/[pcre]/code/trunk/ChangeLog
ViewVC logotype

Diff of /code/trunk/ChangeLog

Parent Directory Parent Directory | Revision Log Revision Log | View Patch Patch

revision 1414 by zherczeg, Sun Dec 22 16:27:35 2013 UTC revision 1559 by ph10, Sat May 16 11:05:40 2015 UTC
# Line 1  Line 1 
1  ChangeLog for PCRE  ChangeLog for PCRE
2  ------------------  ------------------
3    
4  Version 8.35-RC1 xx-xxxx-201x  Version 8.38 xx-xxx-xxxx
5  -----------------------------  ------------------------
6    
7    1.  If a group that contained a recursive back reference also contained a
8        forward reference subroutine call followed by a non-forward-reference
9        subroutine call, for example /.((?2)(?R)\1)()/, pcre2_compile() failed to
10        compile correct code, leading to undefined behaviour or an internally
11        detected error. This bug was discovered by the LLVM fuzzer.
12    
13    2.  Quantification of certain items (e.g. atomic back references) could cause
14        incorrect code to be compiled when recursive forward references were
15        involved. For example, in this pattern: /(?1)()((((((\1++))\x85)+)|))/.
16        This bug was discovered by the LLVM fuzzer.
17    
18    3.  A repeated conditional group whose condition was a reference by name caused
19        a buffer overflow if there was more than one group with the given name.
20        This bug was discovered by the LLVM fuzzer.
21    
22    4.  A recursive back reference by name within a group that had the same name as
23        another group caused a buffer overflow. For example:
24        /(?J)(?'d'(?'d'\g{d}))/. This bug was discovered by the LLVM fuzzer.
25    
26    30. A forward reference by name to a group whose number is the same as the
27        current group, for example in this pattern: /(?|(\k'Pm')|(?'Pm'))/, caused
28        a buffer overflow at compile time. This bug was discovered by the LLVM
29        fuzzer.
30    
31    
32    Version 8.37 28-April-2015
33    --------------------------
34    
35    1.  When an (*ACCEPT) is triggered inside capturing parentheses, it arranges
36        for those parentheses to be closed with whatever has been captured so far.
37        However, it was failing to mark any other groups between the hightest
38        capture so far and the currrent group as "unset". Thus, the ovector for
39        those groups contained whatever was previously there. An example is the
40        pattern /(x)|((*ACCEPT))/ when matched against "abcd".
41    
42    2.  If an assertion condition was quantified with a minimum of zero (an odd
43        thing to do, but it happened), SIGSEGV or other misbehaviour could occur.
44    
45    3.  If a pattern in pcretest input had the P (POSIX) modifier followed by an
46        unrecognized modifier, a crash could occur.
47    
48    4.  An attempt to do global matching in pcretest with a zero-length ovector
49        caused a crash.
50    
51    5.  Fixed a memory leak during matching that could occur for a subpattern
52        subroutine call (recursive or otherwise) if the number of captured groups
53        that had to be saved was greater than ten.
54    
55    6.  Catch a bad opcode during auto-possessification after compiling a bad UTF
56        string with NO_UTF_CHECK. This is a tidyup, not a bug fix, as passing bad
57        UTF with NO_UTF_CHECK is documented as having an undefined outcome.
58    
59    7.  A UTF pattern containing a "not" match of a non-ASCII character and a
60        subroutine reference could loop at compile time. Example: /[^\xff]((?1))/.
61    
62    8. When a pattern is compiled, it remembers the highest back reference so that
63       when matching, if the ovector is too small, extra memory can be obtained to
64       use instead. A conditional subpattern whose condition is a check on a
65       capture having happened, such as, for example in the pattern
66       /^(?:(a)|b)(?(1)A|B)/, is another kind of back reference, but it was not
67       setting the highest backreference number. This mattered only if pcre_exec()
68       was called with an ovector that was too small to hold the capture, and there
69       was no other kind of back reference (a situation which is probably quite
70       rare). The effect of the bug was that the condition was always treated as
71       FALSE when the capture could not be consulted, leading to a incorrect
72       behaviour by pcre_exec(). This bug has been fixed.
