|
|
| version 1.7, 2015/10/13 00:25:39 | version 1.8, 2019/12/03 16:37:21 |
|---|---|
| Line 1 | Line 1 |
| ChangeLog for PCRE | ChangeLog for PCRE |
| ------------------ | ------------------ |
| Note that the PCRE 8.xx series (PCRE1) is now in a bugfix-only state. All | |
| development is happening in the PCRE2 10.xx series. | |
| Version 8.43 23-February-2019 | |
| ----------------------------- | |
| 1. Some time ago the config macro SUPPORT_UTF8 was changed to SUPPORT_UTF | |
| because it also applies to UTF-16 and UTF-32. However, this change was not made | |
| in the pcre2cpp files; consequently the C++ wrapper has from then been compiled | |
| with a bug in it, which would have been picked up by the unit test except that | |
| it also had its UTF8 code cut out. The bug was in a global replace when moving | |
| forward after matching an empty string. | |
| 2. The C++ wrapper got broken a long time ago (version 7.3, August 2007) when | |
| (*CR) was invented (assuming it was the first such start-of-pattern option). | |
| The wrapper could never handle such patterns because it wraps patterns in | |
| (?:...)\z in order to support end anchoring. I have hacked in some code to fix | |
| this, that is, move the wrapping till after any existing start-of-pattern | |
| special settings. | |
| 3. "pcre2grep" (sic) was accidentally mentioned in an error message (fix was | |
| ported from PCRE2). | |
| 4. Typo LCC_ALL for LC_ALL fixed in pcregrep. | |
| 5. In a pattern such as /[^\x{100}-\x{ffff}]*[\x80-\xff]/ which has a repeated | |
| negative class with no characters less than 0x100 followed by a positive class | |
| with only characters less than 0x100, the first class was incorrectly being | |
| auto-possessified, causing incorrect match failures. | |
| 6. If the only branch in a conditional subpattern was anchored, the whole | |
| subpattern was treated as anchored, when it should not have been, since the | |
| assumed empty second branch cannot be anchored. Demonstrated by test patterns | |
| such as /(?(1)^())b/ or /(?(?=^))b/. | |
| 7. Fix subject buffer overread in JIT when UTF is disabled and \X or \R has | |
| a greater than 1 fixed quantifier. This issue was found by Yunho Kim. | |
| 8. If a pattern started with a subroutine call that had a quantifier with a | |
| minimum of zero, an incorrect "match must start with this character" could be | |
| recorded. Example: /(?&xxx)*ABC(?<xxx>XYZ)/ would (incorrectly) expect 'A' to | |
| be the first character of a match. | |
| 9. Improve MAP_JIT flag usage on MacOS. Patch by Rich Siegel. | |
| Version 8.42 20-March-2018 | |
| -------------------------- | |
| 1. Fixed a MIPS issue in the JIT compiler reported by Joshua Kinard. | |
| 2. Fixed outdated real_pcre definitions in pcre.h.in (patch by Evgeny Kotkov). | |
| 3. pcregrep was truncating components of file names to 128 characters when | |
| processing files with the -r option, and also (some very odd code) truncating | |
| path names to 512 characters. There is now a check on the absolute length of | |
| full path file names, which may be up to 2047 characters long. | |
| 4. Using pcre_dfa_exec(), in UTF mode when UCP support was not defined, there | |
| was the possibility of a false positive match when caselessly matching a "not | |
| this character" item such as [^\x{1234}] (with a code point greater than 127) | |
| because the "other case" variable was not being initialized. | |
| 5. Although pcre_jit_exec checks whether the pattern is compiled | |
| in a given mode, it was also expected that at least one mode is available. | |
| This is fixed and pcre_jit_exec returns with PCRE_ERROR_JIT_BADOPTION | |
| when the pattern is not optimized by JIT at all. | |
| 6. The line number and related variables such as match counts in pcregrep | |
| were all int variables, causing overflow when files with more than 2147483647 | |
| lines were processed (assuming 32-bit ints). They have all been changed to | |
| unsigned long ints. | |
| 7. If a backreference with a minimum repeat count of zero was first in a | |
| pattern, apart from assertions, an incorrect first matching character could be | |
| recorded. For example, for the pattern /(?=(a))\1?b/, "b" was incorrectly set | |
| as the first character of a match. | |
| 8. Fix out-of-bounds read for partial matching of /./ against an empty string | |
| when the newline type is CRLF. | |
| 9. When matching using the the REG_STARTEND feature of the POSIX API with a | |
