jenkins-bot has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/403332 )
Change subject: JavaScriptMinifier: Fix "Uninitialized offset" in string and regexp parsing ...................................................................... JavaScriptMinifier: Fix "Uninitialized offset" in string and regexp parsing When parsing an incomplete string literal or regex literal at the end of a file, $end would be set to an offset higher than $length, because the code speculatively increases $end without correcting for this scenario. This is due to the assumption that the strcspn() search will end because an end character was seen, instead of simply ending because the string doesn't have any further characters. Bug: T75556 Change-Id: I2325c9aff33293c13ff414699c2d47306182aaa6 --- M includes/libs/JavaScriptMinifier.php M tests/phpunit/includes/libs/JavaScriptMinifierTest.php 2 files changed, 22 insertions(+), 2 deletions(-) Approvals: MaxSem: Looks good to me, approved jenkins-bot: Verified diff --git a/includes/libs/JavaScriptMinifier.php b/includes/libs/JavaScriptMinifier.php index 679da2b..5e7373e 100644 --- a/includes/libs/JavaScriptMinifier.php +++ b/includes/libs/JavaScriptMinifier.php @@ -455,6 +455,12 @@ } while( $end - 2 < $length && $s[$end - 2] === '\\' ); // Correction (1): Undo speculative add, keep only one (end of string literal) $end--; + if ( $end > $length ) { + // Correction (2): Loop wrongly assumed an end quote ended the search, + // but search ended because we've reached the end. Correct $end. + // TODO: This is invalid and should throw. + $end--; + } // We have to distinguish between regexp literals and division operators // A division operator is only possible in certain states } elseif( $ch === '/' && !isset( $divStates[$state] ) ) { @@ -471,8 +477,14 @@ } while( $end - 2 < $length && $s[$end - 2] === '\\' ); // Correction (1): Undo speculative add, keep only one (end of regexp) $end--; - // If the end, stop here. - if( $end - 1 >= $length || $s[$end - 1] === '/' ) { + if ( $end > $length ) { + // Correction (2): Loop wrongly assumed end slash was seen + // String ended without end of regexp. Correct $end. + // TODO: This is invalid and should throw. + $end--; + break; + } + if ( $s[$end - 1] === '/' ) { break; } // (Implicit else), we must've found the start of a char class, diff --git a/tests/phpunit/includes/libs/JavaScriptMinifierTest.php b/tests/phpunit/includes/libs/JavaScriptMinifierTest.php index 5061e27..d6a1040 100644 --- a/tests/phpunit/includes/libs/JavaScriptMinifierTest.php +++ b/tests/phpunit/includes/libs/JavaScriptMinifierTest.php @@ -82,6 +82,14 @@ "var a=this\nfor(b=0;c<d;b++){}" ], + // Cover failure case of incomplete regexp at end of file (T75556) + // FIXME: This is invalid, but currently tolerated + [ "*/", "*/", false ], + + // Cover failure case of incomplete string at end of file (T75556) + // FIXME: This is invalid, but currently tolerated + [ "'a", "'a", false ], + // Token separation [ "x in y", "x in y" ], [ "/x/g in y", "/x/g in y" ], -- To view, visit https://gerrit.wikimedia.org/r/403332 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I2325c9aff33293c13ff414699c2d47306182aaa6 Gerrit-PatchSet: 3 Gerrit-Project: mediawiki/core Gerrit-Branch: master Gerrit-Owner: Krinkle <krinklem...@gmail.com> Gerrit-Reviewer: Catrope <r...@wikimedia.org> Gerrit-Reviewer: Krinkle <krinklem...@gmail.com> Gerrit-Reviewer: MaxSem <maxsem.w...@gmail.com> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits