summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorzeripath <art27@cantab.net>2021-02-18 01:32:14 +0000
committerGitHub <noreply@github.com>2021-02-18 02:32:14 +0100
commit7ab6c77b4120d96b3239f827da8b858f65c36863 (patch)
tree658af939da8845e75f422471bbbc2dd36455f4b3
parentec06eb112c92d4c49248e69648df6f13e10dff18 (diff)
downloadgitea-7ab6c77b4120d96b3239f827da8b858f65c36863.tar.gz
gitea-7ab6c77b4120d96b3239f827da8b858f65c36863.zip
Remove NULs byte arrays passed to PostProcess (#14587)
PostProcess is supposed to be parsing and handling HTML fragments, but on fuzzing it appears that there is a weird issue with NUL elements that could cause a memory address error in downstream libraries. The simplest solution is to strip out the weird NULs - they should not be there in any case and would be stripped out anyway. Signed-off-by: Andrew Thornton <art27@cantab.net>
-rw-r--r--modules/markup/html.go24
1 files changed, 23 insertions, 1 deletions
diff --git a/modules/markup/html.go b/modules/markup/html.go
index 67aec7371c..2c2feb0b34 100644
--- a/modules/markup/html.go
+++ b/modules/markup/html.go
@@ -324,8 +324,30 @@ func (ctx *postProcessCtx) postProcess(rawHTML []byte) ([]byte, error) {
// give a generous extra 50 bytes
res := make([]byte, 0, len(rawHTML)+50)
+
+ // prepend "<html><body>"
res = append(res, "<html><body>"...)
- res = append(res, rawHTML...)
+
+ // Strip out nuls - they're always invalid
+ start := bytes.IndexByte(rawHTML, '\000')
+ if start >= 0 {
+ res = append(res, rawHTML[:start]...)
+ start++
+ for start < len(rawHTML) {
+ end := bytes.IndexByte(rawHTML[start:], '\000')
+ if end < 0 {
+ res = append(res, rawHTML[start:]...)
+ break
+ } else if end > 0 {
+ res = append(res, rawHTML[start:start+end]...)
+ }
+ start += end + 1
+ }
+ } else {
+ res = append(res, rawHTML...)
+ }
+
+ // close the tags
res = append(res, "</body></html>"...)
// parse the HTML