shortcodeparser: fix panic on slash following opening shortcode comment

Fixes #1093

4 files changed, 38 insertions, 5 deletions

diff --git a/hugolib/page.go b/hugolib/page.go
index 6dfd3eea8..e53781b64 100644
--- a/hugolib/page.go
+++ b/hugolib/page.go
@@ -752,7 +752,7 @@ func (p *Page) ProcessShortcodes(t tpl.Template) {
 
 	// these short codes aren't used until after Page render,
 	// but processed here to avoid coupling
-	tmpContent, tmpContentShortCodes := extractAndRenderShortcodes(string(p.rawContent), p, t)
+	tmpContent, tmpContentShortCodes, _ := extractAndRenderShortcodes(string(p.rawContent), p, t)
 	p.rawContent = []byte(tmpContent)
 	p.contentShortCodes = tmpContentShortCodes
 
diff --git a/hugolib/shortcode.go b/hugolib/shortcode.go
index 722c86db0..2a973f99b 100644
--- a/hugolib/shortcode.go
+++ b/hugolib/shortcode.go
@@ -125,7 +125,11 @@ func (sc shortcode) String() string {
 // HandleShortcodes does all in  one go: extract, render and replace
 // only used for testing
 func HandleShortcodes(stringToParse string, page *Page, t tpl.Template) (string, error) {
-	tmpContent, tmpShortcodes := extractAndRenderShortcodes(stringToParse, page, t)
+	tmpContent, tmpShortcodes, err := extractAndRenderShortcodes(stringToParse, page, t)
+
+	if err != nil {
+		return "", err
+	}
 
 	if len(tmpShortcodes) > 0 {
 		tmpContentWithTokensReplaced, err := replaceShortcodeTokens([]byte(tmpContent), shortcodePlaceholderPrefix, true, tmpShortcodes)
@@ -236,7 +240,7 @@ func renderShortcode(sc shortcode, p *Page, t tpl.Template) string {
 	return renderShortcodeWithPage(tmpl, data)
 }
 
-func extractAndRenderShortcodes(stringToParse string, p *Page, t tpl.Template) (string, map[string]string) {
+func extractAndRenderShortcodes(stringToParse string, p *Page, t tpl.Template) (string, map[string]string, error) {
 
 	content, shortcodes, err := extractShortcodes(stringToParse, p, t)
 	renderedShortcodes := make(map[string]string)
@@ -255,7 +259,7 @@ func extractAndRenderShortcodes(stringToParse string, p *Page, t tpl.Template) (
 		}
 	}
 
-	return content, renderedShortcodes
+	return content, renderedShortcodes, err
 
 }
 
diff --git a/hugolib/shortcode_test.go b/hugolib/shortcode_test.go
index e583a5ce3..742a02ffe 100644
--- a/hugolib/shortcode_test.go
+++ b/hugolib/shortcode_test.go
@@ -31,6 +31,35 @@ func CheckShortCodeMatch(t *testing.T, input, expected string, template tpl.Temp
 	}
 }
 
+func TestShortcodeGoFuzzReports(t *testing.T) {
+	tem := tpl.New()
+
+	tem.AddInternalShortcode("sc.html", `foo`)
+	p, _ := pageFromString(SIMPLE_PAGE, "simple.md")
+
+	for i, this := range []struct {
+		data      string
+		expectErr bool
+	}{
+		{"{{</*/", true},
+	} {
+		output, err := HandleShortcodes(this.data, p, tem)
+
+		if this.expectErr && err == nil {
+			t.Errorf("[%d] should have errored", i)
+		}
+
+		if !this.expectErr && err != nil {
+			t.Errorf("[%d] should not have errored: %s", i, err)
+		}
+
+		if !this.expectErr && err == nil && len(output) == 0 {
+			t.Errorf("[%d] empty result", i)
+		}
+	}
+
+}
+
 func TestNonSC(t *testing.T) {
 	tem := tpl.New()
 	// notice the syntax diff from 0.12, now comment delims must be added
diff --git a/hugolib/shortcodeparser.go b/hugolib/shortcodeparser.go
index 5621a382f..2efebbe4b 100644
--- a/hugolib/shortcodeparser.go
+++ b/hugolib/shortcodeparser.go
@@ -325,7 +325,7 @@ func lexShortcodeLeftDelim(l *pagelexer) stateFunc {
 
 func lexShortcodeComment(l *pagelexer) stateFunc {
 	posRightComment := strings.Index(l.input[l.pos:], rightComment)
-	if posRightComment < 0 {
+	if posRightComment <= 1 {
 		return l.errorf("comment must be closed")
 	}
 	// we emit all as text, except the comment markers