Crash in html.go found from fuzzing #6446

New Issue

Closed

opened 2025-11-02 06:56:14 -06:00 by GiteaMirror · 3 comments

GiteaMirror commented 2025-11-02 06:56:14 -06:00

Owner

Copy Link

Originally created by @AdamKorcz on GitHub (Dec 3, 2020).

This is a bug report for a crash found with the PostProcess fuzzer from here.

The version of gitea is the the master branch downloaded with git clone https://github.com/go-gitea/gitea

Stacktrace:

goroutine 17 [running, locked to thread]:
code.gitea.io/gitea/modules/markup.shortLinkProcessorFull(0x10c001189f80, 0x10c000341500, 0x0)
        code.gitea.io/gitea/modules/markup/html.go:660 +0x25e5
code.gitea.io/gitea/modules/markup.shortLinkProcessor(0x10c001189f80, 0x10c000341500)
        code.gitea.io/gitea/modules/markup/html.go:607 +0x4b
code.gitea.io/gitea/modules/markup.(*postProcessCtx).textNode(0x10c001189f80, 0x10c000341500)
        code.gitea.io/gitea/modules/markup/html.go:440 +0x7d
code.gitea.io/gitea/modules/markup.(*postProcessCtx).visitNode(0x10c001189f80, 0x10c000341500, 0x7fe4b1d20101)
        code.gitea.io/gitea/modules/markup/html.go:380 +0x1525
code.gitea.io/gitea/modules/markup.(*postProcessCtx).visitNode(0x10c001189f80, 0x10c000341420, 0x1)
        code.gitea.io/gitea/modules/markup/html.go:430 +0x66c
code.gitea.io/gitea/modules/markup.(*postProcessCtx).visitNode(0x10c001189f80, 0x10c000341340, 0x1)
        code.gitea.io/gitea/modules/markup/html.go:430 +0x66c
code.gitea.io/gitea/modules/markup.(*postProcessCtx).postProcess(0x10c001189f80, 0x60800001bea0, 0x60, 0x60, 0x683286c0dcf93c66, 0x10c001edddd8, 0x56422f, 0x1725480, 0x10c0006a4360)
        code.gitea.io/gitea/modules/markup/html.go:341 +0x305
code.gitea.io/gitea/modules/markup.PostProcess(0x60800001bea0, 0x60, 0x60, 0xf1f147, 0x4, 0x10c000675f20, 0x0, 0x10c0001d2c59, 0x0, 0x56a394, ...)
        code.gitea.io/gitea/modules/markup/html.go:193 +0xdd
code.gitea.io/gitea/fuzz.Fuzz2(0x60800001bea0, 0x60, 0x60, 0x18)
        code.gitea.io/gitea/fuzz/fuzz.go:24 +0x12f
main.LLVMFuzzerTestOneInput(...)
        command-line-arguments/main.711778661.go:21
main._cgoexpwrap_441dadf043a3_LLVMFuzzerTestOneInput(0x60800001bea0, 0x60, 0x1e6d000)
        _cgo_gotypes.go:53 +0x5c
AddressSanitizer:DEADLYSIGNAL
=================================================================
==11==ERROR: AddressSanitizer: ABRT on unknown address 0x00000000000b (pc 0x0000005c1481 bp 0x10c001edcf90 sp 0x10c001edcf78 T0)
SCARINESS: 10 (signal)
    #0 0x5c1481 in runtime.raise runtime/sys_linux_amd64.s:165

DEDUP_TOKEN: runtime.raise
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT runtime/sys_linux_amd64.s:165 in runtime.raise
==11==ABORTING

Input buffer:

0x52,0xfe,0xff,0x0,0x0,0x44,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x5b,0x5b,0x30,0x5b,0x3a,0x3a,0x3a,0x3d,0x0,0x27,0x0,0x5d,0x5d,0x21,0x5d,0x3a,0x21,0x0,0xd1,0x82,0x0,0x44,0x1,0x0,0x0,0x0,0x6f,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x5b,0x5b,0x30,0x5b,0x3a,0x3a,0x3d,0x27,0x3a,0x8,0x0,0x0,0x0,0x80,0x5d,0x5d,0x5d,0x21,0x5d,0x3a,0x21,0x0,0xd1,0x82,0x0,0xcc,0x5b,0x3c,0x3c,0x5b,0x31,0x5b,0x7c,0x3c,0x3c,0x3a,0x3a,0x5b,0x5b,0xdf,0x0

or with ASCII characters:

R\xfe\xff\x00\x00D\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00[[0[:::=\x00'\x00]]!]:!\x00\xd1\x82\x00D\x01\x00\x00\x00o\x00\x00\x00\x00\x00\x00\x00\x00\x00[[0[::=':\x08\x00\x00\x00\x80]]]!]:!\x00\xd1\x82\x00\xcc[<<[1[|<<::[[\xdf\x00

Originally created by @AdamKorcz on GitHub (Dec 3, 2020). This is a bug report for a crash found with the PostProcess fuzzer from [here](https://github.com/go-gitea/gitea/pull/13818). The version of gitea is the the master branch downloaded with `git clone https://github.com/go-gitea/gitea` Stacktrace: ``` goroutine 17 [running, locked to thread]: code.gitea.io/gitea/modules/markup.shortLinkProcessorFull(0x10c001189f80, 0x10c000341500, 0x0) code.gitea.io/gitea/modules/markup/html.go:660 +0x25e5 code.gitea.io/gitea/modules/markup.shortLinkProcessor(0x10c001189f80, 0x10c000341500) code.gitea.io/gitea/modules/markup/html.go:607 +0x4b code.gitea.io/gitea/modules/markup.(*postProcessCtx).textNode(0x10c001189f80, 0x10c000341500) code.gitea.io/gitea/modules/markup/html.go:440 +0x7d code.gitea.io/gitea/modules/markup.(*postProcessCtx).visitNode(0x10c001189f80, 0x10c000341500, 0x7fe4b1d20101) code.gitea.io/gitea/modules/markup/html.go:380 +0x1525 code.gitea.io/gitea/modules/markup.(*postProcessCtx).visitNode(0x10c001189f80, 0x10c000341420, 0x1) code.gitea.io/gitea/modules/markup/html.go:430 +0x66c code.gitea.io/gitea/modules/markup.(*postProcessCtx).visitNode(0x10c001189f80, 0x10c000341340, 0x1) code.gitea.io/gitea/modules/markup/html.go:430 +0x66c code.gitea.io/gitea/modules/markup.(*postProcessCtx).postProcess(0x10c001189f80, 0x60800001bea0, 0x60, 0x60, 0x683286c0dcf93c66, 0x10c001edddd8, 0x56422f, 0x1725480, 0x10c0006a4360) code.gitea.io/gitea/modules/markup/html.go:341 +0x305 code.gitea.io/gitea/modules/markup.PostProcess(0x60800001bea0, 0x60, 0x60, 0xf1f147, 0x4, 0x10c000675f20, 0x0, 0x10c0001d2c59, 0x0, 0x56a394, ...) code.gitea.io/gitea/modules/markup/html.go:193 +0xdd code.gitea.io/gitea/fuzz.Fuzz2(0x60800001bea0, 0x60, 0x60, 0x18) code.gitea.io/gitea/fuzz/fuzz.go:24 +0x12f main.LLVMFuzzerTestOneInput(...) command-line-arguments/main.711778661.go:21 main._cgoexpwrap_441dadf043a3_LLVMFuzzerTestOneInput(0x60800001bea0, 0x60, 0x1e6d000) _cgo_gotypes.go:53 +0x5c AddressSanitizer:DEADLYSIGNAL ================================================================= ==11==ERROR: AddressSanitizer: ABRT on unknown address 0x00000000000b (pc 0x0000005c1481 bp 0x10c001edcf90 sp 0x10c001edcf78 T0) SCARINESS: 10 (signal) #0 0x5c1481 in runtime.raise runtime/sys_linux_amd64.s:165 DEDUP_TOKEN: runtime.raise AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: ABRT runtime/sys_linux_amd64.s:165 in runtime.raise ==11==ABORTING ``` Input buffer: ``` 0x52,0xfe,0xff,0x0,0x0,0x44,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x5b,0x5b,0x30,0x5b,0x3a,0x3a,0x3a,0x3d,0x0,0x27,0x0,0x5d,0x5d,0x21,0x5d,0x3a,0x21,0x0,0xd1,0x82,0x0,0x44,0x1,0x0,0x0,0x0,0x6f,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x5b,0x5b,0x30,0x5b,0x3a,0x3a,0x3d,0x27,0x3a,0x8,0x0,0x0,0x0,0x80,0x5d,0x5d,0x5d,0x21,0x5d,0x3a,0x21,0x0,0xd1,0x82,0x0,0xcc,0x5b,0x3c,0x3c,0x5b,0x31,0x5b,0x7c,0x3c,0x3c,0x3a,0x3a,0x5b,0x5b,0xdf,0x0 ``` or with ASCII characters: ``` R\xfe\xff\x00\x00D\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00[[0[:::=\x00'\x00]]!]:!\x00\xd1\x82\x00D\x01\x00\x00\x00o\x00\x00\x00\x00\x00\x00\x00\x00\x00[[0[::=':\x08\x00\x00\x00\x80]]]!]:!\x00\xd1\x82\x00\xcc[<<[1[|<<::[[\xdf\x00 ```

