@@ -4,12 +4,104 @@ ChangeLog for PCRE
44Note that the PCRE 8.xx series (PCRE1) is now in a bugfix-only state. All
55development is happening in the PCRE2 10.xx series.
66
7+ Version 8.39 14-June-2016
8+ -------------------------
9+
10+ 1. If PCRE_AUTO_CALLOUT was set on a pattern that had a (?# comment between
11+ an item and its qualifier (for example, A(?#comment)?B) pcre_compile()
12+ misbehaved. This bug was found by the LLVM fuzzer.
13+
14+ 2. Similar to the above, if an isolated \E was present between an item and its
15+ qualifier when PCRE_AUTO_CALLOUT was set, pcre_compile() misbehaved. This
16+ bug was found by the LLVM fuzzer.
17+
18+ 3. Further to 8.38/46, negated classes such as [^[:^ascii:]\d] were also not
19+ working correctly in UCP mode.
20+
21+ 4. The POSIX wrapper function regexec() crashed if the option REG_STARTEND
22+ was set when the pmatch argument was NULL. It now returns REG_INVARG.
23+
24+ 5. Allow for up to 32-bit numbers in the ordin() function in pcregrep.
25+
26+ 6. An empty \Q\E sequence between an item and its qualifier caused
27+ pcre_compile() to misbehave when auto callouts were enabled. This bug was
28+ found by the LLVM fuzzer.
29+
30+ 7. If a pattern that was compiled with PCRE_EXTENDED started with white
31+ space or a #-type comment that was followed by (?-x), which turns off
32+ PCRE_EXTENDED, and there was no subsequent (?x) to turn it on again,
33+ pcre_compile() assumed that (?-x) applied to the whole pattern and
34+ consequently mis-compiled it. This bug was found by the LLVM fuzzer.
35+
36+ 8. A call of pcre_copy_named_substring() for a named substring whose number
37+ was greater than the space in the ovector could cause a crash.
38+
39+ 9. Yet another buffer overflow bug involved duplicate named groups with a
40+ group that reset capture numbers (compare 8.38/7 below). Once again, I have
41+ just allowed for more memory, even if not needed. (A proper fix is
42+ implemented in PCRE2, but it involves a lot of refactoring.)
43+
44+ 10. pcre_get_substring_list() crashed if the use of \K in a match caused the
45+ start of the match to be earlier than the end.
46+
47+ 11. Migrating appropriate PCRE2 JIT improvements to PCRE.
48+
49+ 12. A pattern such as /(?<=((?C)0))/, which has a callout inside a lookbehind
50+ assertion, caused pcretest to generate incorrect output, and also to read
51+ uninitialized memory (detected by ASAN or valgrind).
52+
53+ 13. A pattern that included (*ACCEPT) in the middle of a sufficiently deeply
54+ nested set of parentheses of sufficient size caused an overflow of the
55+ compiling workspace (which was diagnosed, but of course is not desirable).
56+
57+ 14. And yet another buffer overflow bug involving duplicate named groups, this
58+ time nested, with a nested back reference. Yet again, I have just allowed
59+ for more memory, because anything more needs all the refactoring that has
60+ been done for PCRE2. An example pattern that provoked this bug is:
61+ /((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/ and the bug was
62+ registered as CVE-2016-1283.
63+
64+ 15. pcretest went into a loop if global matching was requested with an ovector
65+ size less than 2. It now gives an error message. This bug was found by
66+ afl-fuzz.
67+
68+ 16. An invalid pattern fragment such as (?(?C)0 was not diagnosing an error
69+ ("assertion expected") when (?(?C) was not followed by an opening
70+ parenthesis.
71+
72+ 17. Fixed typo ("&&" for "&") in pcre_study(). Fortunately, this could not
73+ actually affect anything, by sheer luck.
74+
75+ 18. Applied Chris Wilson's patch (Bugzilla #1681) to CMakeLists.txt for MSVC
76+ static compilation.
77+
78+ 19. Modified the RunTest script to incorporate a valgrind suppressions file so
79+ that certain errors, provoked by the SSE2 instruction set when JIT is used,
80+ are ignored.
81+
82+ 20. A racing condition is fixed in JIT reported by Mozilla.
83+
84+ 21. Minor code refactor to avoid "array subscript is below array bounds"
85+ compiler warning.
86+
87+ 22. Minor code refactor to avoid "left shift of negative number" warning.
88+
89+ 23. Fix typo causing compile error when 16- or 32-bit JIT is compiled without
90+ UCP support.
91+
92+ 24. Refactor to avoid compiler warnings in pcrecpp.cc.
93+
94+ 25. Refactor to fix a typo in pcre_jit_test.c
95+
96+ 26. Patch to support compiling pcrecpp.cc with Intel compiler.
97+
98+
799Version 8.38 23-November-2015
8100-----------------------------
9101
101021. If a group that contained a recursive back reference also contained a
11103 forward reference subroutine call followed by a non-forward-reference
12- subroutine call, for example /.((?2)(?R)\1)()/, pcre2_compile () failed to
104+ subroutine call, for example /.((?2)(?R)\1)()/, pcre_compile () failed to
13105 compile correct code, leading to undefined behaviour or an internally
14106 detected error. This bug was discovered by the LLVM fuzzer.
15107
0 commit comments