| 1 |
ChangeLog for PCRE |
ChangeLog for PCRE |
| 2 |
------------------ |
------------------ |
| 3 |
|
|
| 4 |
Version 8.37 xx-xxx-2015 |
Note that the PCRE 8.xx series (PCRE1) is now in a bugfix-only state. All |
| 5 |
|
development is happening in the PCRE2 10.xx series. |
| 6 |
|
|
| 7 |
|
Version 8.38 xx-xxx-xxxx |
| 8 |
------------------------ |
------------------------ |
| 9 |
|
|
| 10 |
|
1. If a group that contained a recursive back reference also contained a |
| 11 |
|
forward reference subroutine call followed by a non-forward-reference |
| 12 |
|
subroutine call, for example /.((?2)(?R)\1)()/, pcre2_compile() failed to |
| 13 |
|
compile correct code, leading to undefined behaviour or an internally |
| 14 |
|
detected error. This bug was discovered by the LLVM fuzzer. |
| 15 |
|
|
| 16 |
|
2. Quantification of certain items (e.g. atomic back references) could cause |
| 17 |
|
incorrect code to be compiled when recursive forward references were |
| 18 |
|
involved. For example, in this pattern: /(?1)()((((((\1++))\x85)+)|))/. |
| 19 |
|
This bug was discovered by the LLVM fuzzer. |
| 20 |
|
|
| 21 |
|
3. A repeated conditional group whose condition was a reference by name caused |
| 22 |
|
a buffer overflow if there was more than one group with the given name. |
| 23 |
|
This bug was discovered by the LLVM fuzzer. |
| 24 |
|
|
| 25 |
|
4. A recursive back reference by name within a group that had the same name as |
| 26 |
|
another group caused a buffer overflow. For example: |
| 27 |
|
/(?J)(?'d'(?'d'\g{d}))/. This bug was discovered by the LLVM fuzzer. |
| 28 |
|
|
| 29 |
|
5. A forward reference by name to a group whose number is the same as the |
| 30 |
|
current group, for example in this pattern: /(?|(\k'Pm')|(?'Pm'))/, caused |
| 31 |
|
a buffer overflow at compile time. This bug was discovered by the LLVM |
| 32 |
|
fuzzer. |
| 33 |
|
|
| 34 |
|
6. A lookbehind assertion within a set of mutually recursive subpatterns could |
| 35 |
|
provoke a buffer overflow. This bug was discovered by the LLVM fuzzer. |
| 36 |
|
|
| 37 |
|
7. Another buffer overflow bug involved duplicate named groups with a |
| 38 |
|
reference between their definition, with a group that reset capture |
| 39 |
|
numbers, for example: /(?J:(?|(?'R')(\k'R')|((?'R'))))/. This has been |
| 40 |
|
fixed by always allowing for more memory, even if not needed. (A proper fix |
| 41 |
|
is implemented in PCRE2, but it involves more refactoring.) |
| 42 |
|
|
| 43 |
|
8. There was no check for integer overflow in subroutine calls such as (?123). |
| 44 |
|
|
| 45 |
|
9. The table entry for \l in EBCDIC environments was incorrect, leading to its |
| 46 |
|
being treated as a literal 'l' instead of causing an error. |
| 47 |
|
|
| 48 |
|
10. There was a buffer overflow if pcre_exec() was called with an ovector of |
| 49 |
|
size 1. This bug was found by american fuzzy lop. |
| 50 |
|
|
| 51 |
|
11. If a non-capturing group containing a conditional group that could match |
| 52 |
|
an empty string was repeated, it was not identified as matching an empty |
| 53 |
|
string itself. For example: /^(?:(?(1)x|)+)+$()/. |
| 54 |
|
|
| 55 |
|
12. In an EBCDIC environment, pcretest was mishandling the escape sequences |
| 56 |
|
\a and \e in test subject lines. |
| 57 |
|
|
| 58 |
|
13. In an EBCDIC environment, \a in a pattern was converted to the ASCII |
| 59 |
|
instead of the EBCDIC value. |
| 60 |
|
|
| 61 |
|
14. The handling of \c in an EBCDIC environment has been revised so that it is |
| 62 |
|
now compatible with the specification in Perl's perlebcdic page. |
| 63 |
|
|
| 64 |
|
15. The EBCDIC character 0x41 is a non-breaking space, equivalent to 0xa0 in |
| 65 |
|
ASCII/Unicode. This has now been added to the list of characters that are |
| 66 |
|
recognized as white space in EBCDIC. |
| 67 |
|
|
| 68 |
|
16. When PCRE was compiled without UCP support, the use of \p and \P gave an |
| 69 |
|
error (correctly) when used outside a class, but did not give an error |
| 70 |
|
within a class. |
| 71 |
|
|
| 72 |
|
17. \h within a class was incorrectly compiled in EBCDIC environments. |
| 73 |
|
|
| 74 |
|
18. A pattern with an unmatched closing parenthesis that contained a backward |
| 75 |
|
assertion which itself contained a forward reference caused buffer |
| 76 |
|
overflow. And example pattern is: /(?=di(?<=(?1))|(?=(.))))/. |
| 77 |
|
|
| 78 |
|
19. JIT should return with error when the compiled pattern requires more stack |
| 79 |
|
space than the maximum. |
| 80 |
|
|
| 81 |
|
