Skip to content

Commit d44449b

Browse files
deepin-ci-robothudeng-go
authored andcommitted
Fix potential overflow in char refs. - CVE-2024-50614: reachable assertion for UINT_MAX/16 in GetCharacterRef - CVE-2024-50615: reachable assertion for UINT_MAX/digit in GetCharacterRef Upstream: leethomason/tinyxml2@494735de30c9 Generated-By: glm-5.1 Co-Authored-By: hudeng <hudeng@deepin.org>
1 parent 1fe3d73 commit d44449b

3 files changed

Lines changed: 84 additions & 0 deletions

File tree

debian/changelog

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,11 @@
1+
tinyxml2 (9.0.0+dfsg-3deepin1) unstable; urgency=medium
2+
3+
* Fix potential overflow in char refs (CVE-2024-50614, CVE-2024-50615)
4+
- Patch from upstream commit 494735de30c9
5+
- Fixes reachable assertion in XMLUtil::GetCharacterRef
6+
7+
-- deepin-ci-robot <packages@deepin.org> Tue, 26 May 2026 23:30:00 +0800
8+
19
tinyxml2 (9.0.0+dfsg-3) unstable; urgency=medium
210

311
* [a6e98f0] Drop Provides/Conflicts libtinyxml2-8 (Closes: #992602)
Lines changed: 75 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,75 @@
1+
Index: tinyxml2/tinyxml2.cpp
2+
===================================================================
3+
--- tinyxml2.orig/tinyxml2.cpp
4+
+++ tinyxml2/tinyxml2.cpp
5+
@@ -472,11 +472,11 @@ const char* XMLUtil::GetCharacterRef( co
6+
// Presume an entity, and pull it out.
7+
*length = 0;
8+
9+
+ static const uint32_t MAX_CODE_POINT = 0x10FFFF;
10+
+
11+
if ( *(p+1) == '#' && *(p+2) ) {
12+
- unsigned long ucs = 0;
13+
- TIXMLASSERT( sizeof( ucs ) >= 4 );
14+
- ptrdiff_t delta = 0;
15+
- unsigned mult = 1;
16+
+ uint32_t ucs = 0;
17+
+ uint32_t mult = 1;
18+
static const char SEMICOLON = ';';
19+
20+
if ( *(p+2) == 'x' ) {
21+
@@ -497,7 +497,7 @@ const char* XMLUtil::GetCharacterRef( co
22+
--q;
23+
24+
while ( *q != 'x' ) {
25+
- unsigned int digit = 0;
26+
+ uint32_t digit = 0;
27+
28+
if ( *q >= '0' && *q <= '9' ) {
29+
digit = *q - '0';
30+
@@ -512,11 +512,12 @@ const char* XMLUtil::GetCharacterRef( co
31+
return 0;
32+
}
33+
TIXMLASSERT( digit < 16 );
34+
- TIXMLASSERT( digit == 0 || mult <= UINT_MAX / digit );
35+
- const unsigned int digitScaled = mult * digit;
36+
- TIXMLASSERT( ucs <= ULONG_MAX - digitScaled );
37+
+ const uint32_t digitScaled = mult * digit;
38+
ucs += digitScaled;
39+
- TIXMLASSERT( mult <= UINT_MAX / 16 );
40+
+ if (ucs > MAX_CODE_POINT) {
41+
+ return 0;
42+
+ }
43+
+
44+
mult *= 16;
45+
--q;
46+
}
47+
@@ -540,22 +541,23 @@ const char* XMLUtil::GetCharacterRef( co
48+
49+
while ( *q != '#' ) {
50+
if ( *q >= '0' && *q <= '9' ) {
51+
- const unsigned int digit = *q - '0';
52+
+ const uint32_t digit = *q - '0';
53+
TIXMLASSERT( digit < 10 );
54+
- TIXMLASSERT( digit == 0 || mult <= UINT_MAX / digit );
55+
- const unsigned int digitScaled = mult * digit;
56+
- TIXMLASSERT( ucs <= ULONG_MAX - digitScaled );
57+
+ const uint32_t digitScaled = mult * digit;
58+
ucs += digitScaled;
59+
+ if (ucs > MAX_CODE_POINT) {
60+
+ return 0;
61+
+ }
62+
}
63+
else {
64+
return 0;
65+
}
66+
- TIXMLASSERT( mult <= UINT_MAX / 10 );
67+
mult *= 10;
68+
--q;
69+
}
70+
}
71+
// convert the UCS to UTF-8
72+
+ TIXMLASSERT(ucs <= MAX_CODE_POINT);
73+
ConvertUTF32ToUTF8( ucs, value, length );
74+
return p + delta + 1;
75+
}

debian/patches/series

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1 +1,2 @@
11
Set-visibility-to-hidden-for-private-functions.patch
2+
Fix-potential-overflow-in-char-refs-CVE-2024-50614-50615.patch

0 commit comments

Comments
 (0)