From 9da164227d682ec31325b69a3fdd0278f00f9c8b Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Tue, 27 Jul 2021 20:15:21 +0100
Subject: [PATCH] [Fix] Fix overflow when appending many broken tags
---
 src/libserver/html/html.cxx | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/libserver/html/html.cxx b/src/libserver/html/html.cxx
index 9c96f2bb9..716d944ea 100644
--- a/src/libserver/html/html.cxx
+++ b/src/libserver/html/html.cxx
@@ -1082,8 +1082,8 @@ html_append_tag_content(rspamd_mempool_t *pool,
 tag->closing.end = tag->closing.start; } else {
- next_tag_offset = len;
- tag->closing.end = len;
+ next_tag_offset = tag->content_offset;
+ tag->closing.end = tag->content_offset;
 } } if (tag->closing.start == -1) {
@@ -1881,6 +1881,14 @@ html_process_input(rspamd_mempool_t *pool,
 } }
+ if (cur_tag && !(cur_tag->flags & FL_CLOSED) && cur_tag != &cur_closing_tag) {
+ cur_closing_tag.parent = cur_tag;
+ cur_closing_tag.id = cur_tag->id;
+ cur_tag = &cur_closing_tag;
+ html_check_balance(hc, cur_tag,
+ end - start, end - start);
+ }
+ /* Propagate styles */ hc->traverse_block_tags([&hc, &pool](const html_tag *tag) -> bool {
--
2.39.5
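Review bot: The rewritten else branch in html_append_tag_content has no comment saying why a tag with no following tag now ends at its own `tag->content_offset` instead of `len`, yet that choice appears to be the core of the fix. I would add above the two assignments something like `/* No closing tag found: give the tag an empty range instead of extending it to len */`, worded to match what the subject line describes. Nothing visible in the hunk checks that `tag->content_offset` itself lies within `len`. The function starts and ends outside the hunk, so that bound may already be enforced elsewhere; if it is not, a guard before these assignments would be worth adding.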
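Review bot: `cur_closing_tag` is reused for the synthetic close in html_process_input with only `parent` and `id` assigned, so any flags or offsets left in it by an earlier real closing tag reach `html_check_balance` unchanged. If the object is not reset elsewhere in the function (most of its body lies outside the hunk), clear the stale fields before the call or add a comment saying why they do not matter. The block also closes only the innermost open tag; whether still-open ancestors are balanced depends on `html_check_balance`, which is not shown. The diffstat lists only html.cxx, so a regression test that feeds input with many unclosed tags would help keep this overflow from returning.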