forked from gitea/gitea
Remove NULs byte arrays passed to PostProcess (#14587)
PostProcess is supposed to be parsing and handling HTML fragments, but on fuzzing it appears that there is a weird issue with NUL elements that could cause a memory address error in downstream libraries. The simplest solution is to strip out the weird NULs - they should not be there in any case and would be stripped out anyway. Signed-off-by: Andrew Thornton <art27@cantab.net>
This commit is contained in:
parent
ec06eb112c
commit
7ab6c77b41
|
@ -324,8 +324,30 @@ func (ctx *postProcessCtx) postProcess(rawHTML []byte) ([]byte, error) {
|
||||||
|
|
||||||
// give a generous extra 50 bytes
|
// give a generous extra 50 bytes
|
||||||
res := make([]byte, 0, len(rawHTML)+50)
|
res := make([]byte, 0, len(rawHTML)+50)
|
||||||
|
|
||||||
|
// prepend "<html><body>"
|
||||||
res = append(res, "<html><body>"...)
|
res = append(res, "<html><body>"...)
|
||||||
res = append(res, rawHTML...)
|
|
||||||
|
// Strip out nuls - they're always invalid
|
||||||
|
start := bytes.IndexByte(rawHTML, '\000')
|
||||||
|
if start >= 0 {
|
||||||
|
res = append(res, rawHTML[:start]...)
|
||||||
|
start++
|
||||||
|
for start < len(rawHTML) {
|
||||||
|
end := bytes.IndexByte(rawHTML[start:], '\000')
|
||||||
|
if end < 0 {
|
||||||
|
res = append(res, rawHTML[start:]...)
|
||||||
|
break
|
||||||
|
} else if end > 0 {
|
||||||
|
res = append(res, rawHTML[start:start+end]...)
|
||||||
|
}
|
||||||
|
start += end + 1
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
res = append(res, rawHTML...)
|
||||||
|
}
|
||||||
|
|
||||||
|
// close the tags
|
||||||
res = append(res, "</body></html>"...)
|
res = append(res, "</body></html>"...)
|
||||||
|
|
||||||
// parse the HTML
|
// parse the HTML
|
||||||
|
|
Loading…
Reference in New Issue