
Diff of /code/trunk/ChangeLog


revision 1414 by zherczeg, Sun Dec 22 16:27:35 2013 UTC revision 1567 by ph10, Fri Jun 12 16:24:58 2015 UTC
# Line 1  Line 1 
1  ChangeLog for PCRE  ChangeLog for PCRE
2  ------------------  ------------------
3    
4  Version 8.35-RC1 xx-xxxx-201x  Note that the PCRE 8.xx series (PCRE1) is now in a bugfix-only state. All
5  -----------------------------  development is happening in the PCRE2 10.xx series.
6    
7    Version 8.38 xx-xxx-xxxx
8    ------------------------
9    
10    1.  If a group that contained a recursive back reference also contained a
11        forward reference subroutine call followed by a non-forward-reference
12        subroutine call, for example /.((?2)(?R)\1)()/, pcre2_compile() failed to
13        compile correct code, leading to undefined behaviour or an internally
14        detected error. This bug was discovered by the LLVM fuzzer.
15    
16    2.  Quantification of certain items (e.g. atomic back references) could cause
17        incorrect code to be compiled when recursive forward references were
18        involved. For example, in this pattern: /(?1)()((((((\1++))\x85)+)|))/.
19        This bug was discovered by the LLVM fuzzer.
20    
21    3.  A repeated conditional group whose condition was a reference by name caused
22        a buffer overflow if there was more than one group with the given name.
23        This bug was discovered by the LLVM fuzzer.
24    
25    4.  A recursive back reference by name within a group that had the same name as
26        another group caused a buffer overflow. For example:
27        /(?J)(?'d'(?'d'\g{d}))/. This bug was discovered by the LLVM fuzzer.
28    
29    5.  A forward reference by name to a group whose number is the same as the
30        current group, for example in this pattern: /(?|(\k'Pm')|(?'Pm'))/, caused
31        a buffer overflow at compile time. This bug was discovered by the LLVM
32        fuzzer.
33    
34    6.  A lookbehind assertion within a set of mutually recursive subpatterns could
35        provoke a buffer overflow. This bug was discovered by the LLVM fuzzer.
36    
37    7.  Another buffer overflow bug involved duplicate named groups with a
38        reference between their definition, with a group that reset capture
39        numbers, for example: /(?J:(?|(?'R')(\k'R')|((?'R'))))/. This has been
40        fixed by always allowing for more memory, even if not needed. (A proper fix
41        is implemented in PCRE2, but it involves more refactoring.)
42    
43    8.  There was no check for integer overflow in subroutine calls such as (?123).
44    
45    9.  The table entry for \l in EBCDIC environments was incorrect, leading to its
46        being treated as a literal 'l' instead of causing an error.
47    
48    10. There was a buffer overflow if pcre_exec() was called with an ovector of
49        size 1. This bug was found by american fuzzy lop.
50    
51    11. If a non-capturing group containing a conditional group that could match
52        an empty string was repeated, it was not identified as matching an empty
53        string itself. For example: /^(?:(?(1)x|)+)+$()/.
54    
55    12. In an EBCDIC environment, pcretest was mishandling the escape sequences
56        \a and \e in test subject lines.
57    
58    13. In an EBCDIC environment, \a in a pattern was converted to the ASCII
59        instead of the EBCDIC value.
60    
61    
62    Version 8.37 28-April-2015
63    --------------------------
64    
65    1.  When an (*ACCEPT) is triggered inside capturing parentheses, it arranges
66        for those parentheses to be closed with whatever has been captured so far.
67        However, it was failing to mark any other groups between the hightest
68        capture so far and the currrent group as "unset". Thus, the ovector for
69        those groups contained whatever was previously there. An example is the
70        pattern /(x)|((*ACCEPT))/ when matched against "abcd".
71    
72    2.  If an assertion condition was quantified with a minimum of zero (an odd
73        thing to do, but it happened), SIGSEGV or other misbehaviour could occur.
74    
75    3.  If a pattern in pcretest input had the P (POSIX) modifier followed by an
76        unrecognized modifier, a crash could occur.
77    
78    4.  An attempt to do global matching in pcretest with a zero-length ovector
79        caused a crash.
80    
81    5.  Fixed a memory leak during matching that could occur for a subpattern
82        subroutine call (recursive or otherwise) if the number of captured groups
83        that had to be saved was greater than ten.
84    
85    6.  Catch a bad opcode during auto-possessification after compiling a bad UTF
86        string with NO_UTF_CHECK. This is a tidyup, not a bug fix, as passing bad
87        UTF with NO_UTF_CHECK is documented as having an undefined outcome.
88    
89    7.  A UTF pattern containing a "not" match of a non-ASCII character and a
90        subroutine reference could loop at compile time. Example: /[^\xff]((?1))/.
91    
92    8. When a pattern is compiled, it remembers the highest back reference so that
93       when matching, if the ovector is too small, extra memory can be obtained to
94       use instead. A conditional subpattern whose condition is a check on a
95       capture having happened, such as, for example in the pattern
96       /^(?:(a)|b)(?(1)A|B)/, is another kind of back reference, but it was not
97       setting the highest backreference number. This mattered only if pcre_exec()
98       was called with an ovector that was too small to hold the capture, and there
99       was no other kind of back reference (a situation which is probably quite
100       rare). The effect of the bug was that the condition was always treated as
101       FALSE when the capture could not be consulted, leading to a incorrect
102       behaviour by pcre_exec(). This bug has been fixed.
103    
104    9. A reference to a duplicated named group (either a back reference or a test
105       for being set in a conditional) that occurred in a part of the pattern where
106       PCRE_DUPNAMES was not set caused the amount of memory needed for the pattern
107       to be incorrectly calculated, leading to overwriting.
108    
109    10. A mutually recursive set of back references such as (\2)(\1) caused a
110        segfault at study time (while trying to find the minimum matching length).
111        The infinite loop is now broken (with the minimum length unset, that is,
112        zero).
113    
114    11. If an assertion that was used as a condition was quantified with a minimum
115        of zero, matching went wrong. In particular, if the whole group had
116        unlimited repetition and could match an empty string, a segfault was
117        likely. The pattern (?(?=0)?)+ is an example that caused this. Perl allows
118        assertions to be quantified, but not if they are being used as conditions,
119        so the above pattern is faulted by Perl. PCRE has now been changed so that
120        it also rejects such patterns.
121    
122    12. A possessive capturing group such as (a)*+ with a minimum repeat of zero
123        failed to allow the zero-repeat case if pcre2_exec() was called with an
124        ovector too small to capture the group.
125    
126    13. Fixed two bugs in pcretest that were discovered by fuzzing and reported by
127        Red Hat Product Security:
128    
129        (a) A crash if /K and /F were both set with the option to save the compiled
130        pattern.
131    
132        (b) Another crash if the option to print captured substrings in a callout
133        was combined with setting a null ovector, for example \O\C+ as a subject
134        string.
135    
136    14. A pattern such as "((?2){0,1999}())?", which has a group containing a
137        forward reference repeated a large (but limited) number of times within a
138        repeated outer group that has a zero minimum quantifier, caused incorrect
139        code to be compiled, leading to the error "internal error:
140        previously-checked referenced subpattern not found" when an incorrect
141        memory address was read. This bug was reported as "heap overflow",
142        discovered by Kai Lu of Fortinet's FortiGuard Labs and given the CVE number
143        CVE-2015-2325.
144    
145    23. A pattern such as "((?+1)(\1))/" containing a forward reference subroutine
146        call within a group that also contained a recursive back reference caused
147        incorrect code to be compiled. This bug was reported as "heap overflow",
148        discovered by Kai Lu of Fortinet's FortiGuard Labs, and given the CVE
149        number CVE-2015-2326.
150    
151    24. Computing the size of the JIT read-only data in advance has been a source
152        of various issues, and new ones are still appear unfortunately. To fix
153        existing and future issues, size computation is eliminated from the code,
154        and replaced by on-demand memory allocation.
155    
156    25. A pattern such as /(?i)[A-`]/, where characters in the other case are
157        adjacent to the end of the range, and the range contained characters with
158        more than one other case, caused incorrect behaviour when compiled in UTF
159        mode. In that example, the range a-j was left out of the class.
160    
161    26. Fix JIT compilation of conditional blocks, which assertion
162        is converted to (*FAIL). E.g: /(?(?!))/.
163    
164    27. The pattern /(?(?!)^)/ caused references to random memory. This bug was
165        discovered by the LLVM fuzzer.
166    
167    28. The assertion (?!) is optimized to (*FAIL). This was not handled correctly
168        when this assertion was used as a condition, for example (?(?!)a|b). In
169        pcre2_match() it worked by luck; in pcre2_dfa_match() it gave an incorrect
170        error about an unsupported item.
171    
172    29. For some types of pattern, for example /Z*(|d*){216}/, the auto-
173        possessification code could take exponential time to complete. A recursion
174        depth limit of 1000 has been imposed to limit the resources used by this
175        optimization.
176    
177    30. A pattern such as /(*UTF)[\S\V\H]/, which contains a negated special class
178        such as \S in non-UCP mode, explicit wide characters (> 255) can be ignored
179        because \S ensures they are all in the class. The code for doing this was
180        interacting badly with the code for computing the amount of space needed to
181        compile the pattern, leading to a buffer overflow. This bug was discovered
182        by the LLVM fuzzer.
183    
184    31. A pattern such as /((?2)+)((?1))/ which has mutual recursion nested inside
185        other kinds of group caused stack overflow at compile time. This bug was
186        discovered by the LLVM fuzzer.
187    
188    32. A pattern such as /(?1)(?#?'){8}(a)/ which had a parenthesized comment
189        between a subroutine call and its quantifier was incorrectly compiled,
190        leading to buffer overflow or other errors. This bug was discovered by the
191        LLVM fuzzer.
192    
193    33. The illegal pattern /(?(?<E>.*!.*)?)/ was not being diagnosed as missing an
194        assertion after (?(. The code was failing to check the character after
195        (?(?< for the ! or = that would indicate a lookbehind assertion. This bug
196        was discovered by the LLVM fuzzer.
197    
198    34. A pattern such as /X((?2)()*+){2}+/ which has a possessive quantifier with
199        a fixed maximum following a group that contains a subroutine reference was
200        incorrectly compiled and could trigger buffer overflow. This bug was
201        discovered by the LLVM fuzzer.
202    
203    35. A mutual recursion within a lookbehind assertion such as (?<=((?2))((?1)))
204        caused a stack overflow instead of the diagnosis of a non-fixed length
205        lookbehind assertion. This bug was discovered by the LLVM fuzzer.
206    
207    36. The use of \K in a positive lookbehind assertion in a non-anchored pattern
208        (e.g. /(?<=\Ka)/) could make pcregrep loop.
209    
210    37. There was a similar problem to 36 in pcretest for global matches.
211    
212    38. If a greedy quantified \X was preceded by \C in UTF mode (e.g. \C\X*),
213        and a subsequent item in the pattern caused a non-match, backtracking over
214        the repeated \X did not stop, but carried on past the start of the subject,
215        causing reference to random memory and/or a segfault. There were also some
216        other cases where backtracking after \C could crash. This set of bugs was
217        discovered by the LLVM fuzzer.
218    
219    39. The function for finding the minimum length of a matching string could take
220        a very long time if mutual recursion was present many times in a pattern,
221        for example, /((?2){73}(?2))((?1))/. A better mutual recursion detection
222        method has been implemented. This infelicity was discovered by the LLVM
223        fuzzer.
224    
225    40. Static linking against the PCRE library using the pkg-config module was
226        failing on missing pthread symbols.
227    
228    
229    Version 8.36 26-September-2014
230    ------------------------------
231    
232    1.  Got rid of some compiler warnings in the C++ modules that were shown up by
233        -Wmissing-field-initializers and -Wunused-parameter.
234    
235    2.  The tests for quantifiers being too big (greater than 65535) were being
236        applied after reading the number, and stupidly assuming that integer
237        overflow would give a negative number. The tests are now applied as the
238        numbers are read.
239    
240    3.  Tidy code in pcre_exec.c where two branches that used to be different are
241        now the same.
242    
243    4.  The JIT compiler did not generate match limit checks for certain
244        bracketed expressions with quantifiers. This may lead to exponential
245        backtracking, instead of returning with PCRE_ERROR_MATCHLIMIT. This
246        issue should be resolved now.
247    
248    5.  Fixed an issue, which occures when nested alternatives are optimized
249        with table jumps.
250    
251    6.  Inserted two casts and changed some ints to size_t in the light of some
252        reported 64-bit compiler warnings (Bugzilla 1477).
253    
254    7.  Fixed a bug concerned with zero-minimum possessive groups that could match
255        an empty string, which sometimes were behaving incorrectly in the
256        interpreter (though correctly in the JIT matcher). This pcretest input is
257        an example:
258    
259          '\A(?:[^"]++|"(?:[^"]*+|"")*+")++'
260          NON QUOTED "QUOT""ED" AFTER "NOT MATCHED
261    
262        the interpreter was reporting a match of 'NON QUOTED ' only, whereas the
263        JIT matcher and Perl both matched 'NON QUOTED "QUOT""ED" AFTER '. The test
264        for an empty string was breaking the inner loop and carrying on at a lower
265        level, when possessive repeated groups should always return to a higher
266        level as they have no backtrack points in them. The empty string test now
267        occurs at the outer level.
268    
269    8.  Fixed a bug that was incorrectly auto-possessifying \w+ in the pattern
270        ^\w+(?>\s*)(?<=\w) which caused it not to match "test test".
271    
272    9.  Give a compile-time error for \o{} (as Perl does) and for \x{} (which Perl
273        doesn't).
274    
275    10. Change 8.34/15 introduced a bug that caused the amount of memory needed
276        to hold a pattern to be incorrectly computed (too small) when there were
277        named back references to duplicated names. This could cause "internal
278        error: code overflow" or "double free or corruption" or other memory
279        handling errors.
280    
281    11. When named subpatterns had the same prefixes, back references could be
282        confused. For example, in this pattern:
283    
284          /(?P<Name>a)?(?P<Name2>b)?(?(<Name>)c|d)*l/
285    
286        the reference to 'Name' was incorrectly treated as a reference to a
287        duplicate name.
288    
289    12. A pattern such as /^s?c/mi8 where the optional character has more than
290        one "other case" was incorrectly compiled such that it would only try to
291        match starting at "c".
292    
293    13. When a pattern starting with \s was studied, VT was not included in the
294        list of possible starting characters; this should have been part of the
295        8.34/18 patch.
296    
297    14. If a character class started [\Qx]... where x is any character, the class
298        was incorrectly terminated at the ].
299    
300    15. If a pattern that started with a caseless match for a character with more
301        than one "other case" was studied, PCRE did not set up the starting code
302        unit bit map for the list of possible characters. Now it does. This is an
303        optimization improvement, not a bug fix.
304    
305    16. The Unicode data tables have been updated to Unicode 7.0.0.
306    
307    17. Fixed a number of memory leaks in pcregrep.
308    
309    18. Avoid a compiler warning (from some compilers) for a function call with
310        a cast that removes "const" from an lvalue by using an intermediate
311        variable (to which the compiler does not object).
312    
313    19. Incorrect code was compiled if a group that contained an internal recursive
314        back reference was optional (had quantifier with a minimum of zero). This
315        example compiled incorrect code: /(((a\2)|(a*)\g<-1>))*/ and other examples
316        caused segmentation faults because of stack overflows at compile time.
317    
318    20. A pattern such as /((?(R)a|(?1)))+/, which contains a recursion within a
319        group that is quantified with an indefinite repeat, caused a compile-time
320        loop which used up all the system stack and provoked a segmentation fault.
321        This was not the same bug as 19 above.
322    
323    21. Add PCRECPP_EXP_DECL declaration to operator<< in pcre_stringpiece.h.
324        Patch by Mike Frysinger.
325    
326    
327    Version 8.35 04-April-2014
328    --------------------------
329    
330  1.  A new flag is set, when property checks are present in an XCLASS.  1.  A new flag is set, when property checks are present in an XCLASS.
331      When this flag is not set, PCRE can perform certain optimizations      When this flag is not set, PCRE can perform certain optimizations
332      such as studying these XCLASS-es.      such as studying these XCLASS-es.
333    
334    2.  The auto-possessification of character sets were improved: a normal
335        and an extended character set can be compared now. Furthermore
336        the JIT compiler optimizes more character set checks.
337    
338    3.  Got rid of some compiler warnings for potentially uninitialized variables
339        that show up only when compiled with -O2.
340    
341    4.  A pattern such as (?=ab\K) that uses \K in an assertion can set the start
342        of a match later then the end of the match. The pcretest program was not
343        handling the case sensibly - it was outputting from the start to the next
344        binary zero. It now reports this situation in a message, and outputs the
345        text from the end to the start.
346    
347    5.  Fast forward search is improved in JIT. Instead of the first three
348        characters, any three characters with fixed position can be searched.
349        Search order: first, last, middle.
350    
351    6.  Improve character range checks in JIT. Characters are read by an inprecise
352        function now, which returns with an unknown value if the character code is
353        above a certain threshold (e.g: 256). The only limitation is that the value
354        must be bigger than the threshold as well. This function is useful when
355        the characters above the threshold are handled in the same way.
356    
357    7.  The macros whose names start with RAWUCHAR are placeholders for a future
358        mode in which only the bottom 21 bits of 32-bit data items are used. To
359        make this more memorable for those maintaining the code, the names have
360        been changed to start with UCHAR21, and an extensive comment has been added
361        to their definition.
362    
363    8.  Add missing (new) files sljitNativeTILEGX.c and sljitNativeTILEGX-encoder.c
364        to the export list in Makefile.am (they were accidentally omitted from the
365        8.34 tarball).
366    
367    9.  The informational output from pcretest used the phrase "starting byte set"
368        which is inappropriate for the 16-bit and 32-bit libraries. As the output
369        for "first char" and "need char" really means "non-UTF-char", I've changed
370        "byte" to "char", and slightly reworded the output. The documentation about
371        these values has also been (I hope) clarified.
372    
373    10. Another JIT related optimization: use table jumps for selecting the correct
374        backtracking path, when more than four alternatives are present inside a
375        bracket.
376    
377    11. Empty match is not possible, when the minimum length is greater than zero,
378        and there is no \K in the pattern. JIT should avoid empty match checks in
379        such cases.
380    
381    12. In a caseless character class with UCP support, when a character with more
382        than one alternative case was not the first character of a range, not all
383        the alternative cases were added to the class. For example, s and \x{17f}
384        are both alternative cases for S: the class [RST] was handled correctly,
385        but [R-T] was not.
386    
387    13. The configure.ac file always checked for pthread support when JIT was
388        enabled. This is not used in Windows, so I have put this test inside a
389        check for the presence of windows.h (which was already tested for).
390    
391    14. Improve pattern prefix search by a simplified Boyer-Moore algorithm in JIT.
392        The algorithm provides a way to skip certain starting offsets, and usually
393        faster than linear prefix searches.
394    
395    15. Change 13 for 8.20 updated RunTest to check for the 'fr' locale as well
396        as for 'fr_FR' and 'french'. For some reason, however, it then used the
397        Windows-specific input and output files, which have 'french' screwed in.
398        So this could never have worked. One of the problems with locales is that
399        they aren't always the same. I have now updated RunTest so that it checks
400        the output of the locale test (test 3) against three different output
401        files, and it allows the test to pass if any one of them matches. With luck
402        this should make the test pass on some versions of Solaris where it was
403        failing. Because of the uncertainty, the script did not used to stop if
404        test 3 failed; it now does. If further versions of a French locale ever
405        come to light, they can now easily be added.
406    
407    16. If --with-pcregrep-bufsize was given a non-integer value such as "50K",
408        there was a message during ./configure, but it did not stop. This now
409        provokes an error. The invalid example in README has been corrected.
410        If a value less than the minimum is given, the minimum value has always
411        been used, but now a warning is given.
412    
413    17. If --enable-bsr-anycrlf was set, the special 16/32-bit test failed. This
414        was a bug in the test system, which is now fixed. Also, the list of various
415        configurations that are tested for each release did not have one with both
416        16/32 bits and --enable-bar-anycrlf. It now does.
417    
418    18. pcretest was missing "-C bsr" for displaying the \R default setting.
419    
420    19. Little endian PowerPC systems are supported now by the JIT compiler.
421    
422    20. The fast forward newline mechanism could enter to an infinite loop on
423        certain invalid UTF-8 input. Although we don't support these cases
424        this issue can be fixed by a performance optimization.
425    
426    21. Change 33 of 8.34 is not sufficient to ensure stack safety because it does
427        not take account if existing stack usage. There is now a new global
428        variable called pcre_stack_guard that can be set to point to an external
429        function to check stack availability. It is called at the start of
430        processing every parenthesized group.
431    
432    22. A typo in the code meant that in ungreedy mode the max/min qualifier
433        behaved like a min-possessive qualifier, and, for example, /a{1,3}b/U did
434        not match "ab".
435    
436    23. When UTF was disabled, the JIT program reported some incorrect compile
437        errors. These messages are silenced now.
438    
439    24. Experimental support for ARM-64 and MIPS-64 has been added to the JIT
440        compiler.
441    
442    25. Change all the temporary files used in RunGrepTest to be different to those
443        used by RunTest so that the tests can be run simultaneously, for example by
444        "make -j check".
445    
446    
447  Version 8.34 15-December-2013  Version 8.34 15-December-2013
448  -----------------------------  -----------------------------
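
Review bot: In the Version 8.37 section the numbering jumps from item 14 (CVE-2015-2325) straight to item 23 (CVE-2015-2326), so either entries 15 to 22 were dropped or items 23 to 40 are misnumbered; restore or renumber them, keeping in mind that entries cross-reference each other by number ("There was a similar problem to 36"). Several added entries name PCRE2 functions in this PCRE1 log: pcre2_compile() in 8.38 item 1, pcre2_exec() in 8.37 item 12, and pcre2_match() / pcre2_dfa_match() in 8.37 item 28, while other entries in the same sections say pcre_exec(); these should use the 8.xx API names so that readers triaging the overflow fixes look at the right library. 8.37 items 2 and 11 both describe an assertion condition quantified with a minimum of zero and read like the same fix recorded twice; merge them or say how they differ. Spelling to fix while here: "hightest" and "currrent" (8.37 item 1), "new ones are still appear" (8.37 item 24), "occures" (8.36 item 5), "inprecise" (8.35 item 6), and "--enable-bar-anycrlf" in 8.35 item 17, which the first sentence of that entry spells --enable-bsr-anycrlf.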
