Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Won't Fix
Version: 10.0.20
Description
Regarding CVE-2014-8964: pcre: heap buffer overflow
BEFORE UPDATE mariadb v16

MariaDB [(none)]> select 'a' RLIKE '((?=(?(?=(?(?=(?(?=())))*))))){2}';
+-----------------------------------------------+
| 'a' RLIKE '((?=(?(?=(?(?=(?(?=())))*))))){2}' |
+-----------------------------------------------+
|                                             1 |
+-----------------------------------------------+
1 row in set (0.00 sec)

MariaDB [(none)]> SELECT REGEXP_SUBSTR('a','((?=(?(?=(?(?=(?(?=())))*))))){2}');
+--------------------------------------------------------+
| REGEXP_SUBSTR('a','((?=(?(?=(?(?=(?(?=())))*))))){2}') |
+--------------------------------------------------------+
|                                                        |
+--------------------------------------------------------+
1 row in set (0.00 sec)

MariaDB [(none)]> SELECT REGEXP_INSTR('a','((?=(?(?=(?(?=(?(?=())))*))))){2}');
+-------------------------------------------------------+
| REGEXP_INSTR('a','((?=(?(?=(?(?=(?(?=())))*))))){2}') |
+-------------------------------------------------------+
|                                                     1 |
+-------------------------------------------------------+
1 row in set (0.00 sec)

AFTER UPDATE mariadb v20

MariaDB [test]> SELECT REGEXP_SUBSTR('a','((?=(?(?=(?(?=(?(?=())))*))))){2}');
ERROR 1139 (42000): Got error 'nothing to repeat at offset 24' from regexp

MariaDB [test]> SELECT REGEXP_INSTR('a','((?=(?(?=(?(?=(?(?=())))*))))){2}');
ERROR 1139 (42000): Got error 'nothing to repeat at offset 24' from regexp

MariaDB [test]> SELECT 'a' RLIKE '((?=(?(?=(?(?=(?(?=())))*))))){2}';
ERROR 1139 (42000): Got error 'nothing to repeat at offset 24' from regexp
|
This is probably OK, however we would like to be sure.
Other "normal" regexps are OK, as are the regexps from the test suite.
Perl also throws an error on this pattern, so it seems to be justified:
$ perl -e '"a" =~ /((?=(?(?=(?(?=(?(?=())))*))))){2}/'
Quantifier follows nothing in regex; marked by <-- HERE in m/((?=(?(?=(?(?=(?(?=())))* <-- HERE ))))){2}/ at -e line 1.
Here is a shorter example that worked on 10.0.15 but causes an error now. Again, it also fails in Perl:
MariaDB [test]> select @@version;
+-----------------+
| @@version |
+-----------------+
| 10.0.15-MariaDB |
+-----------------+
1 row in set (0.00 sec)
MariaDB [test]> select 'a' RLIKE '(?(?=())*)';
+------------------------+
| 'a' RLIKE '(?(?=())*)' |
+------------------------+
| 1 |
+------------------------+
1 row in set (0.00 sec)
MariaDB [test]> select @@version;
+-----------------------+
| @@version |
+-----------------------+
| 10.0.20-MariaDB-debug |
+-----------------------+
1 row in set (0.00 sec)
MariaDB [test]> select 'a' RLIKE '(?(?=())*)';
ERROR 1139 (42000): Got error 'nothing to repeat at offset 8' from regexp
$ perl -e '"a" =~ /(?(?=())*)/'
Quantifier follows nothing in regex; marked by <-- HERE in m/(?(?=())* <-- HERE )/ at -e line 1.
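A fail-closed check for the behaviour shown above, added here as an example and not part of the bug report or of MariaDB's code: it compiles each pattern up front and treats a compile error as the expected, safe outcome for a malformed pattern, so the application reports it instead of handing the pattern on. It uses Python's `re` module, which does not implement PCRE's lookahead conditionals and therefore rejects the two reported patterns as malformed for its own reason; the error text differs from PCRE's 'nothing to repeat'. The function names and the extra "normal" pattern are mine.

```python
import re

# The two patterns from this report (constructed list): both were accepted by
# the old bundled PCRE and are rejected at compile time by the updated one.
REPORTED_PATTERNS = [
    "((?=(?(?=(?(?=(?(?=())))*))))){2}",
    "(?(?=())*)",
]

# An ordinary pattern of the kind the report says still works (constructed).
NORMAL_PATTERN = "^a+$"


def check_pattern(pattern):
    """Try to compile a regex and return (ok, message).

    A compile error is the desired result for a malformed pattern: the caller
    gets a clear rejection rather than passing the pattern on to a query.
    """
    try:
        re.compile(pattern)
    except re.error as exc:
        # Keep the engine's own message; it names the offending offset.
        return False, "rejected: %s" % exc
    return True, "compiled"


def rejected_patterns(patterns):
    """Return the subset of patterns that fail to compile, in input order."""
    return [p for p in patterns if not check_pattern(p)[0]]


if __name__ == "__main__":
    for p in REPORTED_PATTERNS + [NORMAL_PATTERN]:
        ok, msg = check_pattern(p)
        print("%s %r: %s" % ("OK " if ok else "ERR", p, msg))
```

Run it as a script to see the two reported patterns rejected and the ordinary one accepted; `check_pattern` is the piece to call before a user-supplied pattern reaches `RLIKE`, `REGEXP_SUBSTR` or `REGEXP_INSTR`.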
I'll assign to bar to confirm.