fix(lockfile): prevent infinite loop

Fix bug where yarn could get into an infinite loop when parsing a corrupted lockfile with an unterminated string.
yarnpkg · Oct 11, 2018 · b7cd239 · b7cd239
1 parent 800b266
commit b7cd239
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,10 @@ Please add one entry in this file for each change in Yarn's behavior. Use the sa
 
 ## Master
 
+- Prevent infinite loop when parsing corrupted lockfile with unterminated string
+
+  [#4965](https://github.com/yarnpkg/yarn/pull/4965) - [**Ryan Hendrickson**](https://github.com/rhendric)
+
 - Environment variables now have to **start** with `YARN_` (instead of just contain it) to be considered
 
   [#6518](https://github.com/yarnpkg/yarn/pull/6518) - [**Michael Gmelin**](https://blog.grem.de)

diff --git a/src/lockfile/parse.js b/src/lockfile/parse.js
@@ -94,7 +94,7 @@ function* tokenise(input: string): Iterator<Token> {
       }
     } else if (input[0] === '"') {
       let i = 1;
-      for (; ; i++) {
+      for (; i < input.length; i++) {
         if (input[i] === '"') {
           const isEscaped = input[i - 1] === '\\' && input[i - 2] !== '\\';
           if (!isEscaped) {