GiteaMirror added the type/bug label 2025-11-02 06:56:14 -06:00

GiteaMirror closed this issue 2025-11-02 06:56:14 -06:00

GiteaMirror commented 2025-11-02 06:56:15 -06:00

Author

Owner

Copy Link

@zeripath commented on GitHub (Dec 4, 2020):

So this causes a panic which should be caught and an error page shown.

Looking at the code:

c9effd5364/modules/markup/html.go (L658-L660)

To get a panic here the length of val at this point has to be only 1 and either equal to " or '.

Thus a much simpler reproducible error is:

[[a|b=']]

E.g. https://try.gitea.io/arandomer/pathological/raw/branch/master/Another.md

https://try.gitea.io/arandomer/pathological/src/branch/master/Another.md

Now it looks like as a result of the chi pr the panic catcher has been broken as that panic should have and would have been caught by macaron previously and hidden showing a 500...

@zeripath commented on GitHub (Dec 4, 2020): So this causes a panic which should be caught and an error page shown. Looking at the code: https://github.com/go-gitea/gitea/blob/c9effd5364caaed040f78b4298a34fbf98420fba/modules/markup/html.go#L658-L660 To get a panic here the length of val at this point has to be only 1 and either equal to " or '. Thus a much simpler reproducible error is: ``` [[a|b=']] ``` E.g. https://try.gitea.io/arandomer/pathological/raw/branch/master/Another.md https://try.gitea.io/arandomer/pathological/src/branch/master/Another.md Now it looks like as a result of the chi pr the panic catcher has been broken as that panic should have and would have been caught by macaron previously and hidden showing a 500...

GiteaMirror commented 2025-11-02 06:56:15 -06:00

Author

Owner

Copy Link

@zeripath commented on GitHub (Dec 4, 2020):

Lines 651-664 or simply 658 should probably just get a Len check on them - a similar panic would be possible with [[a|b="]]

@zeripath commented on GitHub (Dec 4, 2020): Lines 651-664 or simply 658 should probably just get a Len check on them - a similar panic would be possible with `[[a|b="]]`

GiteaMirror commented 2025-11-02 06:56:15 -06:00

Author

Owner

Copy Link

@zeripath commented on GitHub (Dec 4, 2020):

Mea culpa - I added this and totally missed that ' would pass both tests. A simple Len check would definitely prevent this and is likely to be the cheapest solution.

@zeripath commented on GitHub (Dec 4, 2020): Mea culpa - I added this and totally missed that `'` would pass both tests. A simple Len check would definitely prevent this and is likely to be the cheapest solution.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label type/bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#6446