| non-zero starting offset, unset capturing groups with lower numbers than a | |
| group that did capture something were not being correctly returned as "unset" | |
| (that is, with offset values of -1). | |
| 10. Matching the pattern /(*UTF)\C[^\v]+\x80/ against an 8-bit string | |
| containing multi-code-unit characters caused bad behaviour and possibly a | |
| crash. This issue was fixed for other kinds of repeat in release 8.37 by change | |
| 38, but repeating character classes were overlooked. | |
| 11. A small fix to pcregrep to avoid compiler warnings for -Wformat-overflow=2. | |
| 12. Added --enable-jit=auto support to configure.ac. | |
| 13. Fix misleading error message in configure.ac. | |
| Version 8.41 05-July-2017 | |
| ------------------------- | |
| 1. Fixed typo in CMakeLists.txt (wrong number of arguments for | |
| PCRE_STATIC_RUNTIME (affects MSVC only). | |
| 2. Issue 1 for 8.40 below was not correctly fixed. If pcregrep in multiline | |
| mode with --only-matching matched several lines, it restarted scanning at the | |
| next line instead of moving on to the end of the matched string, which can be | |
| several lines after the start. | |
| 3. Fix a missing else in the JIT compiler reported by 'idaifish'. | |
| 4. A (?# style comment is now ignored between a basic quantifier and a | |
| following '+' or '?' (example: /X+(?#comment)?Y/. | |
| 5. Avoid use of a potentially overflowing buffer in pcregrep (patch by Petr | |
| Pisar). | |
| 6. Fuzzers have reported issues in pcretest. These are NOT serious (it is, | |
| after all, just a test program). However, to stop the reports, some easy ones | |
| are fixed: | |
| (a) Check for values < 256 when calling isprint() in pcretest. | |
| (b) Give an error for too big a number after \O. | |
| 7. In the 32-bit library in non-UTF mode, an attempt to find a Unicode | |
| property for a character with a code point greater than 0x10ffff (the Unicode | |
| maximum) caused a crash. | |
| 8. The alternative matching function, pcre_dfa_exec() misbehaved if it | |
| encountered a character class with a possessive repeat, for example [a-f]{3}+. | |
| 9. When pcretest called pcre_copy_substring() in 32-bit mode, it set the buffer | |
| length incorrectly, which could result in buffer overflow. | |
| 10. Remove redundant line of code (accidentally left in ages ago). | |
| 11. Applied C++ patch from Irfan Adilovic to guard 'using std::' directives | |
| with namespace pcrecpp (Bugzilla #2084). | |
| 12. Remove a duplication typo in pcre_tables.c. | |
| 13. Fix returned offsets from regexec() when REG_STARTEND is used with a | |
| starting offset greater than zero. | |
| Version 8.40 11-January-2017 | |
| ---------------------------- | |
| 1. Using -o with -M in pcregrep could cause unnecessary repeated output when | |
| the match extended over a line boundary. | |
| 2. Applied Chris Wilson's second patch (Bugzilla #1681) to CMakeLists.txt for | |
| MSVC static compilation, putting the first patch under a new option. | |
| 3. Fix register overwite in JIT when SSE2 acceleration is enabled. | |
| 4. Ignore "show all captures" (/=) for DFA matching. | |
| 5. Fix JIT unaligned accesses on x86. Patch by Marc Mutz. | |
| 6. In any wide-character mode (8-bit UTF or any 16-bit or 32-bit mode), | |
| without PCRE_UCP set, a negative character type such as \D in a positive | |
| class should cause all characters greater than 255 to match, whatever else | |
| is in the class. There was a bug that caused this not to happen if a | |
| Unicode property item was added to such a class, for example [\D\P{Nd}] or | |
| [\W\pL]. | |
| 7. When pcretest was outputing information from a callout, the caret indicator | |
| for the current position in the subject line was incorrect if it was after | |
| an escape sequence for a character whose code point was greater than | |
| \x{ff}. | |
| 8. A pattern such as (?<RA>abc)(?(R)xyz) was incorrectly compiled such that | |
| the conditional was interpreted as a reference to capturing group 1 instead | |
| of a test for recursion. Any group whose name began with R was | |
| misinterpreted in this way. (The reference interpretation should only | |
| happen if the group's name is precisely "R".) | |
| 9. A number of bugs have been mended relating to match start-up optimizations | |
| when the first thing in a pattern is a positive lookahead. These all | |
| applied only when PCRE_NO_START_OPTIMIZE was *not* set: | |
