RDoc::Markdown.parse crashes with invalid note reference

Open zelivans opened this issue 7 years ago • 0 comments

Hi, I've been testing rdoc with a Ruby fuzzing tool (kisaten) and found a few bugs. So far I only caught bugs in markdown.rb; this is the first one. I am testing against the master branch but the bugs should be reproducible in older releases. In my code I used the following lines:

require 'rdoc'
data = "[[^0]" # the minimized input from "Example input" below
formatter = RDoc::Markup::ToHtml.new(RDoc::Options.new, nil)
html = RDoc::Markdown.parse(data).accept(formatter)

Raw crash

/shared/rdoc/lib/rdoc/markdown.rb:739:in `note_for': undefined method `<<' for nil:NilClass (NoMethodError)
	from /shared/rdoc/lib/rdoc/markdown.rb:15154:in `_NoteReference'
	from /shared/rdoc/lib/rdoc/markdown.rb:481:in `apply'
	from /shared/rdoc/lib/rdoc/markdown.rb:9518:in `_Inline'
	from /shared/rdoc/lib/rdoc/markdown.rb:481:in `apply'
	from /shared/rdoc/lib/rdoc/markdown.rb:11888:in `_Label'
	from /shared/rdoc/lib/rdoc/markdown.rb:481:in `apply'
	from /shared/rdoc/lib/rdoc/markdown.rb:11750:in `_Reference'
	from /shared/rdoc/lib/rdoc/markdown.rb:481:in `apply'
	from /shared/rdoc/lib/rdoc/markdown.rb:12275:in `_References'
	from /shared/rdoc/lib/rdoc/markdown.rb:481:in `apply'
	from /shared/rdoc/lib/rdoc/markdown.rb:388:in `parse'
	from /shared/rdoc/lib/rdoc/markdown.rb:777:in `parse'
	from /shared/rdoc/lib/rdoc/markdown.rb:621:in `parse'
	from tst.rb:10:in `<main>'

Example input

I tried to minimize the crashing fuzzer file to the minimum needed to reproduce the bug. If needed, I'll upload the original files as well. It should crash with the following in data:

[[^0]

Explanation

It seems that note_ref is getting called with nil as a parameter from the _NoteReference method. It doesn't expect nil and tries to call #<< on it, resulting in an unhandled NoMethodError.

zelivans, Sep 21 '18 19:09
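A regression harness for fuzzer findings like this one, added here as an example and not part of the issue or of rdoc itself: it replays minimized inputs through the same RDoc::Markdown -> ToHtml path the report uses and records which ones still raise, so crashes can be tracked until they are fixed. The corpus entries other than the issue's `[[^0]` are constructed.

```ruby
# Added regression harness (not from the issue): replays minimized fuzzer
# inputs through the RDoc::Markdown -> ToHtml path the report uses and
# records which ones still raise instead of aborting on the first one.
require 'rdoc'

# Constructed corpus: the minimized crasher from the issue plus two benign
# inputs, one exercising the note (footnote) reference syntax correctly.
CRASH_CORPUS = {
  'issue_note_reference' => "[[^0]",
  'valid_footnote'       => "text[^1]\n\n[^1]: a note\n",
  'plain_paragraph'      => "hello world\n",
}.freeze

# Render one input exactly as the bug report does. Returns a Hash rather
# than raising, so a whole corpus can be replayed in a single run.
def render_markdown(data)
  formatter = RDoc::Markup::ToHtml.new(RDoc::Options.new, nil)
  html = RDoc::Markdown.parse(data).accept(formatter)
  { ok: true, html: html }
rescue StandardError => e
  # The report's NoMethodError (`<<' for nil:NilClass) lands here.
  { ok: false, error: e.class.name, message: e.message }
end

# Replay every corpus entry; returns name => result.
def replay_corpus(corpus = CRASH_CORPUS)
  corpus.to_h { |name, data| [name, render_markdown(data)] }
end

# Names of inputs that still crash; an empty list means every finding
# in the corpus is fixed in the installed rdoc.
def still_crashing(results)
  results.reject { |_, r| r[:ok] }.keys
end

if $PROGRAM_NAME == __FILE__
  results = replay_corpus
  results.each do |name, r|
    status = r[:ok] ? 'ok' : "#{r[:error]}: #{r[:message]}"
    puts "#{name.ljust(22)} #{status}"
  end
  puts "still crashing: #{still_crashing(results).inspect}"
end
```

Run it against each rdoc release under test; an entry moving from an error to `ok` is the fix landing, and a new name appearing in `still crashing` is a regression.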