From 7ab6c77b4120d96b3239f827da8b858f65c36863 Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Thu, 18 Feb 2021 01:32:14 +0000
Subject: [PATCH] Remove NULs byte arrays passed to PostProcess (#14587)

PostProcess is supposed to be parsing and handling HTML
fragments, but on fuzzing it appears that there is a weird
issue with NUL elements that could cause a memory address
error in downstream libraries.

The simplest solution is to strip out the weird NULs - they
should not be there in any case and would be stripped out
anyway.

Signed-off-by: Andrew Thornton <art27@cantab.net>
---
 modules/markup/html.go | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/modules/markup/html.go b/modules/markup/html.go
index 67aec7371c..2c2feb0b34 100644
--- a/modules/markup/html.go
+++ b/modules/markup/html.go
@@ -324,8 +324,30 @@ func (ctx *postProcessCtx) postProcess(rawHTML []byte) ([]byte, error) {
 
 	// give a generous extra 50 bytes
 	res := make([]byte, 0, len(rawHTML)+50)
+
+	// prepend "<html><body>"
 	res = append(res, "<html><body>"...)
-	res = append(res, rawHTML...)
+
+	// Strip out nuls - they're always invalid
+	start := bytes.IndexByte(rawHTML, '\000')
+	if start >= 0 {
+		res = append(res, rawHTML[:start]...)
+		start++
+		for start < len(rawHTML) {
+			end := bytes.IndexByte(rawHTML[start:], '\000')
+			if end < 0 {
+				res = append(res, rawHTML[start:]...)
+				break
+			} else if end > 0 {
+				res = append(res, rawHTML[start:start+end]...)
+			}
+			start += end + 1
+		}
+	} else {
+		res = append(res, rawHTML...)
+	}
+
+	// close the tags
 	res = append(res, "</body></html>"...)
 
 	// parse the HTML