fix(input): sanitize incoming text against invalid UTF-8 (A3)#44
Open
Vadim1987 wants to merge 1 commit into
Open
fix(input): sanitize incoming text against invalid UTF-8 (A3)#44Vadim1987 wants to merge 1 commit into
Vadim1987 wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Invalid UTF-8 reaching the input model makes
string.ulenreturn nil, and the model does unguarded arithmetic on that in several places: a multi-line paste crashes at userInputModel.lua:120,set_textwith a string at :475, and with a table at :730 (ulen(...) + 1in each case). A single-line paste doesn't crash — it silently plants the invalid bytes intoentered, which is what makes the render loop bail out early every frame (see the companion draw-stack PR).The fix sanitizes text at the model's entry points (
add_text, both branches ofset_text): bytes that don't form valid UTF-8 are dropped, usingutf8.len's error position to cut them out. Invalid bytes can arrive through the clipboard (pastein userInputController) or through the project-facing input API. Sanitizing at the boundary keeps the invariant "entered never holds invalid bytes", which covers everyulenarithmetic site in the model at once — there are more of them than the three that crash today.One call worth surfacing: invalid bytes are dropped, not replaced with U+FFFD. A visible replacement character would land inside source code and produce a compile error that's hard to explain to a child, and rejecting the whole paste over one bad byte felt harsher than losing it. If visible markers are preferred, it's a one-line change in the sanitizer.
Companion to the draw-stack fix: with the boundary invariant in place, the view's nil-ulen branch becomes unreachable in practice; the other PR makes it safe even if reached.