From 4b3ebda0e78983682003e027a2da46d38f3ef76c Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Sat, 19 Feb 2022 15:25:31 +0000
Subject: [PATCH] Fix panic in EscapeReader (#18820)

There is a potential panic due to a mistaken resetting of the length parameter when
multibyte characters go over a read boundary.

Signed-off-by: Andrew Thornton <art27@cantab.net>
---
 modules/charset/escape.go      | 1 +
 modules/charset/escape_test.go | 9 +++++++++
 2 files changed, 10 insertions(+)

diff --git a/modules/charset/escape.go b/modules/charset/escape.go
index abe813b465a..d2e8fb0d870 100644
--- a/modules/charset/escape.go
+++ b/modules/charset/escape.go
@@ -74,6 +74,7 @@ readingloop:
 	for err == nil {
 		n, err = text.Read(buf[readStart:])
 		bs := buf[:n+readStart]
+		n = len(bs)
 		i := 0
 
 		for i < len(bs) {
diff --git a/modules/charset/escape_test.go b/modules/charset/escape_test.go
index dec92b49929..1804381413b 100644
--- a/modules/charset/escape_test.go
+++ b/modules/charset/escape_test.go
@@ -200,3 +200,12 @@ func TestEscapeControlReader(t *testing.T) {
 		})
 	}
 }
+
+func TestEscapeControlReader_panic(t *testing.T) {
+	bs := make([]byte, 0, 20479)
+	bs = append(bs, 'A')
+	for i := 0; i < 6826; i++ {
+		bs = append(bs, []byte("—")...)
+	}
+	_, _ = EscapeControlBytes(bs)
+}