If they are, it strips them off and then returns the original message, m.
And I'll just note for completeness that the number zero bits is fixed and so
even if the message m, happens to end in a certain number of
zero bits those will not be striped off and thrown away.
The receiver knows exactly which bits are supposed to be stripped off and
which bits are part of the original message.
It turns that out that RSA-OAEP can be proven to be
secure against chosen ciphertext attacks under the RSA assumption if we're
willing to model our functions G and H as independent random oracles.
And this is now again the second time in the class when we're seeing this notion
of modeling hash functions as random oracles.
We didn't go into this formally but again think about it as viewing some hash
functions that are used to construct G and H as making G and H act as if, or
behave as it, they're completely random functions.