73    
74    9. A reference to a duplicated named group (either a back reference or a test
75       for being set in a conditional) that occurred in a part of the pattern where
76       PCRE_DUPNAMES was not set caused the amount of memory needed for the pattern
77       to be incorrectly calculated, leading to overwriting.
78    
79    10. A mutually recursive set of back references such as (\2)(\1) caused a
80        segfault at study time (while trying to find the minimum matching length).
81        The infinite loop is now broken (with the minimum length unset, that is,
82        zero).
83    
84    11. If an assertion that was used as a condition was quantified with a minimum
85        of zero, matching went wrong. In particular, if the whole group had
86        unlimited repetition and could match an empty string, a segfault was
87        likely. The pattern (?(?=0)?)+ is an example that caused this. Perl allows
88        assertions to be quantified, but not if they are being used as conditions,
89        so the above pattern is faulted by Perl. PCRE has now been changed so that
90        it also rejects such patterns.
91    
92    12. A possessive capturing group such as (a)*+ with a minimum repeat of zero
93        failed to allow the zero-repeat case if pcre2_exec() was called with an
94        ovector too small to capture the group.
95    
96    13. Fixed two bugs in pcretest that were discovered by fuzzing and reported by
97        Red Hat Product Security:
98    
99        (a) A crash if /K and /F were both set with the option to save the compiled
100        pattern.
101    
102        (b) Another crash if the option to print captured substrings in a callout
103        was combined with setting a null ovector, for example \O\C+ as a subject
104        string.
105    
106    14. A pattern such as "((?2){0,1999}())?", which has a group containing a
107        forward reference repeated a large (but limited) number of times within a
108        repeated outer group that has a zero minimum quantifier, caused incorrect
109        code to be compiled, leading to the error "internal error:
110        previously-checked referenced subpattern not found" when an incorrect
111        memory address was read. This bug was reported as "heap overflow",
112        discovered by Kai Lu of Fortinet's FortiGuard Labs and given the CVE number
113        CVE-2015-2325.
114    
115    23. A pattern such as "((?+1)(\1))/" containing a forward reference subroutine
116        call within a group that also contained a recursive back reference caused
117        incorrect code to be compiled. This bug was reported as "heap overflow",
118        discovered by Kai Lu of Fortinet's FortiGuard Labs, and given the CVE
119        number CVE-2015-2326.
120    
121    24. Computing the size of the JIT read-only data in advance has been a source
122        of various issues, and new ones are still appear unfortunately. To fix
123        existing and future issues, size computation is eliminated from the code,
124        and replaced by on-demand memory allocation.
125    
126    25. A pattern such as /(?i)[A-`]/, where characters in the other case are
127        adjacent to the end of the range, and the range contained characters with
128        more than one other case, caused incorrect behaviour when compiled in UTF
129        mode. In that example, the range a-j was left out of the class.
130    
131    26. Fix JIT compilation of conditional blocks, which assertion
132        is converted to (*FAIL). E.g: /(?(?!))/.
133    
134    27. The pattern /(?(?!)^)/ caused references to random memory. This bug was
135        discovered by the LLVM fuzzer.
136    
137    28. The assertion (?!) is optimized to (*FAIL). This was not handled correctly
138        when this assertion was used as a condition, for example (?(?!)a|b). In
139        pcre2_match() it worked by luck; in pcre2_dfa_match() it gave an incorrect
140        error about an unsupported item.
141    
142    29. For some types of pattern, for example /Z*(|d*){216}/, the auto-
143        possessification code could take exponential time to complete. A recursion
144        depth limit of 1000 has been imposed to limit the resources used by this
145        optimization.
146    
147    30. A pattern such as /(*UTF)[\S\V\H]/, which contains a negated special class
148        such as \S in non-UCP mode, explicit wide characters (> 255) can be ignored
149        because \S ensures they are all in the class. The code for doing this was
150        interacting badly with the code for computing the amount of space needed to
151        compile the pattern, leading to a buffer overflow. This bug was discovered
152        by the LLVM fuzzer.
153    
154    31. A pattern such as /((?2)+)((?1))/ which has mutual recursion nested inside
155        other kinds of group caused stack overflow at compile time. This bug was
156        discovered by the LLVM fuzzer.
