MariaDB Server: MDEV-8445

With patched pcre getting ERROR 1139 (42000): Got error 'nothing to repeat at offset 24' from regexp

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 10.0.20
    • Fix Version/s: 10.0
    • Component/s: None
    • Labels:

      Description

      Regarding CVE-2014-8964: pcre: heap buffer overflow

      BEFORE UPDATE mariadb v16

      MariaDB [(none)]> select 'a' RLIKE '((?=(?(?=(?(?=(?(?=())))*))))){2}';
      +-----------------------------------------------+
      | 'a' RLIKE '((?=(?(?=(?(?=(?(?=())))*))))){2}' |
      +-----------------------------------------------+
      |                                             1 |
      +-----------------------------------------------+
      1 row in set (0.00 sec)
      
      MariaDB [(none)]> SELECT REGEXP_SUBSTR('a','((?=(?(?=(?(?=(?(?=())))*))))){2}');
      +--------------------------------------------------------+
      | REGEXP_SUBSTR('a','((?=(?(?=(?(?=(?(?=())))*))))){2}') |
      +--------------------------------------------------------+
      |                                                        |
      +--------------------------------------------------------+
      1 row in set (0.00 sec)
      
      MariaDB [(none)]> SELECT REGEXP_INSTR('a','((?=(?(?=(?(?=(?(?=())))*))))){2}');
      +-------------------------------------------------------+
      | REGEXP_INSTR('a','((?=(?(?=(?(?=(?(?=())))*))))){2}') |
      +-------------------------------------------------------+
      |                                                     1 |
      +-------------------------------------------------------+
      1 row in set (0.00 sec)
      

      AFTER UPDATE mariadb v20

      MariaDB [test]> SELECT REGEXP_SUBSTR('a','((?=(?(?=(?(?=(?(?=())))*))))){2}');
      ERROR 1139 (42000): Got error 'nothing to repeat at offset 24' from regexp
      MariaDB [test]> SELECT REGEXP_INSTR('a','((?=(?(?=(?(?=(?(?=())))*))))){2}');
      ERROR 1139 (42000): Got error 'nothing to repeat at offset 24' from regexp
      MariaDB [test]> SELECT 'a' RLIKE '((?=(?(?=(?(?=(?(?=())))*))))){2}';
      ERROR 1139 (42000): Got error 'nothing to repeat at offset 24' from regexp
      

      This is probably OK; however, we would like to be sure.
      Other "normal" regexps are OK, as are the regexps from the test suite.

      https://bugzilla.suse.com/show_bug.cgi?id=937545


            Activity

            elenst Elena Stepanova added a comment -

            Perl also throws an error on this pattern, so it seems to be justified:

            $ perl -e '"a" =~ /((?=(?(?=(?(?=(?(?=())))*))))){2}/'
            Quantifier follows nothing in regex; marked by <-- HERE in m/((?=(?(?=(?(?=(?(?=())))* <-- HERE ))))){2}/ at -e line 1.
            

            Here is a shorter example that worked on 10.0.15 but causes an error now. Again, it also fails in Perl:

            MariaDB [test]> select @@version;
            +-----------------+
            | @@version       |
            +-----------------+
            | 10.0.15-MariaDB |
            +-----------------+
            1 row in set (0.00 sec)
            
            MariaDB [test]> select 'a' RLIKE '(?(?=())*)';
            +------------------------+
            | 'a' RLIKE '(?(?=())*)' |
            +------------------------+
            |                      1 |
            +------------------------+
            1 row in set (0.00 sec)
            
            MariaDB [test]> select @@version;
            +-----------------------+
            | @@version             |
            +-----------------------+
            | 10.0.20-MariaDB-debug |
            +-----------------------+
            1 row in set (0.00 sec)
            
            MariaDB [test]> select 'a' RLIKE '(?(?=())*)';
            ERROR 1139 (42000): Got error 'nothing to repeat at offset 8' from regexp
            
            $ perl -e '"a" =~ /(?(?=())*)/'
            Quantifier follows nothing in regex; marked by <-- HERE in m/(?(?=())* <-- HERE )/ at -e line 1.
            

            I'll assign to Alexander Barkov to confirm.

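The description and the comment above both relay PCRE's compile error through MariaDB's ERROR 1139 as "nothing to repeat at offset N", while Perl renders the same problem with a "<-- HERE" marker. The following Python is an added example, not code from MariaDB, PCRE or the reporters: it parses the ERROR 1139 text, renders the pattern Perl-style at the reported offset, and scans a pattern for the shape shown in the report, a quantifier placed directly after a lookaround assertion used as a conditional's condition (`(?(?=...)*`). Two assumptions are labelled in the code: that PCRE1's offset is the 0-based index of the character it rejected (both samples from the report put the `*` there), and that the scanner is a heuristic for this one construct rather than a full PCRE parser. Such a check is useful for triaging stored application patterns before a pcre upgrade that makes the compiler stricter.

```python
import re

# Constructed sample inputs, copied from the report: the two rejected patterns
# and the ERROR 1139 text MariaDB 10.0.20 returned for each.
PATTERN_LONG = "((?=(?(?=(?(?=(?(?=())))*))))){2}"
PATTERN_SHORT = "(?(?=())*)"
ERROR_LONG = "ERROR 1139 (42000): Got error 'nothing to repeat at offset 24' from regexp"
ERROR_SHORT = "ERROR 1139 (42000): Got error 'nothing to repeat at offset 8' from regexp"

# Shape of the message MariaDB relays from pcre_compile(): "<text> at offset <n>".
_ERR_RE = re.compile(r"Got error '(?P<msg>.+?) at offset (?P<off>\d+)' from regexp")

# Openers of the lookaround assertions that may serve as a conditional's condition.
_CONDITION_OPENERS = ("?=", "?!", "?<=", "?<!")


def parse_regexp_error(error_text):
    """Return (pcre_message, offset) from an ERROR 1139 line, or None for other errors."""
    m = _ERR_RE.search(error_text)
    if m is None:
        return None
    return m.group("msg"), int(m.group("off"))


def mark_offset(pattern, offset, marker=" <-- HERE "):
    """Render the pattern Perl-style, with the marker right after the character at `offset`.

    Assumption: PCRE1's error offset is the 0-based index of the character it
    choked on; both samples from the report have a '*' at that index.
    """
    if not 0 <= offset < len(pattern):
        raise ValueError("offset %d is outside the pattern" % offset)
    return pattern[: offset + 1] + marker + pattern[offset + 1 :]


def explain_error(pattern, error_text):
    """Return '<pcre message>: <marked pattern>', or None if the text is not a regexp error."""
    parsed = parse_regexp_error(error_text)
    if parsed is None:
        return None
    msg, off = parsed
    return "%s: %s" % (msg, mark_offset(pattern, off))


def _matching_paren(pattern, start):
    """Index of the ')' closing the '(' at `start`; skips escapes and character classes.

    Returns -1 if the group is never closed.
    """
    depth = 0
    in_class = False
    i = start
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":          # escaped character: never a delimiter
            i += 2
            continue
        if in_class:
            if c == "]":
                in_class = False
        elif c == "[":
            in_class = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return -1


def quantified_assertion_conditions(pattern):
    """Offsets of quantifiers that directly follow a lookaround used as a conditional's condition.

    Heuristic for the '(?(?=...)*' shape from the report (assumption: not a
    full PCRE parser). A quantifier after the whole conditional, as in
    '(?(?=a)b)*', is not flagged.
    """
    hits = []
    i = pattern.find("(?(")
    while i != -1:
        cond_start = i + 2                      # the '(' that opens the condition
        if pattern[cond_start + 1 :].startswith(_CONDITION_OPENERS):
            close = _matching_paren(pattern, cond_start)
            if close != -1 and close + 1 < len(pattern) and pattern[close + 1] in "*+?{":
                hits.append(close + 1)
        i = pattern.find("(?(", i + 1)
    return hits


if __name__ == "__main__":
    for pat, err in ((PATTERN_LONG, ERROR_LONG), (PATTERN_SHORT, ERROR_SHORT)):
        print(explain_error(pat, err))
        print("quantified assertion conditions at:", quantified_assertion_conditions(pat))
```

Run as a script, it prints the two patterns with the marker exactly where Perl put its "<-- HERE" in the comment above, and reports offsets 24 and 8, the same values PCRE returned through MariaDB.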
            nirbhay_c Nirbhay Choubey added a comment -

            Alexander Barkov, is this a bug? If it is, can we target it for the next 10.0 version?


              People

              • Assignee: bar Alexander Barkov
              • Reporter: nirbhay_c Nirbhay Choubey
              • Votes: 0
              • Watchers: 2
