author | zeripath <art27@cantab.net> | 2021-02-18 01:32:14 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-02-18 02:32:14 +0100 |
commit | 7ab6c77b4120d96b3239f827da8b858f65c36863 (patch) | |
tree | 658af939da8845e75f422471bbbc2dd36455f4b3 | |
parent | ec06eb112c92d4c49248e69648df6f13e10dff18 (diff) | |
Remove NULs byte arrays passed to PostProcess (#14587)
PostProcess is supposed to be parsing and handling HTML
fragments, but on fuzzing it appears that there is a weird
issue with NUL elements that could cause a memory address
error in downstream libraries.
The simplest solution is to strip out the weird NULs - they
should not be there in any case and would be stripped out
anyway.
Signed-off-by: Andrew Thornton <art27@cantab.net>
-rw-r--r-- | modules/markup/html.go | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/modules/markup/html.go b/modules/markup/html.go
index 67aec7371c..2c2feb0b34 100644
--- a/modules/markup/html.go
+++ b/modules/markup/html.go
@@ -324,8 +324,30 @@ func (ctx *postProcessCtx) postProcess(rawHTML []byte) ([]byte, error) {
 
 // give a generous extra 50 bytes
 res := make([]byte, 0, len(rawHTML)+50)
+
+ // prepend "<html><body>"
 res = append(res, "<html><body>"...)
- res = append(res, rawHTML...)
+
+ // Strip out nuls - they're always invalid
+ start := bytes.IndexByte(rawHTML, '\000')
+ if start >= 0 {
+ res = append(res, rawHTML[:start]...)
+ start++
+ for start < len(rawHTML) {
+ end := bytes.IndexByte(rawHTML[start:], '\000')
+ if end < 0 {
+ res = append(res, rawHTML[start:]...)
+ break
+ } else if end > 0 {
+ res = append(res, rawHTML[start:start+end]...)
+ }
+ start += end + 1
+ }
+ } else {
+ res = append(res, rawHTML...)
+ }
+
+ // close the tags
 res = append(res, "</body></html>"...)
 
 // parse the HTML |
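Review bot: The NUL-stripping loop added to postProcess ships without a test (the diffstat lists only modules/markup/html.go), so the fuzz input that exposed the downstream fault is not pinned against regression. A table-driven case covering a leading NUL, a trailing NUL, consecutive NULs and an all-NUL input would exercise every branch of the `start`/`end` arithmetic. Dropping bytes also makes the text on either side of each NUL adjacent, so it is worth confirming that sanitization is applied to the output of this function rather than to `rawHTML` beforehand, which this hunk does not show. A comment above the loop such as `// NULs are dropped, not replaced: the bytes on either side become adjacent before parsing` would record that for the next maintainer. The body of postProcess starts before and continues after the hunk.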