20. A possessively repeated conditional group that could match an empty string, |
| 82 |
|
for example, /(?(R))*+/, was incorrectly compiled. |
| 83 |
|
|
| 84 |
|
|
| 85 |
|
Version 8.37 28-April-2015 |
| 86 |
|
-------------------------- |
| 87 |
|
|
| 88 |
1. When an (*ACCEPT) is triggered inside capturing parentheses, it arranges |
1. When an (*ACCEPT) is triggered inside capturing parentheses, it arranges |
| 89 |
for those parentheses to be closed with whatever has been captured so far. |
for those parentheses to be closed with whatever has been captured so far. |
| 90 |
However, it was failing to mark any other groups between the hightest |
However, it was failing to mark any other groups between the hightest |
| 122 |
was no other kind of back reference (a situation which is probably quite |
was no other kind of back reference (a situation which is probably quite |
| 123 |
rare). The effect of the bug was that the condition was always treated as |
rare). The effect of the bug was that the condition was always treated as |
| 124 |
FALSE when the capture could not be consulted, leading to a incorrect |
FALSE when the capture could not be consulted, leading to a incorrect |
| 125 |
behaviour by pcre2_match(). This bug has been fixed. |
behaviour by pcre_exec(). This bug has been fixed. |
| 126 |
|
|
| 127 |
9. A reference to a duplicated named group (either a back reference or a test |
9. A reference to a duplicated named group (either a back reference or a test |
| 128 |
for being set in a conditional) that occurred in a part of the pattern where |
for being set in a conditional) that occurred in a part of the pattern where |
| 146 |
failed to allow the zero-repeat case if pcre2_exec() was called with an |
failed to allow the zero-repeat case if pcre2_exec() was called with an |
| 147 |
ovector too small to capture the group. |
ovector too small to capture the group. |
| 148 |
|
|
| 149 |
13. Fixed two bugs in pcretest that were discovered by fuzzing and reported by |
13. Fixed two bugs in pcretest that were discovered by fuzzing and reported by |
| 150 |
Red Hat Product Security: |
Red Hat Product Security: |
| 151 |
|
|
| 152 |
(a) A crash if /K and /F were both set with the option to save the compiled |
(a) A crash if /K and /F were both set with the option to save the compiled |
| 155 |
(b) Another crash if the option to print captured substrings in a callout |
(b) Another crash if the option to print captured substrings in a callout |
| 156 |
was combined with setting a null ovector, for example \O\C+ as a subject |
was combined with setting a null ovector, for example \O\C+ as a subject |
| 157 |
string. |
string. |
| 158 |
|
|
| 159 |
14. A pattern such as "((?2){0,1999}())?", which has a group containing a |
14. A pattern such as "((?2){0,1999}())?", which has a group containing a |
| 160 |
forward reference repeated a large (but limited) number of times within a |
forward reference repeated a large (but limited) number of times within a |
| 161 |
repeated outer group that has a zero minimum quantifier, caused incorrect |
repeated outer group that has a zero minimum quantifier, caused incorrect |
| 162 |
code to be compiled, leading to the error "internal error: |
code to be compiled, leading to the error "internal error: |
| 163 |
previously-checked referenced subpattern not found" when an incorrect |
previously-checked referenced subpattern not found" when an incorrect |
| 164 |
memory address was read. This bug was reported as "heap overflow", |
memory address was read. This bug was reported as "heap overflow", |
| 165 |
discovered by Kai Lu of Fortinet's FortiGuard Labs and given the CVE number |
discovered by Kai Lu of Fortinet's FortiGuard Labs and given the CVE number |
| 166 |
CVE-2015-2325. |
CVE-2015-2325. |
| 167 |
|
|
| 168 |
23. A pattern such as "((?+1)(\1))/" containing a forward reference subroutine |
23. A pattern such as "((?+1)(\1))/" containing a forward reference subroutine |
| 169 |
call within a group that also contained a recursive back reference caused |
call within a group that also contained a recursive back reference caused |
| 170 |
incorrect code to be compiled. This bug was reported as "heap overflow", |
incorrect code to be compiled. This bug was reported as "heap overflow", |
| 171 |
discovered by Kai Lu of Fortinet's FortiGuard Labs, and given the CVE |
discovered by Kai Lu of Fortinet's FortiGuard Labs, and given the CVE |
| 172 |
number CVE-2015-2326. |
number CVE-2015-2326. |
| 173 |
|
|
| 174 |
