From cfe85a9fe625fea55dc4f809fd91b5c061064508 Mon Sep 17 00:00:00 2001
From: Bill Glover
Date: Wed, 11 Mar 2020 22:12:00 +0000
Subject: Fix #3130: Crash at fuzzing target replacer (#3133)

* Fix #3130: Crash at fuzzing target replacer
* Add additional test case based on fuzzer feedback
---
 replacer.go | 8 +++++++-
 replacer_test.go | 8 ++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/replacer.go b/replacer.go
index 8823404..d1c58e8 100644
--- a/replacer.go
+++ b/replacer.go
@@ -124,6 +124,8 @@ func (r *Replacer) replace(input, empty string,
 // iterate the input to find each placeholder
 var lastWriteCursor int
+
+scan:
 for i := 0; i < len(input); i++ {
 // check for escaped braces
@@ -145,7 +147,11 @@ func (r *Replacer) replace(input, empty string,
 // if necessary look for the first closing brace that is not escaped
 for end > 0 && end < len(input)-1 && input[end-1] == phEscape {
- end = strings.Index(input[end+1:], string(phClose)) + end + 1
+ nextEnd := strings.Index(input[end+1:], string(phClose))
+ if nextEnd < 0 {
+ continue scan
+ }
+ end += nextEnd + 1
 }
 // write the substring from the last cursor to this point
diff --git a/replacer_test.go b/replacer_test.go
index 66bb537..a48917a 100644
--- a/replacer_test.go
+++ b/replacer_test.go
@@ -156,6 +156,14 @@ func TestReplacer(t *testing.T) {
 input: `\{'group':'default','max_age':3600,'endpoints':[\{'url':'https://some.domain.local/a/d/g'\}],'include_subdomains':true\}`,
 expect: `{'group':'default','max_age':3600,'endpoints':[{'url':'https://some.domain.local/a/d/g'}],'include_subdomains':true}`,
 },
+ {
+ input: `{}{}{}{\\\\}\\\\`,
+ expect: `{\\\}\\\\`,
+ },
+ {
+ input: string([]byte{0x26, 0x00, 0x83, 0x7B, 0x84, 0x07, 0x5C, 0x7D, 0x84}),
+ expect: string([]byte{0x26, 0x00, 0x83, 0x7B, 0x84, 0x07, 0x7D, 0x84}),
+ },
 } {
 actual := rep.ReplaceAll(tc.input, tc.empty)
 if actual != tc.expect {
--
cgit v1.2.3
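Review bot: In the second replacer.go hunk, the loop guard `end < len(input)-1` appears to leave one boundary uncovered: when the escaped closing brace is the final byte of the input, the loop body never runs, so the new `nextEnd < 0` bail-out is skipped and that escaped brace is still taken as the placeholder terminator. This is inferred from the visible condition only, since the computation of `end` and the rest of the loop body of `replace` lie outside the hunk. If that is not intended, relaxing the guard to `for end > 0 && end < len(input) && input[end-1] == phEscape {` would route the case through the same `continue scan` path, because `input[end+1:]` is then an empty slice and `strings.Index` returns -1. As this function was reached by a fuzzing target, it is worth confirming the behaviour with an explicit test before relying on it for untrusted input.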
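Review bot: The two cases added to TestReplacer carry no comment, and the byte-literal one gives a reader no hint of what it protects against, which makes it easy to prune later as noise. A line such as `// fuzzer regression for #3130: escaped closing brace with no unescaped closer after it` above that case would record why it exists. A companion case in which the escaped brace is the last byte of the input (the second new case without its trailing 0x84) would also pin down the boundary that the `end < len(input)-1` guard in replacer.go leaves untested.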