/[pcre]/code/trunk/ChangeLog
ViewVC logotype

Diff of /code/trunk/ChangeLog

Parent Directory Parent Directory | Revision Log Revision Log | View Patch Patch

revision 1534 by ph10, Tue Mar 24 10:33:21 2015 UTC revision 1576 by ph10, Fri Jul 17 15:15:18 2015 UTC
# Line 1  Line 1 
1  ChangeLog for PCRE  ChangeLog for PCRE
2  ------------------  ------------------
3    
4  Version 8.37 xx-xxx-2015  Note that the PCRE 8.xx series (PCRE1) is now in a bugfix-only state. All
5    development is happening in the PCRE2 10.xx series.
6    
7    Version 8.38 xx-xxx-xxxx
8  ------------------------  ------------------------
9    
10    1.  If a group that contained a recursive back reference also contained a
11        forward reference subroutine call followed by a non-forward-reference
12        subroutine call, for example /.((?2)(?R)\1)()/, pcre2_compile() failed to
13        compile correct code, leading to undefined behaviour or an internally
14        detected error. This bug was discovered by the LLVM fuzzer.
15    
16    2.  Quantification of certain items (e.g. atomic back references) could cause
17        incorrect code to be compiled when recursive forward references were
18        involved. For example, in this pattern: /(?1)()((((((\1++))\x85)+)|))/.
19        This bug was discovered by the LLVM fuzzer.
20    
21    3.  A repeated conditional group whose condition was a reference by name caused
22        a buffer overflow if there was more than one group with the given name.
23        This bug was discovered by the LLVM fuzzer.
24    
25    4.  A recursive back reference by name within a group that had the same name as
26        another group caused a buffer overflow. For example:
27        /(?J)(?'d'(?'d'\g{d}))/. This bug was discovered by the LLVM fuzzer.
28    
29    5.  A forward reference by name to a group whose number is the same as the
30        current group, for example in this pattern: /(?|(\k'Pm')|(?'Pm'))/, caused
31        a buffer overflow at compile time. This bug was discovered by the LLVM
32        fuzzer.
33    
34    6.  A lookbehind assertion within a set of mutually recursive subpatterns could
35        provoke a buffer overflow. This bug was discovered by the LLVM fuzzer.
36    
37    7.  Another buffer overflow bug involved duplicate named groups with a
38        reference between their definition, with a group that reset capture
39        numbers, for example: /(?J:(?|(?'R')(\k'R')|((?'R'))))/. This has been
40        fixed by always allowing for more memory, even if not needed. (A proper fix
41        is implemented in PCRE2, but it involves more refactoring.)
42    
43    8.  There was no check for integer overflow in subroutine calls such as (?123).
44    
45    9.  The table entry for \l in EBCDIC environments was incorrect, leading to its
46        being treated as a literal 'l' instead of causing an error.
47    
48    10. There was a buffer overflow if pcre_exec() was called with an ovector of
49        size 1. This bug was found by american fuzzy lop.
50    
51    11. If a non-capturing group containing a conditional group that could match
52        an empty string was repeated, it was not identified as matching an empty
53        string itself. For example: /^(?:(?(1)x|)+)+$()/.
54    
55    12. In an EBCDIC environment, pcretest was mishandling the escape sequences
56        \a and \e in test subject lines.
57    
58    13. In an EBCDIC environment, \a in a pattern was converted to the ASCII
59        instead of the EBCDIC value.
60    
61    14. The handling of \c in an EBCDIC environment has been revised so that it is
62        now compatible with the specification in Perl's perlebcdic page.
63    
64    15. The EBCDIC character 0x41 is a non-breaking space, equivalent to 0xa0 in
65        ASCII/Unicode. This has now been added to the list of characters that are
66        recognized as white space in EBCDIC.
67    
68    16. When PCRE was compiled without UCP support, the use of \p and \P gave an
69        error (correctly) when used outside a class, but did not give an error
70        within a class.
71    
72    17. \h within a class was incorrectly compiled in EBCDIC environments.
73    
74    18. A pattern with an unmatched closing parenthesis that contained a backward
75        assertion which itself contained a forward reference caused buffer
76        overflow. And example pattern is: /(?=di(?<=(?1))|(?=(.))))/.
77    
78    19. JIT should return with error when the compiled pattern requires more stack
79        space than the maximum.
80    
81    20. A possessively repeated conditional group that could match an empty string,
