/[pcre]/code/trunk/ChangeLog

Diff of /code/trunk/ChangeLog


revision 1534 by ph10, Tue Mar 24 10:33:21 2015 UTC revision 1564 by ph10, Tue Jun 9 16:33:27 2015 UTC
# Line 1  Line 1 
1  ChangeLog for PCRE  ChangeLog for PCRE
2  ------------------  ------------------
3    
4  Version 8.37 xx-xxx-2015  Note that the PCRE 8.xx series (PCRE1) is now in a bugfix-only state. All
5    development is happening in the PCRE2 10.xx series.
6    
7    Version 8.38 xx-xxx-xxxx
8  ------------------------  ------------------------
9    
10    1.  If a group that contained a recursive back reference also contained a
11        forward reference subroutine call followed by a non-forward-reference
12        subroutine call, for example /.((?2)(?R)\1)()/, pcre2_compile() failed to
13        compile correct code, leading to undefined behaviour or an internally
14        detected error. This bug was discovered by the LLVM fuzzer.
15    
16    2.  Quantification of certain items (e.g. atomic back references) could cause
17        incorrect code to be compiled when recursive forward references were
18        involved. For example, in this pattern: /(?1)()((((((\1++))\x85)+)|))/.
19        This bug was discovered by the LLVM fuzzer.
20    
21    3.  A repeated conditional group whose condition was a reference by name caused
22        a buffer overflow if there was more than one group with the given name.
23        This bug was discovered by the LLVM fuzzer.
24    
25    4.  A recursive back reference by name within a group that had the same name as
26        another group caused a buffer overflow. For example:
27        /(?J)(?'d'(?'d'\g{d}))/. This bug was discovered by the LLVM fuzzer.
28    
29    5.  A forward reference by name to a group whose number is the same as the
30        current group, for example in this pattern: /(?|(\k'Pm')|(?'Pm'))/, caused
31        a buffer overflow at compile time. This bug was discovered by the LLVM
32        fuzzer.
33    
34    6.  A lookbehind assertion within a set of mutually recursive subpatterns could
35        provoke a buffer overflow. This bug was discovered by the LLVM fuzzer.
36    
37    7.  Another buffer overflow bug involved duplicate named groups with a
38        reference between their definition, with a group that reset capture
39        numbers, for example: /(?J:(?|(?'R')(\k'R')|((?'R'))))/. This has been
40        fixed by always allowing for more memory, even if not needed. (A proper fix
41        is implemented in PCRE2, but it involves more refactoring.)
42    
43    8.  There was no check for integer overflow in subroutine calls such as (?123).
44    
45    9.  The table entry for \l in EBCDIC environments was incorrect, leading to its
46        being treated as a literal 'l' instead of causing an error.
47    
48    
49    Version 8.37 28-April-2015
50    --------------------------
51    
52  1.  When an (*ACCEPT) is triggered inside capturing parentheses, it arranges  1.  When an (*ACCEPT) is triggered inside capturing parentheses, it arranges
53      for those parentheses to be closed with whatever has been captured so far.      for those parentheses to be closed with whatever has been captured so far.
54      However, it was failing to mark any other groups between the hightest      However, it was failing to mark any other groups between the hightest
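Review bot: the new item 1 under Version 8.38 names pcre2_compile(), but the note added at the top of this same hunk says this file covers the PCRE 8.xx (PCRE1) series, where the compile function is pcre_compile(). The same slip is corrected further down in this revision (pcre2_match() changed to pcre_exec() in the 8.37 entry), so it should be corrected here as well.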
# Line 41  Version 8.37 xx-xxx-2015 Line 86  Version 8.37 xx-xxx-2015
86     was no other kind of back reference (a situation which is probably quite     was no other kind of back reference (a situation which is probably quite
87     rare). The effect of the bug was that the condition was always treated as     rare). The effect of the bug was that the condition was always treated as
88     FALSE when the capture could not be consulted, leading to a incorrect     FALSE when the capture could not be consulted, leading to a incorrect
89     behaviour by pcre2_match(). This bug has been fixed.     behaviour by pcre_exec(). This bug has been fixed.
90    
91  9. A reference to a duplicated named group (either a back reference or a test  9. A reference to a duplicated named group (either a back reference or a test
92     for being set in a conditional) that occurred in a part of the pattern where     for being set in a conditional) that occurred in a part of the pattern where
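Review bot: the change of pcre2_match() to pcre_exec() is the right name for this file; while that sentence is being touched, "leading to a incorrect behaviour" should read "leading to incorrect behaviour".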
# Line 65  Version 8.37 xx-xxx-2015 Line 110  Version 8.37 xx-xxx-2015
110      failed to allow the zero-repeat case if pcre2_exec() was called with an      failed to allow the zero-repeat case if pcre2_exec() was called with an
111      ovector too small to capture the group.      ovector too small to capture the group.
112    
113  13. Fixed two bugs in pcretest that were discovered by fuzzing and reported by  13. Fixed two bugs in pcretest that were discovered by fuzzing and reported by
114      Red Hat Product Security:      Red Hat Product Security:
115    
116      (a) A crash if /K and /F were both set with the option to save the compiled      (a) A crash if /K and /F were both set with the option to save the compiled
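Review bot: the unchanged context just before item 13 still says "if pcre2_exec() was called", a function that exists in neither PCRE1 (pcre_exec()) nor PCRE2 (pcre2_match()). Since the neighbouring entry's pcre2_match() was corrected to pcre_exec() in this revision, this one appears to have been missed and should become "pcre_exec()" too.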
# Line 74  Version 8.37 xx-xxx-2015 Line 119  Version 8.37 xx-xxx-2015
119      (b) Another crash if the option to print captured substrings in a callout      (b) Another crash if the option to print captured substrings in a callout
120      was combined with setting a null ovector, for example \O\C+ as a subject      was combined with setting a null ovector, for example \O\C+ as a subject
121      string.      string.
122    
123  14. A pattern such as "((?2){0,1999}())?", which has a group containing a  14. A pattern such as "((?2){0,1999}())?", which has a group containing a
124      forward reference repeated a large (but limited) number of times within a      forward reference repeated a large (but limited) number of times within a
125      repeated outer group that has a zero minimum quantifier, caused incorrect      repeated outer group that has a zero minimum quantifier, caused incorrect
126      code to be compiled, leading to the error "internal error:      code to be compiled, leading to the error "internal error:
127      previously-checked referenced subpattern not found" when an incorrect      previously-checked referenced subpattern not found" when an incorrect
128      memory address was read. This bug was reported as "heap overflow",      memory address was read. This bug was reported as "heap overflow",
129      discovered by Kai Lu of Fortinet's FortiGuard Labs and given the CVE number      discovered by Kai Lu of Fortinet's FortiGuard Labs and given the CVE number
130      CVE-2015-2325.      CVE-2015-2325.
131    
132  23. A pattern such as "((?+1)(\1))/" containing a forward reference subroutine  23. A pattern such as "((?+1)(\1))/" containing a forward reference subroutine
133      call within a group that also contained a recursive back reference caused      call within a group that also contained a recursive back reference caused
134      incorrect code to be compiled. This bug was reported as "heap overflow",      incorrect code to be compiled. This bug was reported as "heap overflow",
135      discovered by Kai Lu of Fortinet's FortiGuard Labs, and given the CVE      discovered by Kai Lu of Fortinet's FortiGuard Labs, and given the CVE
136      number CVE-2015-2326.      number CVE-2015-2326.
137    
138  24. Computing the size of the JIT read-only data in advance has been a source  24. Computing the size of the JIT read-only data in advance has been a source
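Review bot: the item numbering jumps from 14 (CVE-2015-2325) straight to 23 (CVE-2015-2326) with only a blank line between them and no elided region, so either eight entries are missing from the file or the numbers are wrong. Because later entries cross-reference by number (item 37 refers to "36"), the sequence should be repaired in one pass rather than left as is.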
# Line 102  Version 8.37 xx-xxx-2015 Line 147  Version 8.37 xx-xxx-2015
147    
148  26. Fix JIT compilation of conditional blocks, which assertion  26. Fix JIT compilation of conditional blocks, which assertion
149      is converted to (*FAIL). E.g: /(?(?!))/.      is converted to (*FAIL). E.g: /(?(?!))/.
150    
151  27. The pattern /(?(?!)^)/ caused references to random memory. This bug was  27. The pattern /(?(?!)^)/ caused references to random memory. This bug was
152      discovered by the LLVM fuzzer.      discovered by the LLVM fuzzer.
153    
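Review bot: item 26 reads "conditional blocks, which assertion is converted to (*FAIL)"; "which" should be "whose", and "E.g:" should be written "e.g." to match the style used elsewhere in the file (for instance "(e.g. /(?<=\Ka)/)" in item 36).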
# Line 111  Version 8.37 xx-xxx-2015 Line 156  Version 8.37 xx-xxx-2015
156      pcre2_match() it worked by luck; in pcre2_dfa_match() it gave an incorrect      pcre2_match() it worked by luck; in pcre2_dfa_match() it gave an incorrect
157      error about an unsupported item.      error about an unsupported item.
158    
159    29. For some types of pattern, for example /Z*(|d*){216}/, the auto-
160        possessification code could take exponential time to complete. A recursion
161        depth limit of 1000 has been imposed to limit the resources used by this
162        optimization.
163    
164    30. A pattern such as /(*UTF)[\S\V\H]/, which contains a negated special class
165        such as \S in non-UCP mode, explicit wide characters (> 255) can be ignored
166        because \S ensures they are all in the class. The code for doing this was
167        interacting badly with the code for computing the amount of space needed to
168        compile the pattern, leading to a buffer overflow. This bug was discovered
169        by the LLVM fuzzer.
170    
171    31. A pattern such as /((?2)+)((?1))/ which has mutual recursion nested inside
172        other kinds of group caused stack overflow at compile time. This bug was
173        discovered by the LLVM fuzzer.
174    
175    32. A pattern such as /(?1)(?#?'){8}(a)/ which had a parenthesized comment
176        between a subroutine call and its quantifier was incorrectly compiled,
177        leading to buffer overflow or other errors. This bug was discovered by the
178        LLVM fuzzer.
179    
180    33. The illegal pattern /(?(?<E>.*!.*)?)/ was not being diagnosed as missing an
181        assertion after (?(. The code was failing to check the character after
182        (?(?< for the ! or = that would indicate a lookbehind assertion. This bug
183        was discovered by the LLVM fuzzer.
184    
185    34. A pattern such as /X((?2)()*+){2}+/ which has a possessive quantifier with
186        a fixed maximum following a group that contains a subroutine reference was
187        incorrectly compiled and could trigger buffer overflow. This bug was
188        discovered by the LLVM fuzzer.
189    
190    35. A mutual recursion within a lookbehind assertion such as (?<=((?2))((?1)))
191        caused a stack overflow instead of the diagnosis of a non-fixed length
192        lookbehind assertion. This bug was discovered by the LLVM fuzzer.
193    
194    36. The use of \K in a positive lookbehind assertion in a non-anchored pattern
195        (e.g. /(?<=\Ka)/) could make pcregrep loop.
196    
197    37. There was a similar problem to 36 in pcretest for global matches.
198    
199    38. If a greedy quantified \X was preceded by \C in UTF mode (e.g. \C\X*),
200        and a subsequent item in the pattern caused a non-match, backtracking over
201        the repeated \X did not stop, but carried on past the start of the subject,
202        causing reference to random memory and/or a segfault. There were also some
203        other cases where backtracking after \C could crash. This set of bugs was
204        discovered by the LLVM fuzzer.
205    
206    39. The function for finding the minimum length of a matching string could take
207        a very long time if mutual recursion was present many times in a pattern,
208        for example, /((?2){73}(?2))((?1))/. A better mutual recursion detection
209        method has been implemented. This infelicity was discovered by the LLVM
210        fuzzer.
211    
212    40. Static linking against the PCRE library using the pkg-config module was
213        failing on missing pthread symbols.
214    
215    
216  Version 8.36 26-September-2014  Version 8.36 26-September-2014
217  ------------------------------  ------------------------------
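Review bot: the first sentence of new item 30 has no main clause ("A pattern such as /(*UTF)[\S\V\H]/, which contains ..., explicit wide characters (> 255) can be ignored ..."). Suggest: "In a pattern such as /(*UTF)[\S\V\H]/, which contains a negated special class such as \S in non-UCP mode, explicit wide characters (> 255) can be ignored because \S ensures they are all in the class." Item 37 would also read better stating its own symptom ("pcretest could loop on global matches when \K appeared in a positive lookbehind") rather than only "a similar problem to 36".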
