
Diff of /code/trunk/ChangeLog


revision 1462 by ph10, Mon Mar 10 16:28:54 2014 UTC revision 1566 by ph10, Tue Jun 9 17:45:25 2015 UTC
# Line 1  Line 1 
1  ChangeLog for PCRE  ChangeLog for PCRE
2  ------------------  ------------------
3    
4  Version 8.35-RC1 04-March-2014  Note that the PCRE 8.xx series (PCRE1) is now in a bugfix-only state. All
5    development is happening in the PCRE2 10.xx series.
6    
7    Version 8.38 xx-xxx-xxxx
8    ------------------------
9    
10    1.  If a group that contained a recursive back reference also contained a
11        forward reference subroutine call followed by a non-forward-reference
12        subroutine call, for example /.((?2)(?R)\1)()/, pcre2_compile() failed to
13        compile correct code, leading to undefined behaviour or an internally
14        detected error. This bug was discovered by the LLVM fuzzer.
15    
16    2.  Quantification of certain items (e.g. atomic back references) could cause
17        incorrect code to be compiled when recursive forward references were
18        involved. For example, in this pattern: /(?1)()((((((\1++))\x85)+)|))/.
19        This bug was discovered by the LLVM fuzzer.
20    
21    3.  A repeated conditional group whose condition was a reference by name caused
22        a buffer overflow if there was more than one group with the given name.
23        This bug was discovered by the LLVM fuzzer.
24    
25    4.  A recursive back reference by name within a group that had the same name as
26        another group caused a buffer overflow. For example:
27        /(?J)(?'d'(?'d'\g{d}))/. This bug was discovered by the LLVM fuzzer.
28    
29    5.  A forward reference by name to a group whose number is the same as the
30        current group, for example in this pattern: /(?|(\k'Pm')|(?'Pm'))/, caused
31        a buffer overflow at compile time. This bug was discovered by the LLVM
32        fuzzer.
33    
34    6.  A lookbehind assertion within a set of mutually recursive subpatterns could
35        provoke a buffer overflow. This bug was discovered by the LLVM fuzzer.
36    
37    7.  Another buffer overflow bug involved duplicate named groups with a
38        reference between their definition, with a group that reset capture
39        numbers, for example: /(?J:(?|(?'R')(\k'R')|((?'R'))))/. This has been
40        fixed by always allowing for more memory, even if not needed. (A proper fix
41        is implemented in PCRE2, but it involves more refactoring.)
42    
43    8.  There was no check for integer overflow in subroutine calls such as (?123).
44    
45    9.  The table entry for \l in EBCDIC environments was incorrect, leading to its
46        being treated as a literal 'l' instead of causing an error.
47    
48    10. There was a buffer overflow if pcre_exec() was called with an ovector of
49        size 1. This bug was found by american fuzzy lop.
50    
51    11. If a non-capturing group containing a conditional group that could match
52        an empty string was repeated, it was not identified as matching an empty
53        string itself. For example: /^(?:(?(1)x|)+)+$()/.
54    
55    
56    Version 8.37 28-April-2015
57    --------------------------
58    
59    1.  When an (*ACCEPT) is triggered inside capturing parentheses, it arranges
60        for those parentheses to be closed with whatever has been captured so far.
61        However, it was failing to mark any other groups between the hightest
62        capture so far and the currrent group as "unset". Thus, the ovector for
63        those groups contained whatever was previously there. An example is the
64        pattern /(x)|((*ACCEPT))/ when matched against "abcd".
65    
66    2.  If an assertion condition was quantified with a minimum of zero (an odd
67        thing to do, but it happened), SIGSEGV or other misbehaviour could occur.
68    
69    3.  If a pattern in pcretest input had the P (POSIX) modifier followed by an
70        unrecognized modifier, a crash could occur.
71    
72    4.  An attempt to do global matching in pcretest with a zero-length ovector
73        caused a crash.
74    
75    5.  Fixed a memory leak during matching that could occur for a subpattern
76        subroutine call (recursive or otherwise) if the number of captured groups
77        that had to be saved was greater than ten.
78    
79    6.  Catch a bad opcode during auto-possessification after compiling a bad UTF
80        string with NO_UTF_CHECK. This is a tidyup, not a bug fix, as passing bad
81        UTF with NO_UTF_CHECK is documented as having an undefined outcome.
82    
83    7.  A UTF pattern containing a "not" match of a non-ASCII character and a
84        subroutine reference could loop at compile time. Example: /[^\xff]((?1))/.
85    
86    8. When a pattern is compiled, it remembers the highest back reference so that
87       when matching, if the ovector is too small, extra memory can be obtained to
88       use instead. A conditional subpattern whose condition is a check on a
89       capture having happened, such as, for example in the pattern
90       /^(?:(a)|b)(?(1)A|B)/, is another kind of back reference, but it was not
91       setting the highest backreference number. This mattered only if pcre_exec()
92       was called with an ovector that was too small to hold the capture, and there
93       was no other kind of back reference (a situation which is probably quite
94       rare). The effect of the bug was that the condition was always treated as
95       FALSE when the capture could not be consulted, leading to a incorrect
96       behaviour by pcre_exec(). This bug has been fixed.
97    
98    9. A reference to a duplicated named group (either a back reference or a test
99       for being set in a conditional) that occurred in a part of the pattern where
100       PCRE_DUPNAMES was not set caused the amount of memory needed for the pattern
101       to be incorrectly calculated, leading to overwriting.
102    
103    10. A mutually recursive set of back references such as (\2)(\1) caused a
104        segfault at study time (while trying to find the minimum matching length).
105        The infinite loop is now broken (with the minimum length unset, that is,
106        zero).
107    
108    11. If an assertion that was used as a condition was quantified with a minimum
109        of zero, matching went wrong. In particular, if the whole group had
110        unlimited repetition and could match an empty string, a segfault was
111        likely. The pattern (?(?=0)?)+ is an example that caused this. Perl allows
112        assertions to be quantified, but not if they are being used as conditions,
113        so the above pattern is faulted by Perl. PCRE has now been changed so that
114        it also rejects such patterns.
115    
116    12. A possessive capturing group such as (a)*+ with a minimum repeat of zero
117        failed to allow the zero-repeat case if pcre2_exec() was called with an
118        ovector too small to capture the group.
119    
120    13. Fixed two bugs in pcretest that were discovered by fuzzing and reported by
121        Red Hat Product Security:
122    
123        (a) A crash if /K and /F were both set with the option to save the compiled
124        pattern.
125    
126        (b) Another crash if the option to print captured substrings in a callout
127        was combined with setting a null ovector, for example \O\C+ as a subject
128        string.
129    
130    14. A pattern such as "((?2){0,1999}())?", which has a group containing a
131        forward reference repeated a large (but limited) number of times within a
132        repeated outer group that has a zero minimum quantifier, caused incorrect
133        code to be compiled, leading to the error "internal error:
134        previously-checked referenced subpattern not found" when an incorrect
135        memory address was read. This bug was reported as "heap overflow",
136        discovered by Kai Lu of Fortinet's FortiGuard Labs and given the CVE number
137        CVE-2015-2325.
138    
139    23. A pattern such as "((?+1)(\1))/" containing a forward reference subroutine
140        call within a group that also contained a recursive back reference caused
141        incorrect code to be compiled. This bug was reported as "heap overflow",
142        discovered by Kai Lu of Fortinet's FortiGuard Labs, and given the CVE
143        number CVE-2015-2326.
144    
145    24. Computing the size of the JIT read-only data in advance has been a source
146        of various issues, and new ones are still appear unfortunately. To fix
147        existing and future issues, size computation is eliminated from the code,
148        and replaced by on-demand memory allocation.
149    
150    25. A pattern such as /(?i)[A-`]/, where characters in the other case are
151        adjacent to the end of the range, and the range contained characters with
152        more than one other case, caused incorrect behaviour when compiled in UTF
153        mode. In that example, the range a-j was left out of the class.
154    
155    26. Fix JIT compilation of conditional blocks, which assertion
156        is converted to (*FAIL). E.g: /(?(?!))/.
157    
158    27. The pattern /(?(?!)^)/ caused references to random memory. This bug was
159        discovered by the LLVM fuzzer.
160    
161    28. The assertion (?!) is optimized to (*FAIL). This was not handled correctly
162        when this assertion was used as a condition, for example (?(?!)a|b). In
163        pcre2_match() it worked by luck; in pcre2_dfa_match() it gave an incorrect
164        error about an unsupported item.
165    
166    29. For some types of pattern, for example /Z*(|d*){216}/, the auto-
167        possessification code could take exponential time to complete. A recursion
168        depth limit of 1000 has been imposed to limit the resources used by this
169        optimization.
170    
171    30. A pattern such as /(*UTF)[\S\V\H]/, which contains a negated special class
172        such as \S in non-UCP mode, explicit wide characters (> 255) can be ignored
173        because \S ensures they are all in the class. The code for doing this was
174        interacting badly with the code for computing the amount of space needed to
175        compile the pattern, leading to a buffer overflow. This bug was discovered
176        by the LLVM fuzzer.
177    
178    31. A pattern such as /((?2)+)((?1))/ which has mutual recursion nested inside
179        other kinds of group caused stack overflow at compile time. This bug was
180        discovered by the LLVM fuzzer.
181    
182    32. A pattern such as /(?1)(?#?'){8}(a)/ which had a parenthesized comment
183        between a subroutine call and its quantifier was incorrectly compiled,
184        leading to buffer overflow or other errors. This bug was discovered by the
185        LLVM fuzzer.
186    
187    33. The illegal pattern /(?(?<E>.*!.*)?)/ was not being diagnosed as missing an
188        assertion after (?(. The code was failing to check the character after
189        (?(?< for the ! or = that would indicate a lookbehind assertion. This bug
190        was discovered by the LLVM fuzzer.
191    
192    34. A pattern such as /X((?2)()*+){2}+/ which has a possessive quantifier with
193        a fixed maximum following a group that contains a subroutine reference was
194        incorrectly compiled and could trigger buffer overflow. This bug was
195        discovered by the LLVM fuzzer.
196    
197    35. A mutual recursion within a lookbehind assertion such as (?<=((?2))((?1)))
198        caused a stack overflow instead of the diagnosis of a non-fixed length
199        lookbehind assertion. This bug was discovered by the LLVM fuzzer.
200    
201    36. The use of \K in a positive lookbehind assertion in a non-anchored pattern
202        (e.g. /(?<=\Ka)/) could make pcregrep loop.
203    
204    37. There was a similar problem to 36 in pcretest for global matches.
205    
206    38. If a greedy quantified \X was preceded by \C in UTF mode (e.g. \C\X*),
207        and a subsequent item in the pattern caused a non-match, backtracking over
208        the repeated \X did not stop, but carried on past the start of the subject,
209        causing reference to random memory and/or a segfault. There were also some
210        other cases where backtracking after \C could crash. This set of bugs was
211        discovered by the LLVM fuzzer.
212    
213    39. The function for finding the minimum length of a matching string could take
214        a very long time if mutual recursion was present many times in a pattern,
215        for example, /((?2){73}(?2))((?1))/. A better mutual recursion detection
216        method has been implemented. This infelicity was discovered by the LLVM
217        fuzzer.
218    
219    40. Static linking against the PCRE library using the pkg-config module was
220        failing on missing pthread symbols.
221    
222    
223    Version 8.36 26-September-2014
224  ------------------------------  ------------------------------
225    
226    1.  Got rid of some compiler warnings in the C++ modules that were shown up by
227        -Wmissing-field-initializers and -Wunused-parameter.
228    
229    2.  The tests for quantifiers being too big (greater than 65535) were being
230        applied after reading the number, and stupidly assuming that integer
231        overflow would give a negative number. The tests are now applied as the
232        numbers are read.
233    
234    3.  Tidy code in pcre_exec.c where two branches that used to be different are
235        now the same.
236    
237    4.  The JIT compiler did not generate match limit checks for certain
238        bracketed expressions with quantifiers. This may lead to exponential
239        backtracking, instead of returning with PCRE_ERROR_MATCHLIMIT. This
240        issue should be resolved now.
241    
242    5.  Fixed an issue, which occures when nested alternatives are optimized
243        with table jumps.
244    
245    6.  Inserted two casts and changed some ints to size_t in the light of some
246        reported 64-bit compiler warnings (Bugzilla 1477).
247    
248    7.  Fixed a bug concerned with zero-minimum possessive groups that could match
249        an empty string, which sometimes were behaving incorrectly in the
250        interpreter (though correctly in the JIT matcher). This pcretest input is
251        an example:
252    
253          '\A(?:[^"]++|"(?:[^"]*+|"")*+")++'
254          NON QUOTED "QUOT""ED" AFTER "NOT MATCHED
255    
256        the interpreter was reporting a match of 'NON QUOTED ' only, whereas the
257        JIT matcher and Perl both matched 'NON QUOTED "QUOT""ED" AFTER '. The test
258        for an empty string was breaking the inner loop and carrying on at a lower
259        level, when possessive repeated groups should always return to a higher
260        level as they have no backtrack points in them. The empty string test now
261        occurs at the outer level.
262    
263    8.  Fixed a bug that was incorrectly auto-possessifying \w+ in the pattern
264        ^\w+(?>\s*)(?<=\w) which caused it not to match "test test".
265    
266    9.  Give a compile-time error for \o{} (as Perl does) and for \x{} (which Perl
267        doesn't).
268    
269    10. Change 8.34/15 introduced a bug that caused the amount of memory needed
270        to hold a pattern to be incorrectly computed (too small) when there were
271        named back references to duplicated names. This could cause "internal
272        error: code overflow" or "double free or corruption" or other memory
273        handling errors.
274    
275    11. When named subpatterns had the same prefixes, back references could be
276        confused. For example, in this pattern:
277    
278          /(?P<Name>a)?(?P<Name2>b)?(?(<Name>)c|d)*l/
279    
280        the reference to 'Name' was incorrectly treated as a reference to a
281        duplicate name.
282    
283    12. A pattern such as /^s?c/mi8 where the optional character has more than
284        one "other case" was incorrectly compiled such that it would only try to
285        match starting at "c".
286    
287    13. When a pattern starting with \s was studied, VT was not included in the
288        list of possible starting characters; this should have been part of the
289        8.34/18 patch.
290    
291    14. If a character class started [\Qx]... where x is any character, the class
292        was incorrectly terminated at the ].
293    
294    15. If a pattern that started with a caseless match for a character with more
295        than one "other case" was studied, PCRE did not set up the starting code
296        unit bit map for the list of possible characters. Now it does. This is an
297        optimization improvement, not a bug fix.
298    
299    16. The Unicode data tables have been updated to Unicode 7.0.0.
300    
301    17. Fixed a number of memory leaks in pcregrep.
302    
303    18. Avoid a compiler warning (from some compilers) for a function call with
304        a cast that removes "const" from an lvalue by using an intermediate
305        variable (to which the compiler does not object).
306    
307    19. Incorrect code was compiled if a group that contained an internal recursive
308        back reference was optional (had quantifier with a minimum of zero). This
309        example compiled incorrect code: /(((a\2)|(a*)\g<-1>))*/ and other examples
310        caused segmentation faults because of stack overflows at compile time.
311    
312    20. A pattern such as /((?(R)a|(?1)))+/, which contains a recursion within a
313        group that is quantified with an indefinite repeat, caused a compile-time
314        loop which used up all the system stack and provoked a segmentation fault.
315        This was not the same bug as 19 above.
316    
317    21. Add PCRECPP_EXP_DECL declaration to operator<< in pcre_stringpiece.h.
318        Patch by Mike Frysinger.
319    
320    
321    Version 8.35 04-April-2014
322    --------------------------
323    
324  1.  A new flag is set, when property checks are present in an XCLASS.  1.  A new flag is set, when property checks are present in an XCLASS.
325      When this flag is not set, PCRE can perform certain optimizations      When this flag is not set, PCRE can perform certain optimizations
326      such as studying these XCLASS-es.      such as studying these XCLASS-es.
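Review bot: Several new entries in this PCRE1 ChangeLog name PCRE2 functions: 8.38 item 1 (new line 12) says pcre2_compile(), 8.37 item 12 (line 117) says pcre2_exec(), and 8.37 item 28 (lines 163) says pcre2_match() and pcre2_dfa_match(), while neighbouring entries (8.38 item 10, 8.37 item 8) use pcre_exec(). The header added at lines 4-5 says this file covers the 8.xx series, so these names were presumably carried over from the PCRE2 log; please change them to the 8.xx API names so that someone triaging a PCRE1 build can match an entry to the function they actually call. In the same hunk the 8.37 numbering jumps from 14 to 23 (lines 130 and 139), which makes "8.37/NN" style cross-references ambiguous; renumber or restore the missing items. Minor spelling in the added text: "hightest" and "currrent" (lines 61-62), "a incorrect behaviour" (line 95), "are still appear" (line 146), "occures" (line 242).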
# Line 27  Version 8.35-RC1 04-March-2014 Line 344  Version 8.35-RC1 04-March-2014
344    
345  6.  Improve character range checks in JIT. Characters are read by an inprecise  6.  Improve character range checks in JIT. Characters are read by an inprecise
346      function now, which returns with an unknown value if the character code is      function now, which returns with an unknown value if the character code is
347      above a certain treshold (e.g: 256). The only limitation is that the value      above a certain threshold (e.g: 256). The only limitation is that the value
348      must be bigger than the treshold as well. This function is useful, when      must be bigger than the threshold as well. This function is useful when
349      the characters above the treshold are handled in the same way.      the characters above the threshold are handled in the same way.
350    
351  7.  The macros whose names start with RAWUCHAR are placeholders for a future  7.  The macros whose names start with RAWUCHAR are placeholders for a future
352      mode in which only the bottom 21 bits of 32-bit data items are used. To      mode in which only the bottom 21 bits of 32-bit data items are used. To
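Review bot: The spelling pass on item 6 fixes "treshold" in three places (new lines 347-349) but leaves "inprecise" on line 345 unchanged; correct it to "imprecise" in the same commit so the entry does not need a second touch.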
# Line 105  Version 8.35-RC1 04-March-2014 Line 422  Version 8.35-RC1 04-March-2014
422      variable called pcre_stack_guard that can be set to point to an external      variable called pcre_stack_guard that can be set to point to an external
423      function to check stack availability. It is called at the start of      function to check stack availability. It is called at the start of
424      processing every parenthesized group.      processing every parenthesized group.
425    
426  22. A typo in the code meant that in ungreedy mode the max/min qualifier  22. A typo in the code meant that in ungreedy mode the max/min qualifier
427      behaved like a min-possessive qualifier, and, for example, /a{1,3}b/U did      behaved like a min-possessive qualifier, and, for example, /a{1,3}b/U did
428      not match "ab".      not match "ab".
429    
430    23. When UTF was disabled, the JIT program reported some incorrect compile
431        errors. These messages are silenced now.
432    
433    24. Experimental support for ARM-64 and MIPS-64 has been added to the JIT
434        compiler.
435    
436    25. Change all the temporary files used in RunGrepTest to be different to those
437        used by RunTest so that the tests can be run simultaneously, for example by
438        "make -j check".
439    
440    
441  Version 8.34 15-December-2013  Version 8.34 15-December-2013
442  -----------------------------  -----------------------------
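Review bot: New item 23 (lines 430-431) does not say which component "the JIT program" is, nor whether the "incorrect compile errors" were spurious reports that are now correctly not raised or genuine errors that are merely hidden; "These messages are silenced now" reads as the latter. Please name the component and state what the incorrect errors were, at the level of detail items 24 and 25 give for their changes.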