82        for example, /(?(R))*+/, was incorrectly compiled.
83    
84    
85    Version 8.37 28-April-2015
86    --------------------------
87    
88  1.  When an (*ACCEPT) is triggered inside capturing parentheses, it arranges  1.  When an (*ACCEPT) is triggered inside capturing parentheses, it arranges
89      for those parentheses to be closed with whatever has been captured so far.      for those parentheses to be closed with whatever has been captured so far.
90      However, it was failing to mark any other groups between the hightest      However, it was failing to mark any other groups between the hightest
# Line 41  Version 8.37 xx-xxx-2015 Line 122  Version 8.37 xx-xxx-2015
122     was no other kind of back reference (a situation which is probably quite     was no other kind of back reference (a situation which is probably quite
123     rare). The effect of the bug was that the condition was always treated as     rare). The effect of the bug was that the condition was always treated as
124     FALSE when the capture could not be consulted, leading to a incorrect     FALSE when the capture could not be consulted, leading to a incorrect
125     behaviour by pcre2_match(). This bug has been fixed.     behaviour by pcre_exec(). This bug has been fixed.
126    
127  9. A reference to a duplicated named group (either a back reference or a test  9. A reference to a duplicated named group (either a back reference or a test
128     for being set in a conditional) that occurred in a part of the pattern where     for being set in a conditional) that occurred in a part of the pattern where
# Line 65  Version 8.37 xx-xxx-2015 Line 146  Version 8.37 xx-xxx-2015
146      failed to allow the zero-repeat case if pcre2_exec() was called with an      failed to allow the zero-repeat case if pcre2_exec() was called with an
147      ovector too small to capture the group.      ovector too small to capture the group.
148    
149  13. Fixed two bugs in pcretest that were discovered by fuzzing and reported by  13. Fixed two bugs in pcretest that were discovered by fuzzing and reported by
150      Red Hat Product Security:      Red Hat Product Security:
151    
152      (a) A crash if /K and /F were both set with the option to save the compiled      (a) A crash if /K and /F were both set with the option to save the compiled
# Line 74  Version 8.37 xx-xxx-2015 Line 155  Version 8.37 xx-xxx-2015
155      (b) Another crash if the option to print captured substrings in a callout      (b) Another crash if the option to print captured substrings in a callout
156      was combined with setting a null ovector, for example \O\C+ as a subject      was combined with setting a null ovector, for example \O\C+ as a subject
157      string.      string.
158    
159  14. A pattern such as "((?2){0,1999}())?", which has a group containing a  14. A pattern such as "((?2){0,1999}())?", which has a group containing a
160      forward reference repeated a large (but limited) number of times within a      forward reference repeated a large (but limited) number of times within a
161      repeated outer group that has a zero minimum quantifier, caused incorrect      repeated outer group that has a zero minimum quantifier, caused incorrect
162      code to be compiled, leading to the error "internal error:      code to be compiled, leading to the error "internal error:
163      previously-checked referenced subpattern not found" when an incorrect      previously-checked referenced subpattern not found" when an incorrect
164      memory address was read. This bug was reported as "heap overflow",      memory address was read. This bug was reported as "heap overflow",
165      discovered by Kai Lu of Fortinet's FortiGuard Labs and given the CVE number      discovered by Kai Lu of Fortinet's FortiGuard Labs and given the CVE number
166      CVE-2015-2325.      CVE-2015-2325.
167    
168  23. A pattern such as "((?+1)(\1))/" containing a forward reference subroutine  23. A pattern such as "((?+1)(\1))/" containing a forward reference subroutine
169      call within a group that also contained a recursive back reference caused      call within a group that also contained a recursive back reference caused
170      incorrect code to be compiled. This bug was reported as "heap overflow",      incorrect code to be compiled. This bug was reported as "heap overflow",
171      discovered by Kai Lu of Fortinet's FortiGuard Labs, and given the CVE      discovered by Kai Lu of Fortinet's FortiGuard Labs, and given the CVE
172      number CVE-2015-2326.      number CVE-2015-2326.
