fix(tinyxml2): CVE-2024-50614/50615 - fix integer overflow in char refs

deepin-ci-robot · hudeng-go · deepin-ci-robot · commit 709bd6a72a45 · 2026-05-27T14:49:05.000+08:00
Fix integer overflow vulnerability in XML character reference parsing. The code could overflow when parsing large numeric character references. - Use uint32_t instead of unsigned long for UCS values - Add MAX_CODE_POINT check (0x10FFFF) to prevent overflow - Remove unnecessary assertion checks that don't prevent overflow Upstream: leethomason/tinyxml2@494735de30c9 Generated-By: glm-5.1 Co-Authored-By: hudeng <hudeng@deepin.org>
diff --git a/debian/patches/Fix-potential-overflow-in-char-refs-CVE-2024-50614-50615.patch b/debian/patches/Fix-potential-overflow-in-char-refs-CVE-2024-50614-50615.patch
@@ -1,75 +1,72 @@
-Index: tinyxml2/tinyxml2.cpp
-===================================================================
---- tinyxml2.orig/tinyxml2.cpp
-+++ tinyxml2/tinyxml2.cpp
-@@ -472,11 +472,11 @@ const char* XMLUtil::GetCharacterRef( co
-     // Presume an entity, and pull it out.
-     *length = 0;
- 
+--- a/tinyxml2.cpp
++++ b/tinyxml2.cpp
+@@ -471,12 +471,13 @@
+ {
+     // Presume an entity, and pull it out.
+     *length = 0;
 +    static const uint32_t MAX_CODE_POINT = 0x10FFFF;
-+
-     if ( *(p+1) == '#' && *(p+2) ) {
--        unsigned long ucs = 0;
--        TIXMLASSERT( sizeof( ucs ) >= 4 );
--        ptrdiff_t delta = 0;
--        unsigned mult = 1;
-+        uint32_t ucs = 0;
-+        uint32_t mult = 1;
-         static const char SEMICOLON = ';';
- 
-         if ( *(p+2) == 'x' ) {
-@@ -497,7 +497,7 @@ const char* XMLUtil::GetCharacterRef( co
-             --q;
- 
-             while ( *q != 'x' ) {
--                unsigned int digit = 0;
-+                uint32_t digit = 0;
- 
-                 if ( *q >= '0' && *q <= '9' ) {
-                     digit = *q - '0';
-@@ -512,11 +512,12 @@ const char* XMLUtil::GetCharacterRef( co
-                     return 0;
-                 }
-                 TIXMLASSERT( digit < 16 );
--                TIXMLASSERT( digit == 0 || mult <= UINT_MAX / digit );
--                const unsigned int digitScaled = mult * digit;
--                TIXMLASSERT( ucs <= ULONG_MAX - digitScaled );
-+                const uint32_t digitScaled = mult * digit;
-                 ucs += digitScaled;
--                TIXMLASSERT( mult <= UINT_MAX / 16 );
+ 
+     if ( *(p+1) == '#' && *(p+2) ) {
+-        unsigned long ucs = 0;
++        uint32_t ucs = 0;
+         TIXMLASSERT( sizeof( ucs ) >= 4 );
+         ptrdiff_t delta = 0;
+-        unsigned mult = 1;
++        uint32_t mult = 1;
+         static const char SEMICOLON = ';';
+ 
+         if ( *(p+2) == 'x' ) {
+@@ -497,7 +498,7 @@
+             --q;
+ 
+             while ( *q != 'x' ) {
+-                unsigned int digit = 0;
++                uint32_t digit = 0;
+ 
+                 if ( *q >= '0' && *q <= '9' ) {
+                     digit = *q - '0';
+@@ -512,11 +513,11 @@
+                     return 0;
+                 }
+                 TIXMLASSERT( digit < 16 );
+-                TIXMLASSERT( digit == 0 || mult <= UINT_MAX / digit );
+-                const unsigned int digitScaled = mult * digit;
+-                TIXMLASSERT( ucs <= ULONG_MAX - digitScaled );
++                const uint32_t digitScaled = mult * digit;
+                 ucs += digitScaled;
+-                TIXMLASSERT( mult <= UINT_MAX / 16 );
 +                if (ucs > MAX_CODE_POINT) {
 +                    return 0;
 +                }
-+
-                 mult *= 16;
-                 --q;
-             }
-@@ -540,22 +541,23 @@ const char* XMLUtil::GetCharacterRef( co
- 
-             while ( *q != '#' ) {
-                 if ( *q >= '0' && *q <= '9' ) {
--                    const unsigned int digit = *q - '0';
-+                    const uint32_t digit = *q - '0';
-                     TIXMLASSERT( digit < 10 );
--                    TIXMLASSERT( digit == 0 || mult <= UINT_MAX / digit );
--                    const unsigned int digitScaled = mult * digit;
--                    TIXMLASSERT( ucs <= ULONG_MAX - digitScaled );
-+                    const uint32_t digitScaled = mult * digit;
-                     ucs += digitScaled;
-+                    if (ucs > MAX_CODE_POINT) {
-+                        return 0;
-+                    }
-                 }
-                 else {
-                     return 0;
-                 }
--                TIXMLASSERT( mult <= UINT_MAX / 10 );
-                 mult *= 10;
-                 --q;
-             }
-         }
-         // convert the UCS to UTF-8
+                 mult *= 16;
+                 --q;
+             }
+@@ -540,22 +541,23 @@
+ 
+             while ( *q != '#' ) {
+                 if ( *q >= '0' && *q <= '9' ) {
+-                    const unsigned int digit = *q - '0';
++                    const uint32_t digit = *q - '0';
+                     TIXMLASSERT( digit < 10 );
+-                    TIXMLASSERT( digit == 0 || mult <= UINT_MAX / digit );
+-                    const unsigned int digitScaled = mult * digit;
+-                    TIXMLASSERT( ucs <= ULONG_MAX - digitScaled );
++                    const uint32_t digitScaled = mult * digit;
+                     ucs += digitScaled;
++                if (ucs > MAX_CODE_POINT) {
++                    return 0;
++                }
+                 }
+                 else {
+                     return 0;
+                 }
+-                TIXMLASSERT( mult <= UINT_MAX / 10 );
+                 mult *= 10;
+                 --q;
+             }
+         }
+         // convert the UCS to UTF-8
 +        TIXMLASSERT(ucs <= MAX_CODE_POINT);
-         ConvertUTF32ToUTF8( ucs, value, length );
-         return p + delta + 1;
-     }
+         ConvertUTF32ToUTF8( ucs, value, length );
+         return p + delta + 1;
+     }
