diff options
Diffstat (limited to 'pcre/ChangeLog')
| -rw-r--r-- | pcre/ChangeLog | 167 |
1 files changed, 167 insertions, 0 deletions
diff --git a/pcre/ChangeLog b/pcre/ChangeLog index 8abdfb5f117..359b4129582 100644 --- a/pcre/ChangeLog +++ b/pcre/ChangeLog @@ -1,6 +1,173 @@ ChangeLog for PCRE ------------------ +Version 8.37 28-April-2015 +-------------------------- + +1. When an (*ACCEPT) is triggered inside capturing parentheses, it arranges + for those parentheses to be closed with whatever has been captured so far. + However, it was failing to mark any other groups between the hightest + capture so far and the currrent group as "unset". Thus, the ovector for + those groups contained whatever was previously there. An example is the + pattern /(x)|((*ACCEPT))/ when matched against "abcd". + +2. If an assertion condition was quantified with a minimum of zero (an odd + thing to do, but it happened), SIGSEGV or other misbehaviour could occur. + +3. If a pattern in pcretest input had the P (POSIX) modifier followed by an + unrecognized modifier, a crash could occur. + +4. An attempt to do global matching in pcretest with a zero-length ovector + caused a crash. + +5. Fixed a memory leak during matching that could occur for a subpattern + subroutine call (recursive or otherwise) if the number of captured groups + that had to be saved was greater than ten. + +6. Catch a bad opcode during auto-possessification after compiling a bad UTF + string with NO_UTF_CHECK. This is a tidyup, not a bug fix, as passing bad + UTF with NO_UTF_CHECK is documented as having an undefined outcome. + +7. A UTF pattern containing a "not" match of a non-ASCII character and a + subroutine reference could loop at compile time. Example: /[^\xff]((?1))/. + +8. When a pattern is compiled, it remembers the highest back reference so that + when matching, if the ovector is too small, extra memory can be obtained to + use instead. A conditional subpattern whose condition is a check on a + capture having happened, such as, for example in the pattern + /^(?:(a)|b)(?(1)A|B)/, is another kind of back reference, but it was not + setting the highest backreference number. This mattered only if pcre_exec() + was called with an ovector that was too small to hold the capture, and there + was no other kind of back reference (a situation which is probably quite + rare). The effect of the bug was that the condition was always treated as + FALSE when the capture could not be consulted, leading to a incorrect + behaviour by pcre_exec(). This bug has been fixed. + +9. A reference to a duplicated named group (either a back reference or a test + for being set in a conditional) that occurred in a part of the pattern where + PCRE_DUPNAMES was not set caused the amount of memory needed for the pattern + to be incorrectly calculated, leading to overwriting. + +10. A mutually recursive set of back references such as (\2)(\1) caused a + segfault at study time (while trying to find the minimum matching length). + The infinite loop is now broken (with the minimum length unset, that is, + zero). + +11. If an assertion that was used as a condition was quantified with a minimum + of zero, matching went wrong. In particular, if the whole group had + unlimited repetition and could match an empty string, a segfault was + likely. The pattern (?(?=0)?)+ is an example that caused this. Perl allows + assertions to be quantified, but not if they are being used as conditions, + so the above pattern is faulted by Perl. PCRE has now been changed so that + it also rejects such patterns. + +12. A possessive capturing group such as (a)*+ with a minimum repeat of zero + failed to allow the zero-repeat case if pcre2_exec() was called with an + ovector too small to capture the group. + +13. Fixed two bugs in pcretest that were discovered by fuzzing and reported by + Red Hat Product Security: + + (a) A crash if /K and /F were both set with the option to save the compiled + pattern. + + (b) Another crash if the option to print captured substrings in a callout + was combined with setting a null ovector, for example \O\C+ as a subject + string. + +14. A pattern such as "((?2){0,1999}())?", which has a group containing a + forward reference repeated a large (but limited) number of times within a + repeated outer group that has a zero minimum quantifier, caused incorrect + code to be compiled, leading to the error "internal error: + previously-checked referenced subpattern not found" when an incorrect + memory address was read. This bug was reported as "heap overflow", + discovered by Kai Lu of Fortinet's FortiGuard Labs and given the CVE number + CVE-2015-2325. + +23. A pattern such as "((?