callout
170        was combined with setting a null ovector, for example \O\C+ as a subject
171        string.
172    
173    14. A pattern such as "((?2){0,1999}())?", which has a group containing a
174        forward reference repeated a large (but limited) number of times within a
175        repeated outer group that has a zero minimum quantifier, caused incorrect
176        code to be compiled, leading to the error "internal error:
177        previously-checked referenced subpattern not found" when an incorrect
178        memory address was read. This bug was reported as "heap overflow",
179        discovered by Kai Lu of Fortinet's FortiGuard Labs and given the CVE number
180        CVE-2015-2325.
181    
182    23. A pattern such as "((?+1)(\1))/" containing a forward reference subroutine
183        call within a group that also contained a recursive back reference caused
184        incorrect code to be compiled. This bug was reported as "heap overflow",
185        discovered by Kai Lu of Fortinet's FortiGuard Labs, and given the CVE
186        number CVE-2015-2326.
187    
188    24. Computing the size of the JIT read-only data in advance has been a source
189        of various issues, and new ones are still appear unfortunately. To fix
190        existing and future issues, size computation is eliminated from the code,
191        and replaced by on-demand memory allocation.
192    
193    25. A pattern such as /(?i)[A-`]/, where characters in the other case are
194        adjacent to the end of the range, and the range contained characters with
195        more than one other case, caused incorrect behaviour when compiled in UTF
196        mode. In that example, the range a-j was left out of the class.
197    
198    26. Fix JIT compilation of conditional blocks, which assertion
199        is converted to (*FAIL). E.g: /(?(?!))/.
200    
201    27. The pattern /(?(?!)^)/ caused references to random memory. This bug was
202        discovered by the LLVM fuzzer.
203    
204    28. The assertion (?!) is optimized to (*FAIL). This was not handled correctly
205        when this assertion was used as a condition, for example (?(?!)a|b). In
206        pcre2_match() it worked by luck; in pcre2_dfa_match() it gave an incorrect
207        error about an unsupported item.
208    
209    29. For some types of pattern, for example /Z*(|d*){216}/, the auto-
210        possessification code could take exponential time to complete. A recursion
211        depth limit of 1000 has been imposed to limit the resources used by this
212        optimization.
213    
214    30. A pattern such as /(*UTF)[\S\V\H]/, which contains a negated special class
215        such as \S in non-UCP mode, explicit wide characters (> 255) can be ignored
216        because \S ensures they are all in the class. The code for doing this was
217        interacting badly with the code for computing the amount of space needed to
218        compile the pattern, leading to a buffer overflow. This bug was discovered
219        by the LLVM fuzzer.
220    
221    31. A pattern such as /((?2)+)((?1))/ which has mutual recursion nested inside
222        other kinds of group caused stack overflow at compile time. This bug was
223        discovered by the LLVM fuzzer.
224    
225    32. A pattern such as /(?1)(?#?'){8}(a)/ which had a parenthesized comment
226        between a subroutine call and its quantifier was incorrectly compiled,
227        leading to buffer overflow or other errors. This bug was discovered by the
228        LLVM fuzzer.
229    
230    33. The illegal pattern /(?(?<E>.*!.*)?)/ was not being diagnosed as missing an
231        assertion after (?(. The code was failing to check the character after
232        (?(?< for the ! or = that would indicate a lookbehind assertion. This bug
233        was discovered by the LLVM fuzzer.
234    
235    34. A pattern such as /X((?2)()*+){2}+/ which has a possessive quantifier with
236        a fixed maximum following a group that contains a subroutine reference was
237        incorrectly compiled and could trigger buffer overflow. This bug was
238        discovered by the LLVM fuzzer.
239    
240    35. A mutual recursion within a lookbehind assertion such as (?<=((?2))((?1)))
241        caused a stack overflow instead of the diagnosis of a non-fixed length
242        lookbehind assertion. This bug was discovered by the LLVM fuzzer.
243    
244    36. The use of \K in a positive lookbehind assertion in a non-anchored pattern
245        (e.g. /(?<=\Ka)/) could make pcregrep loop.
246    
247    37. There was a similar problem to 36 in pcretest for global matches.
248    
249    38. If a greedy quantified \X was preceded by \C in UTF mode (e.g. \C\X*),
250        and a subsequent item in the pattern caused a non-match, backtracking over
251        the repeated \X did not stop, but carried on past the start of the subject,
252        causing reference to random memory and/or a segfault. There were also some
253        other cases where backtracking after \C could crash. This set of bugs was
254        discovered by the LLVM fuzzer.
255    
256    39. The function for finding the minimum length of a matching string could take
257        a very long time if mutual recursion was present many times in a pattern,
258        for example, /((?2){73}(?2))((?1))/. A better mutual recursion detection
259        method has been implemented. This infelicity was discovered by the LLVM
260        fuzzer.
261    
262    40. Static linking against the PCRE library using the pkg-config module was
263        failing on missing pthread symbols.
264    
265    
266  Version 8.36 26-September-2014  Version 8.36 26-September-2014
267  ------------------------------  ------------------------------

Legend:
Removed from v.1523  
changed lines
  Added in v.1581

  ViewVC Help
Powered by ViewVC 1.1.5