| (a) A pattern such as (?=.*X)X$ was incorrectly optimized as if it needed | |
| both an initial 'X' and a following 'X'. | |
| (b) Some patterns starting with an assertion that started with .* were | |
| incorrectly optimized as having to match at the start of the subject or | |
| after a newline. There are cases where this is not true, for example, | |
| (?=.*[A-Z])(?=.{8,16})(?!.*[\s]) matches after the start in lines that | |
| start with spaces. Starting .* in an assertion is no longer taken as an | |
| indication of matching at the start (or after a newline). | |
| Version 8.39 14-June-2016 | |
| ------------------------- | |
| 1. If PCRE_AUTO_CALLOUT was set on a pattern that had a (?# comment between | |
| an item and its qualifier (for example, A(?#comment)?B) pcre_compile() | |
| misbehaved. This bug was found by the LLVM fuzzer. | |
| 2. Similar to the above, if an isolated \E was present between an item and its | |
| qualifier when PCRE_AUTO_CALLOUT was set, pcre_compile() misbehaved. This | |
| bug was found by the LLVM fuzzer. | |
| 3. Further to 8.38/46, negated classes such as [^[:^ascii:]\d] were also not | |
| working correctly in UCP mode. | |
| 4. The POSIX wrapper function regexec() crashed if the option REG_STARTEND | |
| was set when the pmatch argument was NULL. It now returns REG_INVARG. | |
| 5. Allow for up to 32-bit numbers in the ordin() function in pcregrep. | |
| 6. An empty \Q\E sequence between an item and its qualifier caused | |
| pcre_compile() to misbehave when auto callouts were enabled. This bug was | |
| found by the LLVM fuzzer. | |
| 7. If a pattern that was compiled with PCRE_EXTENDED started with white | |
| space or a #-type comment that was followed by (?-x), which turns off | |
| PCRE_EXTENDED, and there was no subsequent (?x) to turn it on again, | |
| pcre_compile() assumed that (?-x) applied to the whole pattern and | |
| consequently mis-compiled it. This bug was found by the LLVM fuzzer. | |
| 8. A call of pcre_copy_named_substring() for a named substring whose number | |
| was greater than the space in the ovector could cause a crash. | |
| 9. Yet another buffer overflow bug involved duplicate named groups with a | |
| group that reset capture numbers (compare 8.38/7 below). Once again, I have | |
| just allowed for more memory, even if not needed. (A proper fix is | |
| implemented in PCRE2, but it involves a lot of refactoring.) | |
| 10. pcre_get_substring_list() crashed if the use of \K in a match caused the | |
| start of the match to be earlier than the end. | |
| 11. Migrating appropriate PCRE2 JIT improvements to PCRE. | |
| 12. A pattern such as /(?<=((?C)0))/, which has a callout inside a lookbehind | |
| assertion, caused pcretest to generate incorrect output, and also to read | |
| uninitialized memory (detected by ASAN or valgrind). | |
| 13. A pattern that included (*ACCEPT) in the middle of a sufficiently deeply | |
| nested set of parentheses of sufficient size caused an overflow of the | |
| compiling workspace (which was diagnosed, but of course is not desirable). | |
| 14. And yet another buffer overflow bug involving duplicate named groups, this | |
| time nested, with a nested back reference. Yet again, I have just allowed | |
| for more memory, because anything more needs all the refactoring that has | |
| been done for PCRE2. An example pattern that provoked this bug is: | |
| /((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/ and the bug was | |
| registered as CVE-2016-1283. | |
| 15. pcretest went into a loop if global matching was requested with an ovector | |
| size less than 2. It now gives an error message. This bug was found by | |
| afl-fuzz. | |
| 16. An invalid pattern fragment such as (?(?C)0 was not diagnosing an error | |
| ("assertion expected") when (?(?C) was not followed by an opening | |
| parenthesis. | |
| 17. Fixed typo ("&&" for "&") in pcre_study(). Fortunately, this could not | |
| actually affect anything, by sheer luck. | |
| 18. Applied Chris Wilson's patch (Bugzilla #1681) to CMakeLists.txt for MSVC | |
| static compilation. | |
| 19. Modified the RunTest script to incorporate a valgrind suppressions file so | |
| that certain errors, provoked by the SSE2 instruction set when JIT is used, | |
| are ignored. | |
| 20. A racing condition is fixed in JIT reported by Mozilla. | |
| 21. Minor code refactor to avoid "array subscript is below array bounds" | |
| compiler warning. | |
