From: Timo Tijhof <krinklemail@gmail.com>
Date: Wed, 31 Jan 2018 03:55:15 +0000 (-0800)
Subject: JavaScriptMinifier: Fix "Uninitialized offset" in regexp char class parsing
X-Git-Tag: 1.31.0-rc.0~713^2
X-Git-Url: http://git.cyclocoop.org/%22%2C%20generer_url_ecrire%28?a=commitdiff_plain;h=3316a00c260dfdb7ca460dcb156dd45a8d7fc53d;p=lhc%2Fweb%2Fwiklou.git

JavaScriptMinifier: Fix "Uninitialized offset" in regexp char class parsing

Bug: T75556
Change-Id: I0bb63212dd44aec3c6b40477553dbf6a471bc7b3
---

diff --git a/includes/libs/JavaScriptMinifier.php b/includes/libs/JavaScriptMinifier.php
index a1a93d2b46..5ecfc7cc9b 100644
--- a/includes/libs/JavaScriptMinifier.php
+++ b/includes/libs/JavaScriptMinifier.php
@@ -498,6 +498,13 @@ class JavaScriptMinifier {
 					} while ( $end - 2 < $length && $s[$end - 2] === '\\' );
 					// Correction (1): Undo speculative add, keep only one (end of regexp)
 					$end--;
+					if ( $end > $length ) {
+						// Correction (2): Loop wrongly assumed "]" was seen
+						// String ended without ending char class or regexp. Correct $end.
+						// TODO: This is invalid and should throw.
+						$end--;
+						break;
+					}
 				}
 				// Search past the regexp modifiers (gi)
 				while ( $end < $length && ctype_alpha( $s[$end] ) ) {
diff --git a/tests/phpunit/includes/libs/JavaScriptMinifierTest.php b/tests/phpunit/includes/libs/JavaScriptMinifierTest.php
index d6a104002b..6734976b4a 100644
--- a/tests/phpunit/includes/libs/JavaScriptMinifierTest.php
+++ b/tests/phpunit/includes/libs/JavaScriptMinifierTest.php
@@ -86,6 +86,10 @@ class JavaScriptMinifierTest extends PHPUnit_Framework_TestCase {
 			// FIXME: This is invalid, but currently tolerated
 			[ "*/", "*/", false ],
 
+			// Cover failure case of incomplete char class in regexp (T75556)
+			// FIXME: This is invalid, but currently tolerated
+			[ "/a[b/.test", "/a[b/.test", false ],
+
 			// Cover failure case of incomplete string at end of file (T75556)
 			// FIXME: This is invalid, but currently tolerated
 			[ "'a", "'a", false ],