173    
174  24. Computing the size of the JIT read-only data in advance has been a source  24. Computing the size of the JIT read-only data in advance has been a source
# Line 102  Version 8.37 xx-xxx-2015 Line 183  Version 8.37 xx-xxx-2015
183    
184  26. Fix JIT compilation of conditional blocks, which assertion  26. Fix JIT compilation of conditional blocks, which assertion
185      is converted to (*FAIL). E.g: /(?(?!))/.      is converted to (*FAIL). E.g: /(?(?!))/.
186    
187  27. The pattern /(?(?!)^)/ caused references to random memory. This bug was  27. The pattern /(?(?!)^)/ caused references to random memory. This bug was
188      discovered by the LLVM fuzzer.      discovered by the LLVM fuzzer.
189    
# Line 111  Version 8.37 xx-xxx-2015 Line 192  Version 8.37 xx-xxx-2015
192      pcre2_match() it worked by luck; in pcre2_dfa_match() it gave an incorrect      pcre2_match() it worked by luck; in pcre2_dfa_match() it gave an incorrect
193      error about an unsupported item.      error about an unsupported item.
194    
195    29. For some types of pattern, for example /Z*(|d*){216}/, the auto-
196        possessification code could take exponential time to complete. A recursion
197        depth limit of 1000 has been imposed to limit the resources used by this
198        optimization.
199    
200    30. A pattern such as /(*UTF)[\S\V\H]/, which contains a negated special class
201        such as \S in non-UCP mode, explicit wide characters (> 255) can be ignored
202        because \S ensures they are all in the class. The code for doing this was
203        interacting badly with the code for computing the amount of space needed to
204        compile the pattern, leading to a buffer overflow. This bug was discovered
205        by the LLVM fuzzer.
206    
207    31. A pattern such as /((?2)+)((?1))/ which has mutual recursion nested inside
208        other kinds of group caused stack overflow at compile time. This bug was
209        discovered by the LLVM fuzzer.
210    
211    32. A pattern such as /(?1)(?#?'){8}(a)/ which had a parenthesized comment
212        between a subroutine call and its quantifier was incorrectly compiled,
213        leading to buffer overflow or other errors. This bug was discovered by the
214        LLVM fuzzer.
215    
216    33. The illegal pattern /(?(?<E>.*!.*)?)/ was not being diagnosed as missing an
217        assertion after (?(. The code was failing to check the character after
218        (?(?< for the ! or = that would indicate a lookbehind assertion. This bug
219        was discovered by the LLVM fuzzer.
220    
221    34. A pattern such as /X((?2)()*+){2}+/ which has a possessive quantifier with
222        a fixed maximum following a group that contains a subroutine reference was
223        incorrectly compiled and could trigger buffer overflow. This bug was
224        discovered by the LLVM fuzzer.
225    
226    35. A mutual recursion within a lookbehind assertion such as (?<=((?2))((?1)))
227        caused a stack overflow instead of the diagnosis of a non-fixed length
228        lookbehind assertion. This bug was discovered by the LLVM fuzzer.
229    
230    36. The use of \K in a positive lookbehind assertion in a non-anchored pattern
231        (e.g. /(?<=\Ka)/) could make pcregrep loop.
232    
233    37. There was a similar problem to 36 in pcretest for global matches.
234    
235    38. If a greedy quantified \X was preceded by \C in UTF mode (e.g. \C\X*),
236        and a subsequent item in the pattern caused a non-match, backtracking over
237        the repeated \X did not stop, but carried on past the start of the subject,
238        causing reference to random memory and/or a segfault. There were also some
239        other cases where backtracking after \C could crash. This set of bugs was
240        discovered by the LLVM fuzzer.
241    
242    39. The function for finding the minimum length of a matching string could take
243        a very long time if mutual recursion was present many times in a pattern,
244        for example, /((?2){73}(?2))((?1))/. A better mutual recursion detection
245        method has been implemented. This infelicity was discovered by the LLVM
246        fuzzer.
247    
248    40. Static linking against the PCRE library using the pkg-config module was
249        failing on missing pthread symbols.
250    
251    
252  Version 8.36 26-September-2014  Version 8.36 26-September-2014
253  ------------------------------  ------------------------------

Legend:
Removed from v.1534  
changed lines
  Added in v.1576

  ViewVC Help
Powered by ViewVC 1.1.5