+1)(\1))/" containing a forward reference subroutine + call within a group that also contained a recursive back reference caused + incorrect code to be compiled. This bug was reported as "heap overflow", + discovered by Kai Lu of Fortinet's FortiGuard Labs, and given the CVE + number CVE-2015-2326. + +24. Computing the size of the JIT read-only data in advance has been a source + of various issues, and new ones are still appear unfortunately. To fix + existing and future issues, size computation is eliminated from the code, + and replaced by on-demand memory allocation. + +25. A pattern such as /(?i)[A-`]/, where characters in the other case are + adjacent to the end of the range, and the range contained characters with + more than one other case, caused incorrect behaviour when compiled in UTF + mode. In that example, the range a-j was left out of the class. + +26. Fix JIT compilation of conditional blocks, which assertion + is converted to (*FAIL). E.g: /(?(?!))/. + +27. The pattern /(?(?!)^)/ caused references to random memory. This bug was + discovered by the LLVM fuzzer. + +28. The assertion (?!) is optimized to (*FAIL). This was not handled correctly + when this assertion was used as a condition, for example (?(?!)a|b). In + pcre2_match() it worked by luck; in pcre2_dfa_match() it gave an incorrect + error about an unsupported item. + +29. For some types of pattern, for example /Z*(|d*){216}/, the auto- + possessification code could take exponential time to complete. A recursion + depth limit of 1000 has been imposed to limit the resources used by this + optimization. + +30. A pattern such as /(*UTF)[\S\V\H]/, which contains a negated special class + such as \S in non-UCP mode, explicit wide characters (> 255) can be ignored + because \S ensures they are all in the class. The code for doing this was + interacting badly with the code for computing the amount of space needed to + compile the pattern, leading to a buffer overflow. This bug was discovered + by the LLVM fuzzer. + +31. A pattern such as /((?2)+)((?1))/ which has mutual recursion nested inside + other kinds of group caused stack overflow at compile time. This bug was + discovered by the LLVM fuzzer. + +32. A pattern such as /(?1)(?#?'){8}(a)/ which had a parenthesized comment + between a subroutine call and its quantifier was incorrectly compiled, + leading to buffer overflow or other errors. This bug was discovered by the + LLVM fuzzer. + +33. The illegal pattern /(?(?<E>.*!.*)?)/ was not being diagnosed as missing an + assertion after (?(. The code was failing to check the character after + (?(?< for the ! or = that would indicate a lookbehind assertion. This bug + was discovered by the LLVM fuzzer. + +34. A pattern such as /X((?2)()*+){2}+/ which has a possessive quantifier with + a fixed maximum following a group that contains a subroutine reference was + incorrectly compiled and could trigger buffer overflow. This bug was + discovered by the LLVM fuzzer. + +35. A mutual recursion within a lookbehind assertion such as (?<=((?2))((?1))) + caused a stack overflow instead of the diagnosis of a non-fixed length + lookbehind assertion. This bug was discovered by the LLVM fuzzer. + +36. The use of \K in a positive lookbehind assertion in a non-anchored pattern + (e.g. /(?<=\Ka)/) could make pcregrep loop. + +37. There was a similar problem to 36 in pcretest for global matches. + +38. If a greedy quantified \X was preceded by \C in UTF mode (e.g. \C\X*), + and a subsequent item in the pattern caused a non-match, backtracking over + the repeated \X did not stop, but carried on past the start of the subject, + causing reference to random memory and/or a segfault. There were also some + other cases where backtracking after \C could crash. This set of bugs was + discovered by the LLVM fuzzer. + +39. The function for finding the minimum length of a matching string could take + a very long time if mutual recursion was present many times in a pattern, + for example, /((?2){73}(?2))((?1))/. A better mutual recursion detection + method has been implemented. This infelicity was discovered by the LLVM + fuzzer. + +40. Static linking against the PCRE library using the pkg-config module was + failing on missing pthread symbols. + + Version 8.36 26-September-2014 ------------------------------ |