24. Computing the size of the JIT read-only data in advance has been a source |
24. Computing the size of the JIT read-only data in advance has been a source |
| 183 |
|
|
| 184 |
26. Fix JIT compilation of conditional blocks, which assertion |
26. Fix JIT compilation of conditional blocks, which assertion |
| 185 |
is converted to (*FAIL). E.g: /(?(?!))/. |
is converted to (*FAIL). E.g: /(?(?!))/. |
| 186 |
|
|
| 187 |
27. The pattern /(?(?!)^)/ caused references to random memory. This bug was |
27. The pattern /(?(?!)^)/ caused references to random memory. This bug was |
| 188 |
discovered by the LLVM fuzzer. |
discovered by the LLVM fuzzer. |
| 189 |
|
|
| 192 |
pcre2_match() it worked by luck; in pcre2_dfa_match() it gave an incorrect |
pcre2_match() it worked by luck; in pcre2_dfa_match() it gave an incorrect |
| 193 |
error about an unsupported item. |
error about an unsupported item. |
| 194 |
|
|
| 195 |
|
29. For some types of pattern, for example /Z*(|d*){216}/, the auto- |
| 196 |
|
possessification code could take exponential time to complete. A recursion |
| 197 |
|
depth limit of 1000 has been imposed to limit the resources used by this |
| 198 |
|
optimization. |
| 199 |
|
|
| 200 |
|
30. A pattern such as /(*UTF)[\S\V\H]/, which contains a negated special class |
| 201 |
|
such as \S in non-UCP mode, explicit wide characters (> 255) can be ignored |
| 202 |
|
because \S ensures they are all in the class. The code for doing this was |
| 203 |
|
interacting badly with the code for computing the amount of space needed to |
| 204 |
|
compile the pattern, leading to a buffer overflow. This bug was discovered |
| 205 |
|
by the LLVM fuzzer. |
| 206 |
|
|
| 207 |
|
31. A pattern such as /((?2)+)((?1))/ which has mutual recursion nested inside |
| 208 |
|
other kinds of group caused stack overflow at compile time. This bug was |
| 209 |
|
discovered by the LLVM fuzzer. |
| 210 |
|
|
| 211 |
|
32. A pattern such as /(?1)(?#?'){8}(a)/ which had a parenthesized comment |
| 212 |
|
between a subroutine call and its quantifier was incorrectly compiled, |
| 213 |
|
leading to buffer overflow or other errors. This bug was discovered by the |
| 214 |
|
LLVM fuzzer. |
| 215 |
|
|
| 216 |
|
33. The illegal pattern /(?(?<E>.*!.*)?)/ was not being diagnosed as missing an |
| 217 |
|
assertion after (?(. The code was failing to check the character after |
| 218 |
|
(?(?< for the ! or = that would indicate a lookbehind assertion. This bug |
| 219 |
|
was discovered by the LLVM fuzzer. |
| 220 |
|
|
| 221 |
|
34. A pattern such as /X((?2)()*+){2}+/ which has a possessive quantifier with |
| 222 |
|
a fixed maximum following a group that contains a subroutine reference was |
| 223 |
|
incorrectly compiled and could trigger buffer overflow. This bug was |
| 224 |
|
discovered by the LLVM fuzzer. |
| 225 |
|
|
| 226 |
|
35. A mutual recursion within a lookbehind assertion such as (?<=((?2))((?1))) |
| 227 |
|
caused a stack overflow instead of the diagnosis of a non-fixed length |
| 228 |
|
lookbehind assertion. This bug was discovered by the LLVM fuzzer. |
| 229 |
|
|
| 230 |
|
36. The use of \K in a positive lookbehind assertion in a non-anchored pattern |
| 231 |
|
(e.g. /(?<=\Ka)/) could make pcregrep loop. |
| 232 |
|
|
| 233 |
|
37. There was a similar problem to 36 in pcretest for global matches. |
| 234 |
|
|
| 235 |
|
38. If a greedy quantified \X was preceded by \C in UTF mode (e.g. \C\X*), |
| 236 |
|
and a subsequent item in the pattern caused a non-match, backtracking over |
| 237 |
|
the repeated \X did not stop, but carried on past the start of the subject, |
| 238 |
|
causing reference to random memory and/or a segfault. There were also some |
| 239 |
|
other cases where backtracking after \C could crash. This set of bugs was |
| 240 |
|
discovered by the LLVM fuzzer. |
| 241 |
|
|
| 242 |
|
39. The function for finding the minimum length of a matching string could take |
| 243 |
|
a very long time if mutual recursion was present many times in a pattern, |
| 244 |
|
for example, /((?2){73}(?2))((?1))/. A better mutual recursion detection |
| 245 |
|
method has been implemented. This infelicity was discovered by the LLVM |
| 246 |
|
fuzzer. |
| 247 |
|
|
| 248 |
|
40. Static linking against the PCRE library using the pkg-config module was |
| 249 |
|
failing on missing pthread symbols. |
| 250 |
|
|
| 251 |
|
|
| 252 |
Version 8.36 26-September-2014 |
Version 8.36 26-September-2014 |
| 253 |
------------------------------ |
------------------------------ |
Parent Directory
| 
Revision Log
| 
Patch