1From f7ca0035d17a663f55668e662b840afce7b86112 Mon Sep 17 00:00:00 2001
2From: Christian Voegl <cvoegl@suse.com>
3Date: Wed, 27 Oct 2021 11:25:18 +0200
4Subject: [PATCH] In stamp always advance the pointer if *p= 0xef
5
6The current implementation only advanced if 0xef is followed
7by two non-zero bytes. In case of malformed input (0xef should be
8the start byte of a three byte character) this leads to an infinite
9loop. (CVE-2021-42260)
10
11[Retrieved (and backported) from:
12https://sourceforge.net/p/tinyxml/git/merge-requests/1]
13Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
14---
15 tinyxmlparser.cpp | 6 ++++++
16 1 file changed, 6 insertions(+)
17
18diff --git a/src/tinyxmlparser.cpp b/src/tinyxmlparser.cpp
19index 81b7eae..8aa0dfa 100755
20--- a/src/tinyxmlparser.cpp
21+++ b/src/tinyxmlparser.cpp
22@@ -274,6 +274,12 @@ void TiXmlParsingData::Stamp( const char* now, TiXmlEncoding encoding )
23 else
24 { p +=3; ++col; } // A normal character.
25 }
26+ else
27+ {
28+ // TIXML_UTF_LEAD_0 (239) is the start character of a 3 byte sequence, so
29+ // there is something wrong here. Just advance the pointer to evade infinite loops
30+ ++p;
31+ }
32 }
33 else
34 {
35--
362.34.1
37
38
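Review bot: The added recovery branch for a stray 0xef byte advances `p` but leaves `col` unchanged, while the neighbouring normal-character path does `{ p +=3; ++col; }`, so the malformed byte is consumed as if it had zero width and any column reported after it may be off by one. If that is not intended, `++p; ++col;` would keep the cursor consistent; if it is intended, the comment should say so. The comment could also name the exact condition, e.g. `// 0xef lead byte not followed by two non-zero bytes: skip it so the loop terminates`. Since this fixes a hang on malformed input (CVE-2021-42260), a regression test that parses a buffer ending right after a 0xef byte would guard against its return. Stamp's body starts and ends outside the hunk, so the enclosing condition is inferred from the commit message rather than read from the code.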