157    
158    32. A pattern such as /(?1)(?#?'){8}(a)/ which had a parenthesized comment
159        between a subroutine call and its quantifier was incorrectly compiled,
160        leading to buffer overflow or other errors. This bug was discovered by the
161        LLVM fuzzer.
162    
163    33. The illegal pattern /(?(?<E>.*!.*)?)/ was not being diagnosed as missing an
164        assertion after (?(. The code was failing to check the character after
165        (?(?< for the ! or = that would indicate a lookbehind assertion. This bug
166        was discovered by the LLVM fuzzer.
167    
168    34. A pattern such as /X((?2)()*+){2}+/ which has a possessive quantifier with
169        a fixed maximum following a group that contains a subroutine reference was
170        incorrectly compiled and could trigger buffer overflow. This bug was
171        discovered by the LLVM fuzzer.
172    
173    35. A mutual recursion within a lookbehind assertion such as (?<=((?2))((?1)))
174        caused a stack overflow instead of the diagnosis of a non-fixed length
175        lookbehind assertion. This bug was discovered by the LLVM fuzzer.
176    
177    36. The use of \K in a positive lookbehind assertion in a non-anchored pattern
178        (e.g. /(?<=\Ka)/) could make pcregrep loop.
179    
180    37. There was a similar problem to 36 in pcretest for global matches.
181    
182    38. If a greedy quantified \X was preceded by \C in UTF mode (e.g. \C\X*),
183        and a subsequent item in the pattern caused a non-match, backtracking over
184        the repeated \X did not stop, but carried on past the start of the subject,
185        causing reference to random memory and/or a segfault. There were also some
186        other cases where backtracking after \C could crash. This set of bugs was
187        discovered by the LLVM fuzzer.
188    
189    39. The function for finding the minimum length of a matching string could take
190        a very long time if mutual recursion was present many times in a pattern,
191        for example, /((?2){73}(?2))((?1))/. A better mutual recursion detection
192        method has been implemented. This infelicity was discovered by the LLVM
193        fuzzer.
194    
195    40. Static linking against the PCRE library using the pkg-config module was
196        failing on missing pthread symbols.
197    
198    
199    Version 8.36 26-September-2014
200    ------------------------------
201    
202    1.  Got rid of some compiler warnings in the C++ modules that were shown up by
203        -Wmissing-field-initializers and -Wunused-parameter.
204    
205    2.  The tests for quantifiers being too big (greater than 65535) were being
206        applied after reading the number, and stupidly assuming that integer
207        overflow would give a negative number. The tests are now applied as the
208        numbers are read.
209    
210    3.  Tidy code in pcre_exec.c where two branches that used to be different are
211        now the same.
212    
213    4.  The JIT compiler did not generate match limit checks for certain
214        bracketed expressions with quantifiers. This may lead to exponential
215        backtracking, instead of returning with PCRE_ERROR_MATCHLIMIT. This
216        issue should be resolved now.
217    
218    5.  Fixed an issue, which occures when nested alternatives are optimized
219        with table jumps.
220    
221    6.  Inserted two casts and changed some ints to size_t in the light of some
222        reported 64-bit compiler warnings (Bugzilla 1477).
223    
224    7.  Fixed a bug concerned with zero-minimum possessive groups that could match
225        an empty string, which sometimes were behaving incorrectly in the
226        interpreter (though correctly in the JIT matcher). This pcretest input is
227        an example:
228    
229          '\A(?:[^"]++|"(?:[^"]*+|"")*+")++'
230          NON QUOTED "QUOT""ED" AFTER "NOT MATCHED
231    
232        the interpreter was reporting a match of 'NON QUOTED ' only, whereas the
233        JIT matcher and Perl both matched 'NON QUOTED "QUOT""ED" AFTER '. The test
234        for an empty string was breaking the inner loop and carrying on at a lower
235        level, when possessive repeated groups should always return to a higher
236        level as they have no backtrack points in them. The empty string test now
237        occurs at the outer level.
238    
239    8.  Fixed a bug that was incorrectly auto-possessifying \w+ in the pattern
240        ^\w+(?>\s*)(?<=\w) which caused it not to match "test test".
