From b661bbaed7eb31508f5caeebe25d7b379dafb629 Mon Sep 17 00:00:00 2001 From: Gusted Date: Mon, 8 Nov 2021 04:28:16 +0100 Subject: [PATCH] backport(1.15): make `ParsePatch` more robust (#17580) - Backport of https://github.com/go-gitea/gitea/pull/17573 --- services/gitdiff/gitdiff.go | 11 ++++++++++- services/gitdiff/gitdiff_test.go | 19 +++++++++++++++++++ 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/services/gitdiff/gitdiff.go b/services/gitdiff/gitdiff.go index 4be115f03013..0f58511d8943 100644 --- a/services/gitdiff/gitdiff.go +++ b/services/gitdiff/gitdiff.go @@ -831,7 +831,12 @@ parsingLoop: case strings.HasPrefix(line, "--- "): // Handle ambiguous filenames if curFile.IsAmbiguous { - if len(line) > 6 && line[4] == 'a' { + // The shortest string that can end up here is: + // "--- a\t\n" without the qoutes. + // This line has a len() of 7 but doesn't contain a oldName. + // So the amount that the line need is at least 8 or more. + // The code will otherwise panic for a out-of-bounds. + if len(line) > 7 && line[4] == 'a' { curFile.OldName = line[6 : len(line)-1] if line[len(line)-2] == '\t' { curFile.OldName = curFile.OldName[:len(curFile.OldName)-1] @@ -1186,6 +1191,10 @@ func readFileName(rd *strings.Reader) (string, bool) { _ = rd.UnreadByte() if char == '"' { fmt.Fscanf(rd, "%q ", &name) + if len(name) == 0 { + log.Error("Reader has no file name: %v", rd) + return "", true + } if name[0] == '\\' { name = name[1:] } diff --git a/services/gitdiff/gitdiff_test.go b/services/gitdiff/gitdiff_test.go index 6f8540ab5b12..c72fe776b2d3 100644 --- a/services/gitdiff/gitdiff_test.go +++ b/services/gitdiff/gitdiff_test.go @@ -539,3 +539,22 @@ func TestDiffToHTML_14231(t *testing.T) { assertEqual(t, expected, output) } + +func TestNoCrashes(t *testing.T) { + type testcase struct { + gitdiff string + } + + tests := []testcase{ + { + gitdiff: "diff --git \n--- a\t\n", + }, + { + gitdiff: "diff --git \"0\n", + }, + } + for _, testcase := range tests { + // It shouldn't crash, so don't care about the output. + ParsePatch(setting.Git.MaxGitDiffLines, setting.Git.MaxGitDiffLineCharacters, setting.Git.MaxGitDiffFiles, strings.NewReader(testcase.gitdiff)) + } +}