Fix #3130: Crash at fuzzing target replacer (#3133)

* Fix #3130: Crash at fuzzing target replacer

* Add additional test case based on fuzzer feedback

2 files changed, 15 insertions, 1 deletions

diff --git a/replacer.go b/replacer.go
index 8823404..d1c58e8 100644
--- a/replacer.go
+++ b/replacer.go
@@ -124,6 +124,8 @@ func (r *Replacer) replace(input, empty string,
 
 	// iterate the input to find each placeholder
 	var lastWriteCursor int
+	
+scan:
 	for i := 0; i < len(input); i++ {
 
 		// check for escaped braces
@@ -145,7 +147,11 @@ func (r *Replacer) replace(input, empty string,
 
 		// if necessary look for the first closing brace that is not escaped
 		for end > 0 && end < len(input)-1 && input[end-1] == phEscape {
-			end = strings.Index(input[end+1:], string(phClose)) + end + 1
+			nextEnd := strings.Index(input[end+1:], string(phClose))
+			if nextEnd < 0 {
+				continue scan
+			}
+			end += nextEnd + 1
 		}
 
 		// write the substring from the last cursor to this point
diff --git a/replacer_test.go b/replacer_test.go
index 66bb537..a48917a 100644
--- a/replacer_test.go
+++ b/replacer_test.go
@@ -156,6 +156,14 @@ func TestReplacer(t *testing.T) {
 			input:  `\{'group':'default','max_age':3600,'endpoints':[\{'url':'https://some.domain.local/a/d/g'\}],'include_subdomains':true\}`,
 			expect: `{'group':'default','max_age':3600,'endpoints':[{'url':'https://some.domain.local/a/d/g'}],'include_subdomains':true}`,
 		},
+		{
+			input:  `{}{}{}{\\\\}\\\\`,
+			expect: `{\\\}\\\\`,
+		},
+		{
+			input:  string([]byte{0x26, 0x00, 0x83, 0x7B, 0x84, 0x07, 0x5C, 0x7D, 0x84}),
+			expect: string([]byte{0x26, 0x00, 0x83, 0x7B, 0x84, 0x07, 0x7D, 0x84}),
+		},
 	} {
 		actual := rep.ReplaceAll(tc.input, tc.empty)
 		if actual != tc.expect {