241    
242    9.  Give a compile-time error for \o{} (as Perl does) and for \x{} (which Perl
243        doesn't).
244    
245    10. Change 8.34/15 introduced a bug that caused the amount of memory needed
246        to hold a pattern to be incorrectly computed (too small) when there were
247        named back references to duplicated names. This could cause "internal
248        error: code overflow" or "double free or corruption" or other memory
249        handling errors.
250    
251    11. When named subpatterns had the same prefixes, back references could be
252        confused. For example, in this pattern:
253    
254          /(?P<Name>a)?(?P<Name2>b)?(?(<Name>)c|d)*l/
255    
256        the reference to 'Name' was incorrectly treated as a reference to a
257        duplicate name.
258    
259    12. A pattern such as /^s?c/mi8 where the optional character has more than
260        one "other case" was incorrectly compiled such that it would only try to
261        match starting at "c".
262    
263    13. When a pattern starting with \s was studied, VT was not included in the
264        list of possible starting characters; this should have been part of the
265        8.34/18 patch.
266    
267    14. If a character class started [\Qx]... where x is any character, the class
268        was incorrectly terminated at the ].
269    
270    15. If a pattern that started with a caseless match for a character with more
271        than one "other case" was studied, PCRE did not set up the starting code
272        unit bit map for the list of possible characters. Now it does. This is an
273        optimization improvement, not a bug fix.
274    
275    16. The Unicode data tables have been updated to Unicode 7.0.0.
276    
277    17. Fixed a number of memory leaks in pcregrep.
278    
279    18. Avoid a compiler warning (from some compilers) for a function call with
280        a cast that removes "const" from an lvalue by using an intermediate
281        variable (to which the compiler does not object).
282    
283    19. Incorrect code was compiled if a group that contained an internal recursive
284        back reference was optional (had quantifier with a minimum of zero). This
285        example compiled incorrect code: /(((a\2)|(a*)\g<-1>))*/ and other examples
286        caused segmentation faults because of stack overflows at compile time.
287    
288    20. A pattern such as /((?(R)a|(?1)))+/, which contains a recursion within a
289        group that is quantified with an indefinite repeat, caused a compile-time
290        loop which used up all the system stack and provoked a segmentation fault.
291        This was not the same bug as 19 above.
292    
293    21. Add PCRECPP_EXP_DECL declaration to operator<< in pcre_stringpiece.h.
294        Patch by Mike Frysinger.
295    
296    
297    Version 8.35 04-April-2014
298    --------------------------
299    
300  1.  A new flag is set, when property checks are present in an XCLASS.  1.  A new flag is set, when property checks are present in an XCLASS.
301      When this flag is not set, PCRE can perform certain optimizations      When this flag is not set, PCRE can perform certain optimizations
302      such as studying these XCLASS-es.      such as studying these XCLASS-es.
303    
304    2.  The auto-possessification of character sets were improved: a normal
305        and an extended character set can be compared now. Furthermore
306        the JIT compiler optimizes more character set checks.
307    
308    3.  Got rid of some compiler warnings for potentially uninitialized variables
309        that show up only when compiled with -O2.
310    
311    4.  A pattern such as (?=ab\K) that uses \K in an assertion can set the start
312        of a match later then the end of the match. The pcretest program was not
313        handling the case sensibly - it was outputting from the start to the next
314        binary zero. It now reports this situation in a message, and outputs the
315        text from the end to the start.
316    
317    5.  Fast forward search is improved in JIT. Instead of the first three
318        characters, any three characters with fixed position can be searched.
319        Search order: first, last, middle.
320    
321    6.  Improve character range checks in JIT. Characters are read by an inprecise
322        function now, which returns with an unknown value if the character code is
323        above a certain threshold (e.g: 256). The only limitation is that the value
324        must be bigger than the threshold as well. This function is useful when
325        the characters above the threshold are handled in the same way.
326    
327    7.  The macros whose names start with RAWUCHAR are placeholders for a future
328        mode in which only the bottom 21 bits of 32-bit data items are used. To
329        make this more memorable for those maintaining the code, the names have
330        been changed to start with UCHAR21, and an extensive comment has been added
331        to their definition.
