[MDEV-8445] With patched pcre getting ERROR 1139 (42000): Got error 'nothing to repeat at offset 24' from regexp Created: 2015-07-10  Updated: 2017-05-16  Resolved: 2017-05-16

Status: Closed
Project: MariaDB Server
Component/s: OTHER
Affects Version/s: 10.0.20
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Nirbhay Choubey (Inactive) Assignee: Alexander Barkov
Resolution: Won't Fix Votes: 0
Labels: SUSE


 Description   

Regarding CVE-2014-8964 (pcre: heap buffer overflow):

BEFORE UPDATE mariadb v16

MariaDB [(none)]> select 'a' RLIKE '((?=(?(?=(?(?=(?(?=())))*))))){2}';
+-----------------------------------------------+
| 'a' RLIKE '((?=(?(?=(?(?=(?(?=())))*))))){2}' |
+-----------------------------------------------+
|                                             1 |
+-----------------------------------------------+
1 row in set (0.00 sec)
 
MariaDB [(none)]> SELECT REGEXP_SUBSTR('a','((?=(?(?=(?(?=(?(?=())))*))))){2}');
+--------------------------------------------------------+
| REGEXP_SUBSTR('a','((?=(?(?=(?(?=(?(?=())))*))))){2}') |
+--------------------------------------------------------+
|                                                        |
+--------------------------------------------------------+
1 row in set (0.00 sec)
 
MariaDB [(none)]> SELECT REGEXP_INSTR('a','((?=(?(?=(?(?=(?(?=())))*))))){2}');
+-------------------------------------------------------+
| REGEXP_INSTR('a','((?=(?(?=(?(?=(?(?=())))*))))){2}') |
+-------------------------------------------------------+
|                                                     1 |
+-------------------------------------------------------+
1 row in set (0.00 sec)

AFTER UPDATE mariadb v20

MariaDB [test]> SELECT REGEXP_SUBSTR('a','((?=(?(?=(?(?=(?(?=())))*))))){2}');
ERROR 1139 (42000): Got error 'nothing to repeat at offset 24' from regexp
MariaDB [test]> SELECT REGEXP_INSTR('a','((?=(?(?=(?(?=(?(?=())))*))))){2}');
ERROR 1139 (42000): Got error 'nothing to repeat at offset 24' from regexp
MariaDB [test]> SELECT 'a' RLIKE '((?=(?(?=(?(?=(?(?=())))*))))){2}';
ERROR 1139 (42000): Got error 'nothing to repeat at offset 24' from regexp

This is probably OK; however, we would like to be sure.
Other "normal" regexps are OK, as are the regexps from the test suite.

https://bugzilla.suse.com/show_bug.cgi?id=937545



 Comments   
Comment by Elena Stepanova [ 2015-07-12 ]

Perl also throws an error on this pattern, so it seems to be justified:

$ perl -e '"a" =~ /((?=(?(?=(?(?=(?(?=())))*))))){2}/'
Quantifier follows nothing in regex; marked by <-- HERE in m/((?=(?(?=(?(?=(?(?=())))* <-- HERE ))))){2}/ at -e line 1.

Here is a shorter example that worked on 10.0.15 but causes an error now. Again, it also fails in perl:

MariaDB [test]> select @@version;
+-----------------+
| @@version       |
+-----------------+
| 10.0.15-MariaDB |
+-----------------+
1 row in set (0.00 sec)
 
MariaDB [test]> select 'a' RLIKE '(?(?=())*)';
+------------------------+
| 'a' RLIKE '(?(?=())*)' |
+------------------------+
|                      1 |
+------------------------+
1 row in set (0.00 sec)

MariaDB [test]> select @@version;
+-----------------------+
| @@version             |
+-----------------------+
| 10.0.20-MariaDB-debug |
+-----------------------+
1 row in set (0.00 sec)
 
MariaDB [test]> select 'a' RLIKE '(?(?=())*)';
ERROR 1139 (42000): Got error 'nothing to repeat at offset 8' from regexp

$ perl -e '"a" =~ /(?(?=())*)/'
Quantifier follows nothing in regex; marked by <-- HERE in m/(?(?=())* <-- HERE )/ at -e line 1.

I'll assign to bar to confirm.

Comment by Nirbhay Choubey (Inactive) [ 2015-09-08 ]

bar, is this a bug? If it is, can we target it for the next 10.0 version?

Comment by Sergei Golubchik [ 2017-05-16 ]

I'd say it's not a bug. MariaDB uses "Perl-compatible regular expressions". If MariaDB issues an error on the same pattern as Perl — it is compatible, all right.
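The outcome of this thread is a verification rule rather than a code change: on a server built against the patched PCRE, the quantified conditional patterns must raise ER_REGEXP_ERROR (1139), while ordinary conditionals must still compile. The stored procedure below turns that into a repeatable post-upgrade check. It is an added example, not part of the report, the SUSE bug, or MariaDB's test suite; the procedure name, the step bookkeeping and the third, well-formed pattern `(?(?=a)ab|cd)` are this example's own choices. Both rejected patterns are the ones quoted in the description and in Elena's comment.

```sql
-- Added regression check (example code, not from the report or from MariaDB):
-- after upgrading libpcre for CVE-2014-8964, confirm that the server refuses
-- the quantified conditional patterns from this issue and still accepts a
-- well-formed conditional. Procedure name and step numbering are assumptions.
DELIMITER //
DROP PROCEDURE IF EXISTS check_pcre_cve_2014_8964 //
CREATE PROCEDURE check_pcre_cve_2014_8964()
BEGIN
  DECLARE bad_short_rejected INT DEFAULT 0;
  DECLARE bad_long_rejected  INT DEFAULT 0;
  DECLARE good_rejected      INT DEFAULT 0;
  DECLARE current_step       INT DEFAULT 0;
  DECLARE match_result       INT;

  -- ER_REGEXP_ERROR (1139) is what the server raises when PCRE refuses to
  -- compile a pattern; record which step raised it and carry on.
  DECLARE CONTINUE HANDLER FOR 1139
  BEGIN
    IF current_step = 1 THEN SET bad_short_rejected = 1;
    ELSEIF current_step = 2 THEN SET bad_long_rejected = 1;
    ELSE SET good_rejected = 1;
    END IF;
  END;

  -- Step 1: the shorter pattern from Elena's comment
  SET current_step = 1;
  SELECT 'a' RLIKE '(?(?=())*)' INTO match_result;

  -- Step 2: the original pattern from the report
  SET current_step = 2;
  SELECT 'a' RLIKE '((?=(?(?=(?(?=(?(?=())))*))))){2}' INTO match_result;

  -- Step 3: a conditional with a lookahead assertion and no stray quantifier
  -- (constructed for this example) must compile and match on either build
  SET current_step = 3;
  SELECT 'ab' RLIKE '(?(?=a)ab|cd)' INTO match_result;

  SELECT bad_short_rejected, bad_long_rejected, good_rejected,
         CASE
           WHEN good_rejected = 1
             THEN 'broken: a valid conditional pattern was rejected'
           WHEN bad_short_rejected = 1 AND bad_long_rejected = 1
             THEN 'patched: quantified conditionals rejected, as in Perl'
           ELSE 'unpatched: server still compiles the CVE-2014-8964 test patterns'
         END AS verdict;
END //
DELIMITER ;

CALL check_pcre_cve_2014_8964();
```

On the 10.0.20 build from the report the verdict column reads "patched"; on a server linked against an unpatched PCRE, such as the 10.0.15/10.0.16 output above, both RLIKE calls succeed and the verdict reads "unpatched". The handler is a CONTINUE handler on purpose: every step runs regardless of earlier failures, so a single call reports all three results.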
