Diff of /code/trunk/ChangeLog

revision 1462 by ph10, Mon Mar 10 16:28:54 2014 UTC revision 1615 by ph10, Sun Nov 29 17:46:23 2015 UTC
# Line 1  Line 1 
1  ChangeLog for PCRE  ChangeLog for PCRE
2  ------------------  ------------------
3    
4  Version 8.35-RC1 04-March-2014  Note that the PCRE 8.xx series (PCRE1) is now in a bugfix-only state. All
5    development is happening in the PCRE2 10.xx series.
6    
7    Version 8.39 xx-xxxxxx-201x
8    ---------------------------
9    
10    1.  If PCRE_AUTO_CALLOUT was set on a pattern that had a (?# comment between
11        an item and its qualifier (for example, A(?#comment)?B) pcre_compile()
12        misbehaved. This bug was found by the LLVM fuzzer.
13    
14    2.  Similar to the above, if an isolated \E was present between an item and its
15        qualifier when PCRE_AUTO_CALLOUT was set, pcre_compile() misbehaved. This
16        bug was found by the LLVM fuzzer.
17    
18    3.  Further to 8.38/46, negated classes such as [^[:^ascii:]\d] were also not
19        working correctly in UCP mode.
20    
21    4.  The POSIX wrapper function regexec() crashed if the option REG_STARTEND
22        was set when the pmatch argument was NULL. It now returns REG_INVARG.
23    
24    5.  Allow for up to 32-bit numbers in the ordin() function in pcregrep.
25    
26    
27    Version 8.38 23-November-2015
28    -----------------------------
29    
30    1.  If a group that contained a recursive back reference also contained a
31        forward reference subroutine call followed by a non-forward-reference
32        subroutine call, for example /.((?2)(?R)\1)()/, pcre2_compile() failed to
33        compile correct code, leading to undefined behaviour or an internally
34        detected error. This bug was discovered by the LLVM fuzzer.
35    
36    2.  Quantification of certain items (e.g. atomic back references) could cause
37        incorrect code to be compiled when recursive forward references were
38        involved. For example, in this pattern: /(?1)()((((((\1++))\x85)+)|))/.
39        This bug was discovered by the LLVM fuzzer.
40    
41    3.  A repeated conditional group whose condition was a reference by name caused
42        a buffer overflow if there was more than one group with the given name.
43        This bug was discovered by the LLVM fuzzer.
44    
45    4.  A recursive back reference by name within a group that had the same name as
46        another group caused a buffer overflow. For example:
47        /(?J)(?'d'(?'d'\g{d}))/. This bug was discovered by the LLVM fuzzer.
48    
49    5.  A forward reference by name to a group whose number is the same as the
50        current group, for example in this pattern: /(?|(\k'Pm')|(?'Pm'))/, caused
51        a buffer overflow at compile time. This bug was discovered by the LLVM
52        fuzzer.
53    
54    6.  A lookbehind assertion within a set of mutually recursive subpatterns could
55        provoke a buffer overflow. This bug was discovered by the LLVM fuzzer.
56    
57    7.  Another buffer overflow bug involved duplicate named groups with a
58        reference between their definition, with a group that reset capture
59        numbers, for example: /(?J:(?|(?'R')(\k'R')|((?'R'))))/. This has been
60        fixed by always allowing for more memory, even if not needed. (A proper fix
61        is implemented in PCRE2, but it involves more refactoring.)
62    
63    8.  There was no check for integer overflow in subroutine calls such as (?123).
64    
65    9.  The table entry for \l in EBCDIC environments was incorrect, leading to its
66        being treated as a literal 'l' instead of causing an error.
67    
68    10. There was a buffer overflow if pcre_exec() was called with an ovector of
69        size 1. This bug was found by american fuzzy lop.
70    
71    11. If a non-capturing group containing a conditional group that could match
72        an empty string was repeated, it was not identified as matching an empty
73        string itself. For example: /^(?:(?(1)x|)+)+$()/.
74    
75    12. In an EBCDIC environment, pcretest was mishandling the escape sequences
76        \a and \e in test subject lines.
77    
78    13. In an EBCDIC environment, \a in a pattern was converted to the ASCII
79        instead of the EBCDIC value.
80    
81    14. The handling of \c in an EBCDIC environment has been revised so that it is
82        now compatible with the specification in Perl's perlebcdic page.
83    
84    15. The EBCDIC character 0x41 is a non-breaking space, equivalent to 0xa0 in
85        ASCII/Unicode. This has now been added to the list of characters that are
86        recognized as white space in EBCDIC.
87    
88    16. When PCRE was compiled without UCP support, the use of \p and \P gave an
89        error (correctly) when used outside a class, but did not give an error
90        within a class.
91    
92    17. \h within a class was incorrectly compiled in EBCDIC environments.
93    
94    18. A pattern with an unmatched closing parenthesis that contained a backward
95        assertion which itself contained a forward reference caused buffer
96        overflow. And example pattern is: /(?=di(?<=(?1))|(?=(.))))/.
97    
98    19. JIT should return with error when the compiled pattern requires more stack
99        space than the maximum.
100    
101    20. A possessively repeated conditional group that could match an empty string,
102        for example, /(?(R))*+/, was incorrectly compiled.
103    
104    21. Fix infinite recursion in the JIT compiler when certain patterns such as
105        /(?:|a|){100}x/ are analysed.
106    
107    22. Some patterns with character classes involving [: and \\ were incorrectly
108        compiled and could cause reading from uninitialized memory or an incorrect
109        error diagnosis.
110    
111    23. Pathological patterns containing many nested occurrences of [: caused
112        pcre_compile() to run for a very long time.
113    
114    24. A conditional group with only one branch has an implicit empty alternative
115        branch and must therefore be treated as potentially matching an empty
116        string.
117    
118    25. If (?R was followed by - or + incorrect behaviour happened instead of a
119        diagnostic.
120    
121    26. Arrange to give up on finding the minimum matching length for overly
122        complex patterns.
123    
124    27. Similar to (4) above: in a pattern with duplicated named groups and an
125        occurrence of (?| it is possible for an apparently non-recursive back
126        reference to become recursive if a later named group with the relevant
127        number is encountered. This could lead to a buffer overflow. Wen Guanxing
128        from Venustech ADLAB discovered this bug.
129    
130    28. If pcregrep was given the -q option with -c or -l, or when handling a
131        binary file, it incorrectly wrote output to stdout.
132    
133    29. The JIT compiler did not restore the control verb head in case of *THEN
134        control verbs. This issue was found by Karl Skomski with a custom LLVM
135        fuzzer.
136    
137    30. Error messages for syntax errors following \g and \k were giving inaccurate
138        offsets in the pattern.
139    
140    31. Added a check for integer overflow in conditions (?(<digits>) and
141        (?(R<digits>). This omission was discovered by Karl Skomski with the LLVM
142        fuzzer.
143    
144    32. Handling recursive references such as (?2) when the reference is to a group
145        later in the pattern uses code that is very hacked about and error-prone.
146        It has been re-written for PCRE2. Here in PCRE1, a check has been added to
147        give an internal error if it is obvious that compiling has gone wrong.
148    
149    33. The JIT compiler should not check repeats after a {0,1} repeat byte code.
150        This issue was found by Karl Skomski with a custom LLVM fuzzer.
151    
152    34. The JIT compiler should restore the control chain for empty possessive
153        repeats. This issue was found by Karl Skomski with a custom LLVM fuzzer.
154    
155    35. Match limit check added to JIT recursion. This issue was found by Karl
156        Skomski with a custom LLVM fuzzer.
157    
158    36. Yet another case similar to 27 above has been circumvented by an
159        unconditional allocation of extra memory. This issue is fixed "properly" in
160        PCRE2 by refactoring the way references are handled. Wen Guanxing
161        from Venustech ADLAB discovered this bug.
162    
163    37. Fix two assertion fails in JIT. These issues were found by Karl Skomski
164        with a custom LLVM fuzzer.
165    
166    38. Fixed a corner case of range optimization in JIT.
167    
168    39. An incorrect error "overran compiling workspace" was given if there were
169        exactly enough group forward references such that the last one extended
170        into the workspace safety margin. The next one would have expanded the
171        workspace. The test for overflow was not including the safety margin.
172    
173    40. A match limit issue is fixed in JIT which was found by Karl Skomski
174        with a custom LLVM fuzzer.
175    
176    41. Remove the use of /dev/null in testdata/testinput2, because it doesn't
177        work under Windows. (Why has it taken so long for anyone to notice?)
178    
179    42. In a character class such as [\W\p{Any}] where both a negative-type escape
180        ("not a word character") and a property escape were present, the property
181        escape was being ignored.
182    
183    43. Fix crash caused by very long (*MARK) or (*THEN) names.
184    
185    44. A sequence such as [[:punct:]b] that is, a POSIX character class followed
186        by a single ASCII character in a class item, was incorrectly compiled in
187        UCP mode. The POSIX class got lost, but only if the single character
188        followed it.
189    
190    45. [:punct:] in UCP mode was matching some characters in the range 128-255
191        that should not have been matched.
192    
193    46. If [:^ascii:] or [:^xdigit:] or [:^cntrl:] are present in a non-negated
194        class, all characters with code points greater than 255 are in the class.
195        When a Unicode property was also in the class (if PCRE_UCP is set, escapes
196        such as \w are turned into Unicode properties), wide characters were not
197        correctly handled, and could fail to match.
198    
199    
200    Version 8.37 28-April-2015
201    --------------------------
202    
203    1.  When an (*ACCEPT) is triggered inside capturing parentheses, it arranges
204        for those parentheses to be closed with whatever has been captured so far.
205        However, it was failing to mark any other groups between the hightest
206        capture so far and the currrent group as "unset". Thus, the ovector for
207        those groups contained whatever was previously there. An example is the
208        pattern /(x)|((*ACCEPT))/ when matched against "abcd".
209    
210    2.  If an assertion condition was quantified with a minimum of zero (an odd
211        thing to do, but it happened), SIGSEGV or other misbehaviour could occur.
212    
213    3.  If a pattern in pcretest input had the P (POSIX) modifier followed by an
214        unrecognized modifier, a crash could occur.
215    
216    4.  An attempt to do global matching in pcretest with a zero-length ovector
217        caused a crash.
218    
219    5.  Fixed a memory leak during matching that could occur for a subpattern
220        subroutine call (recursive or otherwise) if the number of captured groups
221        that had to be saved was greater than ten.
222    
223    6.  Catch a bad opcode during auto-possessification after compiling a bad UTF
224        string with NO_UTF_CHECK. This is a tidyup, not a bug fix, as passing bad
225        UTF with NO_UTF_CHECK is documented as having an undefined outcome.
226    
227    7.  A UTF pattern containing a "not" match of a non-ASCII character and a
228        subroutine reference could loop at compile time. Example: /[^\xff]((?1))/.
229    
230    8. When a pattern is compiled, it remembers the highest back reference so that
231       when matching, if the ovector is too small, extra memory can be obtained to
232       use instead. A conditional subpattern whose condition is a check on a
233       capture having happened, such as, for example in the pattern
234       /^(?:(a)|b)(?(1)A|B)/, is another kind of back reference, but it was not
235       setting the highest backreference number. This mattered only if pcre_exec()
236       was called with an ovector that was too small to hold the capture, and there
237       was no other kind of back reference (a situation which is probably quite
238       rare). The effect of the bug was that the condition was always treated as
239       FALSE when the capture could not be consulted, leading to a incorrect
240       behaviour by pcre_exec(). This bug has been fixed.
241    
242    9. A reference to a duplicated named group (either a back reference or a test
243       for being set in a conditional) that occurred in a part of the pattern where
244       PCRE_DUPNAMES was not set caused the amount of memory needed for the pattern
245       to be incorrectly calculated, leading to overwriting.
246    
247    10. A mutually recursive set of back references such as (\2)(\1) caused a
248        segfault at study time (while trying to find the minimum matching length).
249        The infinite loop is now broken (with the minimum length unset, that is,
250        zero).
251    
252    11. If an assertion that was used as a condition was quantified with a minimum
253        of zero, matching went wrong. In particular, if the whole group had
254        unlimited repetition and could match an empty string, a segfault was
255        likely. The pattern (?(?=0)?)+ is an example that caused this. Perl allows
256        assertions to be quantified, but not if they are being used as conditions,
257        so the above pattern is faulted by Perl. PCRE has now been changed so that
258        it also rejects such patterns.
259    
260    12. A possessive capturing group such as (a)*+ with a minimum repeat of zero
261        failed to allow the zero-repeat case if pcre2_exec() was called with an
262        ovector too small to capture the group.
263    
264    13. Fixed two bugs in pcretest that were discovered by fuzzing and reported by
265        Red Hat Product Security:
266    
267        (a) A crash if /K and /F were both set with the option to save the compiled
268        pattern.
269    
270        (b) Another crash if the option to print captured substrings in a callout
271        was combined with setting a null ovector, for example \O\C+ as a subject
272        string.
273    
274    14. A pattern such as "((?2){0,1999}())?", which has a group containing a
275        forward reference repeated a large (but limited) number of times within a
276        repeated outer group that has a zero minimum quantifier, caused incorrect
277        code to be compiled, leading to the error "internal error:
278        previously-checked referenced subpattern not found" when an incorrect
279        memory address was read. This bug was reported as "heap overflow",
280        discovered by Kai Lu of Fortinet's FortiGuard Labs and given the CVE number
281        CVE-2015-2325.
282    
283    23. A pattern such as "((?+1)(\1))/" containing a forward reference subroutine
284        call within a group that also contained a recursive back reference caused
285        incorrect code to be compiled. This bug was reported as "heap overflow",
286        discovered by Kai Lu of Fortinet's FortiGuard Labs, and given the CVE
287        number CVE-2015-2326.
288    
289    24. Computing the size of the JIT read-only data in advance has been a source
290        of various issues, and new ones are still appear unfortunately. To fix
291        existing and future issues, size computation is eliminated from the code,
292        and replaced by on-demand memory allocation.
293    
294    25. A pattern such as /(?i)[A-`]/, where characters in the other case are
295        adjacent to the end of the range, and the range contained characters with
296        more than one other case, caused incorrect behaviour when compiled in UTF
297        mode. In that example, the range a-j was left out of the class.
298    
299    26. Fix JIT compilation of conditional blocks, which assertion
300        is converted to (*FAIL). E.g: /(?(?!))/.
301    
302    27. The pattern /(?(?!)^)/ caused references to random memory. This bug was
303        discovered by the LLVM fuzzer.
304    
305    28. The assertion (?!) is optimized to (*FAIL). This was not handled correctly
306        when this assertion was used as a condition, for example (?(?!)a|b). In
307        pcre2_match() it worked by luck; in pcre2_dfa_match() it gave an incorrect
308        error about an unsupported item.
309    
310    29. For some types of pattern, for example /Z*(|d*){216}/, the auto-
311        possessification code could take exponential time to complete. A recursion
312        depth limit of 1000 has been imposed to limit the resources used by this
313        optimization.
314    
315    30. A pattern such as /(*UTF)[\S\V\H]/, which contains a negated special class
316        such as \S in non-UCP mode, explicit wide characters (> 255) can be ignored
317        because \S ensures they are all in the class. The code for doing this was
318        interacting badly with the code for computing the amount of space needed to
319        compile the pattern, leading to a buffer overflow. This bug was discovered
320        by the LLVM fuzzer.
321    
322    31. A pattern such as /((?2)+)((?1))/ which has mutual recursion nested inside
323        other kinds of group caused stack overflow at compile time. This bug was
324        discovered by the LLVM fuzzer.
325    
326    32. A pattern such as /(?1)(?#?'){8}(a)/ which had a parenthesized comment
327        between a subroutine call and its quantifier was incorrectly compiled,
328        leading to buffer overflow or other errors. This bug was discovered by the
329        LLVM fuzzer.
330    
331    33. The illegal pattern /(?(?<E>.*!.*)?)/ was not being diagnosed as missing an
332        assertion after (?(. The code was failing to check the character after
333        (?(?< for the ! or = that would indicate a lookbehind assertion. This bug
334        was discovered by the LLVM fuzzer.
335    
336    34. A pattern such as /X((?2)()*+){2}+/ which has a possessive quantifier with
337        a fixed maximum following a group that contains a subroutine reference was
338        incorrectly compiled and could trigger buffer overflow. This bug was
339        discovered by the LLVM fuzzer.
340    
341    35. A mutual recursion within a lookbehind assertion such as (?<=((?2))((?1)))
342        caused a stack overflow instead of the diagnosis of a non-fixed length
343        lookbehind assertion. This bug was discovered by the LLVM fuzzer.
344    
345    36. The use of \K in a positive lookbehind assertion in a non-anchored pattern
346        (e.g. /(?<=\Ka)/) could make pcregrep loop.
347    
348    37. There was a similar problem to 36 in pcretest for global matches.
349    
350    38. If a greedy quantified \X was preceded by \C in UTF mode (e.g. \C\X*),
351        and a subsequent item in the pattern caused a non-match, backtracking over
352        the repeated \X did not stop, but carried on past the start of the subject,
353        causing reference to random memory and/or a segfault. There were also some
354        other cases where backtracking after \C could crash. This set of bugs was
355        discovered by the LLVM fuzzer.
356    
357    39. The function for finding the minimum length of a matching string could take
358        a very long time if mutual recursion was present many times in a pattern,
359        for example, /((?2){73}(?2))((?1))/. A better mutual recursion detection
360        method has been implemented. This infelicity was discovered by the LLVM
361        fuzzer.
362    
363    40. Static linking against the PCRE library using the pkg-config module was
364        failing on missing pthread symbols.
365    
366    
367    Version 8.36 26-September-2014
368  ------------------------------  ------------------------------
369    
370    1.  Got rid of some compiler warnings in the C++ modules that were shown up by
371        -Wmissing-field-initializers and -Wunused-parameter.
372    
373    2.  The tests for quantifiers being too big (greater than 65535) were being
374        applied after reading the number, and stupidly assuming that integer
375        overflow would give a negative number. The tests are now applied as the
376        numbers are read.
377    
378    3.  Tidy code in pcre_exec.c where two branches that used to be different are
379        now the same.
380    
381    4.  The JIT compiler did not generate match limit checks for certain
382        bracketed expressions with quantifiers. This may lead to exponential
383        backtracking, instead of returning with PCRE_ERROR_MATCHLIMIT. This
384        issue should be resolved now.
385    
386    5.  Fixed an issue, which occures when nested alternatives are optimized
387        with table jumps.
388    
389    6.  Inserted two casts and changed some ints to size_t in the light of some
390        reported 64-bit compiler warnings (Bugzilla 1477).
391    
392    7.  Fixed a bug concerned with zero-minimum possessive groups that could match
393        an empty string, which sometimes were behaving incorrectly in the
394        interpreter (though correctly in the JIT matcher). This pcretest input is
395        an example:
396    
397          '\A(?:[^"]++|"(?:[^"]*+|"")*+")++'
398          NON QUOTED "QUOT""ED" AFTER "NOT MATCHED
399    
400        the interpreter was reporting a match of 'NON QUOTED ' only, whereas the
401        JIT matcher and Perl both matched 'NON QUOTED "QUOT""ED" AFTER '. The test
402        for an empty string was breaking the inner loop and carrying on at a lower
403        level, when possessive repeated groups should always return to a higher
404        level as they have no backtrack points in them. The empty string test now
405        occurs at the outer level.
406    
407    8.  Fixed a bug that was incorrectly auto-possessifying \w+ in the pattern
408        ^\w+(?>\s*)(?<=\w) which caused it not to match "test test".
409    
410    9.  Give a compile-time error for \o{} (as Perl does) and for \x{} (which Perl
411        doesn't).
412    
413    10. Change 8.34/15 introduced a bug that caused the amount of memory needed
414        to hold a pattern to be incorrectly computed (too small) when there were
415        named back references to duplicated names. This could cause "internal
416        error: code overflow" or "double free or corruption" or other memory
417        handling errors.
418    
419    11. When named subpatterns had the same prefixes, back references could be
420        confused. For example, in this pattern:
421    
422          /(?P<Name>a)?(?P<Name2>b)?(?(<Name>)c|d)*l/
423    
424        the reference to 'Name' was incorrectly treated as a reference to a
425        duplicate name.
426    
427    12. A pattern such as /^s?c/mi8 where the optional character has more than
428        one "other case" was incorrectly compiled such that it would only try to
429        match starting at "c".
430    
431    13. When a pattern starting with \s was studied, VT was not included in the
432        list of possible starting characters; this should have been part of the
433        8.34/18 patch.
434    
435    14. If a character class started [\Qx]... where x is any character, the class
436        was incorrectly terminated at the ].
437    
438    15. If a pattern that started with a caseless match for a character with more
439        than one "other case" was studied, PCRE did not set up the starting code
440        unit bit map for the list of possible characters. Now it does. This is an
441        optimization improvement, not a bug fix.
442    
443    16. The Unicode data tables have been updated to Unicode 7.0.0.
444    
445    17. Fixed a number of memory leaks in pcregrep.
446    
447    18. Avoid a compiler warning (from some compilers) for a function call with
448        a cast that removes "const" from an lvalue by using an intermediate
449        variable (to which the compiler does not object).
450    
451    19. Incorrect code was compiled if a group that contained an internal recursive
452        back reference was optional (had quantifier with a minimum of zero). This
453        example compiled incorrect code: /(((a\2)|(a*)\g<-1>))*/ and other examples
454        caused segmentation faults because of stack overflows at compile time.
455    
456    20. A pattern such as /((?(R)a|(?1)))+/, which contains a recursion within a
457        group that is quantified with an indefinite repeat, caused a compile-time
458        loop which used up all the system stack and provoked a segmentation fault.
459        This was not the same bug as 19 above.
460    
461    21. Add PCRECPP_EXP_DECL declaration to operator<< in pcre_stringpiece.h.
462        Patch by Mike Frysinger.
463    
464    
465    Version 8.35 04-April-2014
466    --------------------------
467    
468  1.  A new flag is set, when property checks are present in an XCLASS.  1.  A new flag is set, when property checks are present in an XCLASS.
469      When this flag is not set, PCRE can perform certain optimizations      When this flag is not set, PCRE can perform certain optimizations
470      such as studying these XCLASS-es.      such as studying these XCLASS-es.
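
Review bot: Several new entries name PCRE2 functions although this is the PCRE1 ChangeLog: pcre2_compile() in 8.38 item 1 (new line 32), pcre2_exec() in 8.37 item 12 (new line 261), and pcre2_match() / pcre2_dfa_match() in 8.37 item 28 (new line 307). Anyone searching this file to see whether their pcre_compile() or pcre_exec() callers are affected will miss these, so use the PCRE1 names (pcre_compile(), pcre_exec(), pcre_dfa_exec()). The 8.37 list also jumps from item 14 to item 23 (new lines 274 to 283), so either entries 15-22 are missing or the list needs renumbering, and items 8 and 9 there are indented differently from their neighbours. Smaller wording slips to fix in the same pass: "hightest" and "currrent" (lines 205-206), "a incorrect behaviour" (line 239), "are still appear" (line 290), "And example pattern" (line 96), and "occures" (line 386).
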
# Line 27  Version 8.35-RC1 04-March-2014 Line 488  Version 8.35-RC1 04-March-2014
488    
489  6.  Improve character range checks in JIT. Characters are read by an inprecise  6.  Improve character range checks in JIT. Characters are read by an inprecise
490      function now, which returns with an unknown value if the character code is      function now, which returns with an unknown value if the character code is
491      above a certain treshold (e.g: 256). The only limitation is that the value      above a certain threshold (e.g: 256). The only limitation is that the value
492      must be bigger than the treshold as well. This function is useful, when      must be bigger than the threshold as well. This function is useful when
493      the characters above the treshold are handled in the same way.      the characters above the threshold are handled in the same way.
494    
495  7.  The macros whose names start with RAWUCHAR are placeholders for a future  7.  The macros whose names start with RAWUCHAR are placeholders for a future
496      mode in which only the bottom 21 bits of 32-bit data items are used. To      mode in which only the bottom 21 bits of 32-bit data items are used. To
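
Review bot: The spelling clean-up of item 6 is incomplete: new line 489 still reads "inprecise" where "imprecise" is meant, although "treshold" is corrected to "threshold" on lines 491-493 of the same item. Fix it in this change, and consider "e.g." for "e.g:" on line 491 while the paragraph is being touched.
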
# Line 105  Version 8.35-RC1 04-March-2014 Line 566  Version 8.35-RC1 04-March-2014
566      variable called pcre_stack_guard that can be set to point to an external      variable called pcre_stack_guard that can be set to point to an external
567      function to check stack availability. It is called at the start of      function to check stack availability. It is called at the start of
568      processing every parenthesized group.      processing every parenthesized group.
569    
570  22. A typo in the code meant that in ungreedy mode the max/min qualifier  22. A typo in the code meant that in ungreedy mode the max/min qualifier
571      behaved like a min-possessive qualifier, and, for example, /a{1,3}b/U did      behaved like a min-possessive qualifier, and, for example, /a{1,3}b/U did
572      not match "ab".      not match "ab".
573    
574    23. When UTF was disabled, the JIT program reported some incorrect compile
575        errors. These messages are silenced now.
576    
577    24. Experimental support for ARM-64 and MIPS-64 has been added to the JIT
578        compiler.
579    
580    25. Change all the temporary files used in RunGrepTest to be different to those
581        used by RunTest so that the tests can be run simultaneously, for example by
582        "make -j check".
583    
584    
585  Version 8.34 15-December-2013  Version 8.34 15-December-2013
586  -----------------------------  -----------------------------
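
Review bot: Item 23 (new lines 574-575) says the incorrect JIT compile errors "are silenced now", which reads as if diagnostics were suppressed rather than the faulty check corrected, and it does not say which errors were involved. Reword it to name the messages and state that they are no longer raised when UTF is disabled, so a reader can tell that valid errors are still reported.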