| 22. Minor code refactor to avoid "left shift of negative number" warning. | |
| 23. Fix typo causing compile error when 16- or 32-bit JIT is compiled without | |
| UCP support. | |
| 24. Refactor to avoid compiler warnings in pcrecpp.cc. | |
| 25. Refactor to fix a typo in pcre_jit_test.c | |
| 26. Patch to support compiling pcrecpp.cc with Intel compiler. | |
| Version 8.38 23-November-2015 | |
| ----------------------------- | |
| 1. If a group that contained a recursive back reference also contained a | |
| forward reference subroutine call followed by a non-forward-reference | |
| subroutine call, for example /.((?2)(?R)\1)()/, pcre_compile() failed to | |
| compile correct code, leading to undefined behaviour or an internally | |
| detected error. This bug was discovered by the LLVM fuzzer. | |
| 2. Quantification of certain items (e.g. atomic back references) could cause | |
| incorrect code to be compiled when recursive forward references were | |
| involved. For example, in this pattern: /(?1)()((((((\1++))\x85)+)|))/. | |
| This bug was discovered by the LLVM fuzzer. | |
| 3. A repeated conditional group whose condition was a reference by name caused | |
| a buffer overflow if there was more than one group with the given name. | |
| This bug was discovered by the LLVM fuzzer. | |
| 4. A recursive back reference by name within a group that had the same name as | |
| another group caused a buffer overflow. For example: | |
| /(?J)(?'d'(?'d'\g{d}))/. This bug was discovered by the LLVM fuzzer. | |
| 5. A forward reference by name to a group whose number is the same as the | |
| current group, for example in this pattern: /(?|(\k'Pm')|(?'Pm'))/, caused | |
| a buffer overflow at compile time. This bug was discovered by the LLVM | |
| fuzzer. | |
| 6. A lookbehind assertion within a set of mutually recursive subpatterns could | |
| provoke a buffer overflow. This bug was discovered by the LLVM fuzzer. | |
| 7. Another buffer overflow bug involved duplicate named groups with a | |
| reference between their definition, with a group that reset capture | |
| numbers, for example: /(?J:(?|(?'R')(\k'R')|((?'R'))))/. This has been | |
| fixed by always allowing for more memory, even if not needed. (A proper fix | |
| is implemented in PCRE2, but it involves more refactoring.) | |
| 8. There was no check for integer overflow in subroutine calls such as (?123). | |
| 9. The table entry for \l in EBCDIC environments was incorrect, leading to its | |
| being treated as a literal 'l' instead of causing an error. | |
| 10. There was a buffer overflow if pcre_exec() was called with an ovector of | |
| size 1. This bug was found by american fuzzy lop. | |
| 11. If a non-capturing group containing a conditional group that could match | |
| an empty string was repeated, it was not identified as matching an empty | |
| string itself. For example: /^(?:(?(1)x|)+)+$()/. | |
| 12. In an EBCDIC environment, pcretest was mishandling the escape sequences | |
| \a and \e in test subject lines. | |
| 13. In an EBCDIC environment, \a in a pattern was converted to the ASCII | |
| instead of the EBCDIC value. | |
| 14. The handling of \c in an EBCDIC environment has been revised so that it is | |
| now compatible with the specification in Perl's perlebcdic page. | |
| 15. The EBCDIC character 0x41 is a non-breaking space, equivalent to 0xa0 in | |
| ASCII/Unicode. This has now been added to the list of characters that are | |
| recognized as white space in EBCDIC. | |
| 16. When PCRE was compiled without UCP support, the use of \p and \P gave an | |
| error (correctly) when used outside a class, but did not give an error | |
| within a class. | |
| 17. \h within a class was incorrectly compiled in EBCDIC environments. | |
| 18. A pattern with an unmatched closing parenthesis that contained a backward | |
| assertion which itself contained a forward reference caused buffer | |
| overflow. And example pattern is: /(?=di(?<=(?1))|(?=(.))))/. | |
| 19. JIT should return with error when the compiled pattern requires more stack | |
| space than the maximum. | |
| 20. A possessively repeated conditional group that could match an empty string, | |
| for example, /(?(R))*+/, was incorrectly compiled. | |
| 21. Fix infinite recursion in the JIT compiler when certain patterns such as | |
| /(?:|a|){100}x/ are analysed. | |
| 22. Some patterns with character classes involving [: and \\ were incorrectly | |
