x/net/html: panic: runtime error: index out of range #27846

Closed
tr3ee opened this issue Sep 25, 2018 · 6 comments

tr3ee commented Sep 25, 2018

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.10.3 windows/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

```
set GOARCH=amd64
set GOBIN=
set GOEXE=.exe
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOOS=windows
set GORACE=
set GOTMPDIR=
set GCCGO=gccgo
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
```

NOTE: there are two different issues below

BUG 1

What did you do?

```go
package main

import (
	"strings"

	"golang.org/x/net/html"
)

func main() {
	r := strings.NewReader("<svg><template><desc><t><svg></template>")
	html.Parse(r)
}
```

What did you expect to see?

No panic exit

What did you see instead?

```
panic: runtime error: index out of range

goroutine 1 [running]:
golang.org/x/net/html.(*nodeStack).pop(...)
        /path/to/gopath/src/golang.org/x/net/html/node.go:153
golang.org/x/net/html.(*parser).clearActiveFormattingElements(0xc042050410)
        /path/to/gopath/src/golang.org/x/net/html/parse.go:372 +0x4d
golang.org/x/net/html.inHeadIM(0xc042050410, 0x40df23)
        /path/to/gopath/src/golang.org/x/net/html/parse.go:675 +0xff
golang.org/x/net/html.inBodyIM(0xc042050410, 0x2)
        /path/to/gopath/src/golang.org/x/net/html/parse.go:1138 +0x3425
golang.org/x/net/html.parseForeignContent(0xc042050410, 0x1)
        /path/to/gopath/src/golang.org/x/net/html/parse.go:2122 +0x80a
golang.org/x/net/html.(*parser).parseCurrentToken(0xc042050410)
        /path/to/gopath/src/golang.org/x/net/html/parse.go:2190 +0x6f
golang.org/x/net/html.(*parser).parse(0xc042050410, 0xc0420a2000, 0xc042050340)
        /path/to/gopath/src/golang.org/x/net/html/parse.go:2218 +0x62
golang.org/x/net/html.Parse(0x4e14c0, 0xc0420024c0, 0xc0420661e0, 0xc04206ff78, 0xc042048058)
        /path/to/gopath/src/golang.org/x/net/html/parse.go:2244 +0xe2
main.main()
        /path/to/gopath/src/main.go:11 +0x7a
exit status 2
```

BUG 2

What did you do?

```go
package main

import (
	"strings"

	"golang.org/x/net/html"
)

func main() {
	r := strings.NewReader("<math><template><mn><b></template>")
	html.Parse(r)
}
```

What did you expect to see?

No panic exit

What did you see instead?

```
panic: runtime error: index out of range

goroutine 1 [running]:
golang.org/x/net/html.(*insertionModeStack).pop(...)
        /path/to/gopath/src/golang.org/x/net/html/node.go:210
golang.org/x/net/html.inHeadIM(0xc042056340, 0x40)
        /path/to/gopath/src/golang.org/x/net/html/parse.go:676 +0x74f
golang.org/x/net/html.inBodyIM(0xc042056340, 0x0)
        /path/to/gopath/src/golang.org/x/net/html/parse.go:1138 +0x3425
golang.org/x/net/html.(*parser).parseCurrentToken(0xc042056340)
        /path/to/gopath/src/golang.org/x/net/html/parse.go:2192 +0x8b
golang.org/x/net/html.(*parser).parse(0xc042056340, 0xc0420b6000, 0xc042056270)
        /path/to/gopath/src/golang.org/x/net/html/parse.go:2218 +0x62
golang.org/x/net/html.Parse(0x4e14c0, 0xc042054460, 0xc0420701e0, 0xc042079f78, 0xc042048058)
        /path/to/gopath/src/golang.org/x/net/html/parse.go:2244 +0xe2
main.main()
        /path/to/gopath/src/main.go:11 +0x7a
exit status 2
```

@gopherbot gopherbot added this to the Unreleased milestone Sep 25, 2018
@odeke-em
Member

Thank you for reporting these bugs @tr3ee! You are on a roll, nice.
/cc @nigeltao @namusyaka @bradfitz

Perhaps this calls for us to fuzz the x/net/html package /cc @dgryski @dvyukov

@tr3ee
Author

tr3ee commented Sep 26, 2018

> Thank you for reporting these bugs @tr3ee! You are on a roll, nice.
> /cc @nigeltao @namusyaka @bradfitz
>
> Perhaps this calls for us to fuzz the x/net/html package /cc @dgryski @dvyukov

I think @dvyukov / go-fuzz (It's quite an awesome project BTW) seems perfect to do that. I'd like to help, but I don't know much about this fuzz thing.
Besides, is there anyone already working on it? is it OK to use go-fuzz inside x/net/html?

@dvyukov
Member

dvyukov commented Sep 26, 2018

> but I don't know much about this fuzz thing.

What do you want to know?

> Besides, is there anyone already working on it?

I am not.

> is it OK to use go-fuzz inside x/net/html?

What exactly do you mean?

@tr3ee
Author

tr3ee commented Sep 26, 2018

> > is it OK to use go-fuzz inside x/net/html?
>
> What exactly do you mean?

I just learned about go-fuzz project and wrote some ugly code tr3ee/net@a59147a

but it works fine for me and already found a crasher.

	"[template]<table></>" +
	"<table><table><_333J" +
	"__Nl1nimuwV_0_t80x_T" +
	"ACB_bic_><table>1_mq" +
	"kW3Y1uzD<table><tabl" +
	"e><__N2_bv__wq_Jqb_4" +
	"x_2i3_pP71A3F_AxqBdv" +
	"L_46_LD_f0_iH_4Jrs_y" +
	"z4L28Kq36Z_E6____ra3" +
	"Tv_><table><table><t" +
	"able><EW><table><tab" +
	"le><table><table>{ta" +
	"ble}<><table><_>{tab" +
	"letableE}<><table><t" +
	"able>[table]<table><" +
	"><><table><table><ta" +
	"ble><table><><tablel" +
	"4cg1_na_5b70h2Qu8Dv_" +
	"Y__T__RY_G>(table)<t" +
	"able><table><table><" +
	"table><table><table>" +
	"<table><<svg><3_><de" +
	"sc><><select>\x00<><><d" +
	"esc><select>\"select\"" +
	"\x00<svg><html><desc><>" +
	"`u3_>\x00<svg><html><D9" +
	"9><select><select>}<" +
	"><html><&><select><>" +
	")<svg>/table<desc><s" +
	"elect><select>\x0f<><1_" +
	"IV_byyC><Kn_DL6Hq0CR" +
	"YBJyOflyuWTozjf__PDU" +
	"H3evJ_n_6tL____kUs9O" +
	"_d2><select><87b_sel" +
	"ect>}<html><CY><sele" +
	"ct><select>)<table><" +
	"table><oOe>\"'<><tabl" +
	"e><table><table>`tab" +
	"le><table><table><><" +
	"table><><table><3q>#" +
	"<table><table>\"table" +
	"\"<><table><table>"

@dvyukov
Member

dvyukov commented Sep 26, 2018

Working as expected :)

@gopherbot

Change https://golang.org/cl/159397 mentions this issue: html: make (*nodeStack)contains distinguish namespace
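
An added sketch, not x/net/html code and not written by anyone in this thread, of the failure class in the two traces above: a name-only membership check accepts a foreign-namespace `template`, and the following unchecked pop hits an empty stack. The pre-fix and post-fix checks are assumptions inferred from the CL title, and every name here (`element`, `closeTemplate`, `containsAnyNS`, `containsHTML`) is hypothetical.

```go
package main

import "fmt"

// element is a constructed stand-in for a node: namespace ("" means HTML) and tag.
type element struct{ ns, tag string }

// containsAnyNS matches on tag name only (the assumed pre-fix behaviour).
func containsAnyNS(open []element, tag string) bool {
	for _, e := range open {
		if e.tag == tag {
			return true
		}
	}
	return false
}

// containsHTML also requires the HTML namespace (the assumed post-fix behaviour).
func containsHTML(open []element, tag string) bool {
	for _, e := range open {
		if e.ns == "" && e.tag == tag {
			return true
		}
	}
	return false
}

// closeTemplate models handling </template>: when the check reports an open
// template, it pops the template-mode stack. recover turns a panic into an error.
func closeTemplate(open []element, modes []string, contains func([]element, string) bool) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("parser panic: %v", r)
		}
	}()
	if !contains(open, "template") {
		return nil // stray end tag: ignore it
	}
	_ = modes[len(modes)-1] // unchecked pop, panics on an empty stack
	return nil
}

func main() {
	// Constructed state after "<svg><template>": the template is in the svg
	// namespace, so no template insertion mode was ever pushed.
	open := []element{{"", "html"}, {"", "body"}, {"svg", "svg"}, {"svg", "template"}}
	fmt.Println("name-only check:", closeTemplate(open, nil, containsAnyNS))
	fmt.Println("namespace-aware:", closeTemplate(open, nil, containsHTML))
}
```

The `defer`/`recover` wrapper is the caller-side guard: code that hands untrusted markup to a parser can convert an unexpected panic into an error instead of letting the process exit.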

@golang golang locked and limited conversation to collaborators Jan 25, 2020