jenkins-bot has submitted this change and it was merged. (
https://gerrit.wikimedia.org/r/403332 )
Change subject: JavaScriptMinifier: Fix "Uninitialized offset" in string and
regexp parsing
......................................................................
JavaScriptMinifier: Fix "Uninitialized offset" in string and regexp parsing
When parsing an incomplete string literal or regex literal at the end of a file,
$end would be set to an offset higher than $length, because the code
speculatively increases $end without correcting for this scenario.
This is due to the assumption that the strcspn() search will end because
an end character was seen, instead of simply ending because the string
doesn't have any further characters.
Bug: T75556
Change-Id: I2325c9aff33293c13ff414699c2d47306182aaa6
---
M includes/libs/JavaScriptMinifier.php
M tests/phpunit/includes/libs/JavaScriptMinifierTest.php
2 files changed, 22 insertions(+), 2 deletions(-)
Approvals:
MaxSem: Looks good to me, approved
jenkins-bot: Verified
diff --git a/includes/libs/JavaScriptMinifier.php
b/includes/libs/JavaScriptMinifier.php
index 679da2b..5e7373e 100644
--- a/includes/libs/JavaScriptMinifier.php
+++ b/includes/libs/JavaScriptMinifier.php
@@ -455,6 +455,12 @@
} while( $end - 2 < $length && $s[$end - 2] ===
'\\' );
// Correction (1): Undo speculative add, keep
only one (end of string literal)
$end--;
+ if ( $end > $length ) {
+ // Correction (2): Loop wrongly assumed
an end quote ended the search,
+ // but search ended because we've
reached the end. Correct $end.
+ // TODO: This is invalid and should
throw.
+ $end--;
+ }
// We have to distinguish between regexp literals and
division operators
// A division operator is only possible in certain
states
} elseif( $ch === '/' && !isset( $divStates[$state] ) )
{
@@ -471,8 +477,14 @@
} while( $end - 2 < $length && $s[$end
- 2] === '\\' );
// Correction (1): Undo speculative
add, keep only one (end of regexp)
$end--;
- // If the end, stop here.
- if( $end - 1 >= $length || $s[$end - 1]
=== '/' ) {
+ if ( $end > $length ) {
+ // Correction (2): Loop wrongly
assumed end slash was seen
+ // String ended without end of
regexp. Correct $end.
+ // TODO: This is invalid and
should throw.
+ $end--;
+ break;
+ }
+ if ( $s[$end - 1] === '/' ) {
break;
}
// (Implicit else), we must've found
the start of a char class,
diff --git a/tests/phpunit/includes/libs/JavaScriptMinifierTest.php
b/tests/phpunit/includes/libs/JavaScriptMinifierTest.php
index 5061e27..d6a1040 100644
--- a/tests/phpunit/includes/libs/JavaScriptMinifierTest.php
+++ b/tests/phpunit/includes/libs/JavaScriptMinifierTest.php
@@ -82,6 +82,14 @@
"var a=this\nfor(b=0;c<d;b++){}"
],
+ // Cover failure case of incomplete regexp at end of
file (T75556)
+ // FIXME: This is invalid, but currently tolerated
+ [ "*/", "*/", false ],
+
+ // Cover failure case of incomplete string at end of
file (T75556)
+ // FIXME: This is invalid, but currently tolerated
+ [ "'a", "'a", false ],
+
// Token separation
[ "x in y", "x in y" ],
[ "/x/g in y", "/x/g in y" ],
--
To view, visit https://gerrit.wikimedia.org/r/403332
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I2325c9aff33293c13ff414699c2d47306182aaa6
Gerrit-PatchSet: 3
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Krinkle <krinklem...@gmail.com>
Gerrit-Reviewer: Catrope <r...@wikimedia.org>
Gerrit-Reviewer: Krinkle <krinklem...@gmail.com>
Gerrit-Reviewer: MaxSem <maxsem.w...@gmail.com>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