| compiled and could cause reading from uninitialized memory or an incorrect | |
| error diagnosis. | |
| 23. Pathological patterns containing many nested occurrences of [: caused | |
| pcre_compile() to run for a very long time. | |
| 24. A conditional group with only one branch has an implicit empty alternative | |
| branch and must therefore be treated as potentially matching an empty | |
| string. | |
| 25. If (?R was followed by - or + incorrect behaviour happened instead of a | |
| diagnostic. | |
| 26. Arrange to give up on finding the minimum matching length for overly | |
| complex patterns. | |
| 27. Similar to (4) above: in a pattern with duplicated named groups and an | |
| occurrence of (?| it is possible for an apparently non-recursive back | |
| reference to become recursive if a later named group with the relevant | |
| number is encountered. This could lead to a buffer overflow. Wen Guanxing | |
| from Venustech ADLAB discovered this bug. | |
| 28. If pcregrep was given the -q option with -c or -l, or when handling a | |
| binary file, it incorrectly wrote output to stdout. | |
| 29. The JIT compiler did not restore the control verb head in case of *THEN | |
| control verbs. This issue was found by Karl Skomski with a custom LLVM | |
| fuzzer. | |
| 30. Error messages for syntax errors following \g and \k were giving inaccurate | |
| offsets in the pattern. | |
| 31. Added a check for integer overflow in conditions (?(<digits>) and | |
| (?(R<digits>). This omission was discovered by Karl Skomski with the LLVM | |
| fuzzer. | |
| 32. Handling recursive references such as (?2) when the reference is to a group | |
| later in the pattern uses code that is very hacked about and error-prone. | |
| It has been re-written for PCRE2. Here in PCRE1, a check has been added to | |
| give an internal error if it is obvious that compiling has gone wrong. | |
| 33. The JIT compiler should not check repeats after a {0,1} repeat byte code. | |
| This issue was found by Karl Skomski with a custom LLVM fuzzer. | |
| 34. The JIT compiler should restore the control chain for empty possessive | |
| repeats. This issue was found by Karl Skomski with a custom LLVM fuzzer. | |
| 35. Match limit check added to JIT recursion. This issue was found by Karl | |
| Skomski with a custom LLVM fuzzer. | |
| 36. Yet another case similar to 27 above has been circumvented by an | |
| unconditional allocation of extra memory. This issue is fixed "properly" in | |
| PCRE2 by refactoring the way references are handled. Wen Guanxing | |
| from Venustech ADLAB discovered this bug. | |
| 37. Fix two assertion fails in JIT. These issues were found by Karl Skomski | |
| with a custom LLVM fuzzer. | |
| 38. Fixed a corner case of range optimization in JIT. | |
| 39. An incorrect error "overran compiling workspace" was given if there were | |
| exactly enough group forward references such that the last one extended | |
| into the workspace safety margin. The next one would have expanded the | |
| workspace. The test for overflow was not including the safety margin. | |
| 40. A match limit issue is fixed in JIT which was found by Karl Skomski | |
| with a custom LLVM fuzzer. | |
| 41. Remove the use of /dev/null in testdata/testinput2, because it doesn't | |
| work under Windows. (Why has it taken so long for anyone to notice?) | |
| 42. In a character class such as [\W\p{Any}] where both a negative-type escape | |
| ("not a word character") and a property escape were present, the property | |
| escape was being ignored. | |
| 43. Fix crash caused by very long (*MARK) or (*THEN) names. | |
| 44. A sequence such as [[:punct:]b] that is, a POSIX character class followed | |
| by a single ASCII character in a class item, was incorrectly compiled in | |
| UCP mode. The POSIX class got lost, but only if the single character | |
| followed it. | |
| 45. [:punct:] in UCP mode was matching some characters in the range 128-255 | |
| that should not have been matched. | |
| 46. If [:^ascii:] or [:^xdigit:] or [:^cntrl:] are present in a non-negated | |
| class, all characters with code points greater than 255 are in the class. | |
| When a Unicode property was also in the class (if PCRE_UCP is set, escapes | |
| such as \w are turned into Unicode properties), wide characters were not | |
| correctly handled, and could fail to match. | |
| Version 8.37 28-April-2015 | Version 8.37 28-April-2015 |
| -------------------------- | -------------------------- |