From 7ab6c77b4120d96b3239f827da8b858f65c36863 Mon Sep 17 00:00:00 2001 From: zeripath Date: Thu, 18 Feb 2021 01:32:14 +0000 Subject: [PATCH] Remove NULs byte arrays passed to PostProcess (#14587) PostProcess is supposed to be parsing and handling HTML fragments, but on fuzzing it appears that there is a weird issue with NUL elements that could cause a memory address error in downstream libraries. The simplest solution is to strip out the weird NULs - they should not be there in any case and would be stripped out anyway. Signed-off-by: Andrew Thornton --- modules/markup/html.go | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/modules/markup/html.go b/modules/markup/html.go index 67aec7371c..2c2feb0b34 100644 --- a/modules/markup/html.go +++ b/modules/markup/html.go @@ -324,8 +324,30 @@ func (ctx *postProcessCtx) postProcess(rawHTML []byte) ([]byte, error) { // give a generous extra 50 bytes res := make([]byte, 0, len(rawHTML)+50) + + // prepend "" res = append(res, ""...) - res = append(res, rawHTML...) + + // Strip out nuls - they're always invalid + start := bytes.IndexByte(rawHTML, '\000') + if start >= 0 { + res = append(res, rawHTML[:start]...) + start++ + for start < len(rawHTML) { + end := bytes.IndexByte(rawHTML[start:], '\000') + if end < 0 { + res = append(res, rawHTML[start:]...) + break + } else if end > 0 { + res = append(res, rawHTML[start:start+end]...) + } + start += end + 1 + } + } else { + res = append(res, rawHTML...) + } + + // close the tags res = append(res, ""...) // parse the HTML