fix unbounded memory consumption vulnerability (#111)
Co-authored-by: Helena Mariano <31138349+helenamariano@users.noreply.github.com>
helenamariano committed Jul 18, 2022
1 parent b19021a commit 42bcff6
Showing 5 changed files with 8 additions and 5 deletions.
2 changes: 1 addition & 1 deletion docx.go
@@ -40,7 +40,7 @@ func ConvertDocx(r io.Reader) (string, map[string]string, error) {
size = si.Size()
ra = f
} else {
b, err := ioutil.ReadAll(r)
b, err := ioutil.ReadAll(io.LimitReader(r, maxBytes))
if err != nil {
return "", nil, nil
}
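Review bot: The `io.LimitReader(r, maxBytes)` wrap in ConvertDocx truncates silently: `ioutil.ReadAll` treats the limit as a normal end of input and returns a nil error, so a document over the cap is passed on as a cut-off archive instead of being rejected as too large. Reading one byte past the cap with `io.LimitReader(r, maxBytes+1)` and returning an explicit error when `len(b) > maxBytes` would make the limit visible to callers; the same applies to the identical change in ConvertODT (odt.go) and ConvertPages (pages.go). Separately, the error branch just below still returns `"", nil, nil`, so a failed read is reported as success; `return "", nil, err` would match odt.go. The function body starts and ends outside the hunk, and the `else` here suggests another input path that this change may not cover.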
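--- a/limit.go
+++ b/limit.go
@@ -0,0 +1,3 @@
+package docconv
+
+const maxBytes = 20 << 20 // 20MB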
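Review bot: `maxBytes` has no doc comment, and the trailing `// 20MB` says nothing about what the value controls; `20 << 20` is 20 MiB, and it is the cap every converter touched by this commit applies to its input stream. A comment such as `// maxBytes is the most input, in bytes, that a converter reads from a stream (20 MiB).` would document the security intent. Because it is an unexported constant, callers that legitimately handle larger documents cannot raise it and callers that want a tighter bound cannot lower it; it is worth deciding whether that is intended.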
2 changes: 1 addition & 1 deletion odt.go
@@ -14,7 +14,7 @@ func ConvertODT(r io.Reader) (string, map[string]string, error) {
meta := make(map[string]string)
var textBody string

b, err := ioutil.ReadAll(r)
b, err := ioutil.ReadAll(io.LimitReader(r, maxBytes))
if err != nil {
return "", nil, err
}
2 changes: 1 addition & 1 deletion pages.go
@@ -21,7 +21,7 @@ func ConvertPages(r io.Reader) (string, map[string]string, error) {
meta := make(map[string]string)
var textBody string

b, err := ioutil.ReadAll(r)
b, err := ioutil.ReadAll(io.LimitReader(r, maxBytes))
if err != nil {
return "", nil, fmt.Errorf("error reading data: %v", err)
}
4 changes: 2 additions & 2 deletions xml.go
@@ -25,7 +25,7 @@ func ConvertXML(r io.Reader) (string, map[string]string, error) {
func XMLToText(r io.Reader, breaks []string, skip []string, strict bool) (string, error) {
var result string

dec := xml.NewDecoder(r)
dec := xml.NewDecoder(io.LimitReader(r, maxBytes))
dec.Strict = strict
for {
t, err := dec.Token()
@@ -76,7 +76,7 @@ func XMLToText(r io.Reader, breaks []string, skip []string, strict bool) (string
// XMLToMap converts XML to a nested string map.
func XMLToMap(r io.Reader) (map[string]string, error) {
m := make(map[string]string)
dec := xml.NewDecoder(r)
dec := xml.NewDecoder(io.LimitReader(r, maxBytes))
var tagName string
for {
t, err := dec.Token()
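Review bot: XMLToText and XMLToMap are exported, and after this change both stop reading `r` at maxBytes without telling the caller; neither doc comment mentions the cap. When the cap falls inside a document the decoder sees an early end of input, and whether that surfaces as an error or as shortened output depends on the handling of the `dec.Token()` error, which lies outside both hunks and should be checked. At minimum I would extend the comment to `// XMLToMap converts XML to a nested string map. It reads at most maxBytes from r.` and add the same sentence to XMLToText.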
