x/net/html: panic: runtime error: invalid memory address or nil pointer dereference

[tr3ee]

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.10.3 linux/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GORACE=""
GOTMPDIR=""
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"

What did you do?

package main

import (
	"strings"

	"golang.org/x/net/html"
)

func main() {
	r := strings.NewReader("<template><tBody><isindex/action=0>")
	html.Parse(r)
}

What did you expect to see?

No panic exit.

What did you see instead?

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x58 pc=0x47fd29]

goroutine 1 [running]:
golang.org/x/net/html.inBodyIM(0xc420118410, 0x4caa68)
        /path/to/gopath/src/golang.org/x/net/html/parse.go:988 +0x1d49
golang.org/x/net/html.inTableIM(0xc420118410, 0xc42014a000)
        /path/to/gopath/src/golang.org/x/net/html/parse.go:1433 +0x20e
golang.org/x/net/html.inTableBodyIM(0xc420118410, 0x0)
        /path/to/gopath/src/golang.org/x/net/html/parse.go:1590 +0x145
golang.org/x/net/html.(*parser).parseCurrentToken(0xc420118410)
        /path/to/gopath/src/golang.org/x/net/html/parse.go:2180 +0x84
golang.org/x/net/html.(*parser).parse(0xc420118410, 0xc42014c000, 0xc420118340)
        /path/to/gopath/src/golang.org/x/net/html/parse.go:2206 +0x5b
golang.org/x/net/html.Parse(0x4d5b00, 0xc42000a0e0, 0xc420110150, 0xc4200dff78, 0xc42001a118)
        /path/to/gopath/src/golang.org/x/net/html/parse.go:2232 +0xdb
main.main()
        /path/to/gopath/src/html/main.go:11 +0x73
exit status 2

[odeke-em]

Hello @tr3ee, thank you for reporting this issue and welcome to Go!

I noticed that you already filed #27702 with a somewhat similar repro but different crash stacktrace. I believe the common issue in both of them is incomplete tags?
If the issue is the same, would you mind closing this one? A consolidated issue is easier to track but also please provide the content of this bug as a reproducer for that issue. If not, please ignore my comments..

In the meantime, I'll page @nigeltao @namusyaka

[tr3ee]

Hello @odeke-em , thank you for your reply.

It's ok if you close this, and I will re-edit the content of issue #27702 .

[tr3ee]

CVE-2018-17143 has been assigned to this.

[tr3ee]

Hello @odeke-em ,
After discussing with the CVE Assignment Team members, I think it's best to reopen this issue, because of CNA rules counting_decisions

[namusyaka]

@tr3ee Thank you for your report!

This isn't same with #27702 so I will fix these issues separately.

[gopherbot]

Change https://golang.org/cl/136575 mentions this issue: html: avoid panic even if unconsidered <isindex> and <template> combination