While fuzzing a downstream project (static-site-generator), I discovered a reproducible panic in pulldown-cmark v0.13.3. The panic occurs in the Parser's next method due to an unwrap() on a None value.
This issue specifically triggers when both Options::ENABLE_TASKLISTS and Options::ENABLE_STRIKETHROUGH are enabled.
I have isolated the crash into this standalone main.rs:
```rust
use pulldown_cmark::{Parser, Options, html};

fn main() {
    // Fuzzer-generated input that triggers the panic.
    let markdown_input = "* [ ] ~![=?\\*\x0c\x00\x00 \x0d* [ 1=1\x00\x0d<!]:[=?\\\x0d\x0c\n* [ ] \x0d\x0c% ";

    // Both extensions must be enabled for the panic to occur.
    let mut options = Options::empty();
    options.insert(Options::ENABLE_TASKLISTS);
    options.insert(Options::ENABLE_STRIKETHROUGH);

    let parser = Parser::new_ext(markdown_input, options);
    let mut html_output = String::new();
    // Panics inside Parser::next while the HTML writer drives the iterator.
    html::push_html(&mut html_output, parser);
    println!("Success!");
}
```
Steps to Reproduce
- Initialize a new project:
  ```sh
  cargo new test_cmark
  cd test_cmark
  ```
- Update Cargo.toml with the following dependency:
  ```toml
  [dependencies]
  pulldown-cmark = "0.13.3"
  ```
- Replace src/main.rs with the PoC code provided above.
- Run the program with backtrace enabled:
  ```sh
  RUST_BACKTRACE=1 cargo run
  ```
Output
```text
thread 'main' (185354) panicked at /home/user/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/pulldown-cmark-0.13.3/src/parse.rs:2367:37:
called `Option::unwrap()` on a `None` value
stack backtrace:
   0: __rustc::rust_begin_unwind
             at /rustc/66da6cae1a6f12e9585493ab8f8f19cf753091fd/library/std/src/panicking.rs:689:5
   1: core::panicking::panic_fmt
             at /rustc/66da6cae1a6f12e9585493ab8f8f19cf753091fd/library/core/src/panicking.rs:80:14
   2: core::panicking::panic
             at /rustc/66da6cae1a6f12e9585493ab8f8f19cf753091fd/library/core/src/panicking.rs:150:5
   3: core::option::unwrap_failed
             at /rustc/66da6cae1a6f12e9585493ab8f8f19cf753091fd/library/core/src/option.rs:2251:5
   4: <core::option::Option<pulldown_cmark::tree::TreeIndex>>::unwrap
             at /home/user/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/option.rs:1016:21
   5: <pulldown_cmark::parse::Parser as core::iter::traits::iterator::Iterator>::next
             at /home/user/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/pulldown-cmark-0.13.3/src/parse.rs:2367:37
   6: <pulldown_cmark::html::HtmlWriter<pulldown_cmark::parse::Parser, pulldown_cmark_escape::FmtWriter<&mut alloc::string::String>>>::run
             at /home/user/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/pulldown-cmark-0.13.3/src/html.rs:93:43
   7: pulldown_cmark::html::write_html_fmt::<pulldown_cmark::parse::Parser, &mut alloc::string::String>
             at /home/user/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/pulldown-cmark-0.13.3/src/html.rs:630:46
   8: pulldown_cmark::html::push_html::<pulldown_cmark::parse::Parser>
             at /home/user/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/pulldown-cmark-0.13.3/src/html.rs:554:5
   9: test_cmark::main
             at ./src/main.rs:13:5
  10: <fn() as core::ops::function::FnOnce<()>>::call_once
             at /home/user/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:250:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
```
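A downstream containment sketch for this class of crash, added here as an example; it is not part of the original report or of pulldown-cmark. `render_contained` and `standin_render` are hypothetical names, and the stand-in renderer is constructed so the block runs without the crate.

```rust
use std::panic::{self, AssertUnwindSafe};

/// Run a Markdown renderer on untrusted input; a panic inside it becomes an
/// `Err` instead of unwinding through the caller. Needs the default
/// `panic = "unwind"` profile: with `panic = "abort"` the process still dies.
pub fn render_contained<F>(input: &str, render: F) -> Result<String, String>
where
    F: FnOnce(&str, &mut String),
{
    let mut out = String::new();
    // AssertUnwindSafe is fine here: `out` is dropped on the error path, so
    // half-written HTML is never observed after a panic.
    let result = panic::catch_unwind(AssertUnwindSafe(|| render(input, &mut out)));
    match result {
        Ok(()) => Ok(out),
        Err(payload) => {
            // Panic payloads are normally `&'static str` or `String`.
            let msg = payload
                .downcast_ref::<&str>()
                .map(|s| s.to_string())
                .or_else(|| payload.downcast_ref::<String>().cloned())
                .unwrap_or_else(|| "non-string panic payload".to_string());
            Err(format!("renderer panicked: {msg}"))
        }
    }
}

/// Constructed stand-in, NOT pulldown-cmark: reproduces the failure class
/// (`Option::unwrap()` on `None`). The NUL trigger is arbitrary, for the demo.
fn standin_render(input: &str, out: &mut String) {
    let end: Option<usize> = if input.contains('\0') { None } else { Some(input.len()) };
    out.push_str("<p>");
    out.push_str(&input[..end.unwrap()]);
    out.push_str("</p>");
}

fn main() {
    // With the real crate the closure would be, per the PoC above:
    // |s, out| html::push_html(out, Parser::new_ext(s, options))
    for page in ["* [ ] fine", "* [ ] ~\0"] {
        match render_contained(page, standin_render) {
            Ok(html) => println!("rendered: {html}"),
            Err(e) => eprintln!("skipped page: {e}"),
        }
    }
}
```

The default panic hook still prints the panic message to stderr for each contained panic, so a batch build keeps a record of which inputs were skipped.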