332    
333    8.  Add missing (new) files sljitNativeTILEGX.c and sljitNativeTILEGX-encoder.c
334        to the export list in Makefile.am (they were accidentally omitted from the
335        8.34 tarball).
336    
337    9.  The informational output from pcretest used the phrase "starting byte set"
338        which is inappropriate for the 16-bit and 32-bit libraries. As the output
339        for "first char" and "need char" really means "non-UTF-char", I've changed
340        "byte" to "char", and slightly reworded the output. The documentation about
341        these values has also been (I hope) clarified.
342    
343    10. Another JIT related optimization: use table jumps for selecting the correct
344        backtracking path, when more than four alternatives are present inside a
345        bracket.
346    
347    11. Empty match is not possible, when the minimum length is greater than zero,
348        and there is no \K in the pattern. JIT should avoid empty match checks in
349        such cases.
350    
351    12. In a caseless character class with UCP support, when a character with more
352        than one alternative case was not the first character of a range, not all
353        the alternative cases were added to the class. For example, s and \x{17f}
354        are both alternative cases for S: the class [RST] was handled correctly,
355        but [R-T] was not.
356    
357    13. The configure.ac file always checked for pthread support when JIT was
358        enabled. This is not used in Windows, so I have put this test inside a
359        check for the presence of windows.h (which was already tested for).
360    
361    14. Improve pattern prefix search by a simplified Boyer-Moore algorithm in JIT.
362        The algorithm provides a way to skip certain starting offsets, and usually
363        faster than linear prefix searches.
364    
365    15. Change 13 for 8.20 updated RunTest to check for the 'fr' locale as well
366        as for 'fr_FR' and 'french'. For some reason, however, it then used the
367        Windows-specific input and output files, which have 'french' screwed in.
368        So this could never have worked. One of the problems with locales is that
369        they aren't always the same. I have now updated RunTest so that it checks
370        the output of the locale test (test 3) against three different output
371        files, and it allows the test to pass if any one of them matches. With luck
372        this should make the test pass on some versions of Solaris where it was
373        failing. Because of the uncertainty, the script did not used to stop if
374        test 3 failed; it now does. If further versions of a French locale ever
375        come to light, they can now easily be added.
376    
377    16. If --with-pcregrep-bufsize was given a non-integer value such as "50K",
378        there was a message during ./configure, but it did not stop. This now
379        provokes an error. The invalid example in README has been corrected.
380        If a value less than the minimum is given, the minimum value has always
381        been used, but now a warning is given.
382    
383    17. If --enable-bsr-anycrlf was set, the special 16/32-bit test failed. This
384        was a bug in the test system, which is now fixed. Also, the list of various
385        configurations that are tested for each release did not have one with both
386        16/32 bits and --enable-bar-anycrlf. It now does.
387    
388    18. pcretest was missing "-C bsr" for displaying the \R default setting.
389    
390    19. Little endian PowerPC systems are supported now by the JIT compiler.
391    
392    20. The fast forward newline mechanism could enter to an infinite loop on
393        certain invalid UTF-8 input. Although we don't support these cases
394        this issue can be fixed by a performance optimization.
395    
396    21. Change 33 of 8.34 is not sufficient to ensure stack safety because it does
397        not take account if existing stack usage. There is now a new global
398        variable called pcre_stack_guard that can be set to point to an external
399        function to check stack availability. It is called at the start of
400        processing every parenthesized group.
401    
402    22. A typo in the code meant that in ungreedy mode the max/min qualifier
403        behaved like a min-possessive qualifier, and, for example, /a{1,3}b/U did
404        not match "ab".
405    
406    23. When UTF was disabled, the JIT program reported some incorrect compile
407        errors. These messages are silenced now.
408    
409    24. Experimental support for ARM-64 and MIPS-64 has been added to the JIT
410        compiler.
411    
412    25. Change all the temporary files used in RunGrepTest to be different to those
413        used by RunTest so that the tests can be run simultaneously, for example by
414        "make -j check".
415    
416    
417  Version 8.34 15-December-2013  Version 8.34 15-December-2013
418  -----------------------------  -----------------------------

Legend:
Removed from v.1414  
changed lines
  Added in v.1559

  ViewVC Help
Powered by ViewVC 1.1.5