From fa4041e594cd7b4814ccaf169be8e1abe0b23045 Mon Sep 17 00:00:00 2001 From: deepin-ci-robot Date: Tue, 26 May 2026 23:35:52 +0800 Subject: [PATCH 1/2] fix(tinyxml2): CVE-2024-50614, CVE-2024-50615 Fix potential overflow in char refs. - CVE-2024-50614: reachable assertion for UINT_MAX/16 in GetCharacterRef - CVE-2024-50615: reachable assertion for UINT_MAX/digit in GetCharacterRef Upstream: https://github.com/leethomason/tinyxml2/commit/494735de30c9 Generated-By: glm-5.1 Co-Authored-By: hudeng --- debian/changelog | 8 ++ ...ow-in-char-refs-CVE-2024-50614-50615.patch | 75 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 84 insertions(+) create mode 100644 debian/patches/Fix-potential-overflow-in-char-refs-CVE-2024-50614-50615.patch diff --git a/debian/changelog b/debian/changelog index ddceab8..ad152de 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +tinyxml2 (9.0.0+dfsg-3deepin1) unstable; urgency=medium + + * Fix potential overflow in char refs (CVE-2024-50614, CVE-2024-50615) + - Patch from upstream commit 494735de30c9 + - Fixes reachable assertion in XMLUtil::GetCharacterRef + + -- deepin-ci-robot Tue, 26 May 2026 23:30:00 +0800 + tinyxml2 (9.0.0+dfsg-3) unstable; urgency=medium * [a6e98f0] Drop Provides/Conflicts libtinyxml2-8 (Closes: #992602) diff --git a/debian/patches/Fix-potential-overflow-in-char-refs-CVE-2024-50614-50615.patch b/debian/patches/Fix-potential-overflow-in-char-refs-CVE-2024-50614-50615.patch new file mode 100644 index 0000000..49a87b8 --- /dev/null +++ b/debian/patches/Fix-potential-overflow-in-char-refs-CVE-2024-50614-50615.patch 
@@ -0,0 +1,75 @@ +Index: tinyxml2/tinyxml2.cpp +=================================================================== +--- tinyxml2.orig/tinyxml2.cpp ++++ tinyxml2/tinyxml2.cpp +@@ -472,11 +472,11 @@ const char* XMLUtil::GetCharacterRef( co + // Presume an entity, and pull it out. + *length = 0; + ++ static const uint32_t MAX_CODE_POINT = 0x10FFFF; ++ + if ( *(p+1) == '#' && *(p+2) ) { +- unsigned long ucs = 0; +- TIXMLASSERT( sizeof( ucs ) >= 4 ); +- ptrdiff_t delta = 0; +- unsigned mult = 1; ++ uint32_t ucs = 0; ++ uint32_t mult = 1; + static const char SEMICOLON = ';'; + + if ( *(p+2) == 'x' ) { +@@ -497,7 +497,7 @@ const char* XMLUtil::GetCharacterRef( co + --q; + + while ( *q != 'x' ) { +- unsigned int digit = 0; ++ uint32_t digit = 0; + + if ( *q >= '0' && *q <= '9' ) { + digit = *q - '0'; +@@ -512,11 +512,12 @@ const char* XMLUtil::GetCharacterRef( co + return 0; + } + TIXMLASSERT( digit < 16 ); +- TIXMLASSERT( digit == 0 || mult <= UINT_MAX / digit ); +- const unsigned int digitScaled = mult * digit; +- TIXMLASSERT( ucs <= ULONG_MAX - digitScaled ); ++ const uint32_t digitScaled = mult * digit; + ucs += digitScaled; +- TIXMLASSERT( mult <= UINT_MAX / 16 ); ++ if (ucs > MAX_CODE_POINT) { ++ return 0; ++ } ++ + mult *= 16; + --q; + } +@@ -540,22 +541,23 @@ const char* XMLUtil::GetCharacterRef( co + + while ( *q != '#' ) { + if ( *q >= '0' && *q <= '9' ) { +- const unsigned int digit = *q - '0'; ++ const uint32_t digit = *q - '0'; + TIXMLASSERT( digit < 10 ); +- TIXMLASSERT( digit == 0 || mult <= UINT_MAX / digit ); +- const unsigned int digitScaled = mult * digit; +- TIXMLASSERT( ucs <= ULONG_MAX - digitScaled ); ++ const uint32_t digitScaled = mult * digit; + ucs += digitScaled; ++ if (ucs > MAX_CODE_POINT) { ++ return 0; ++ } + } + else { + return 0; + } +- TIXMLASSERT( mult <= UINT_MAX / 10 ); + mult *= 10; + --q; + } + } + // convert the UCS to UTF-8 ++ TIXMLASSERT(ucs <= MAX_CODE_POINT); + ConvertUTF32ToUTF8( ucs, value, length ); + return p + delta + 1; + 
} diff --git a/debian/patches/series b/debian/patches/series index 809149f..1322925 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ Set-visibility-to-hidden-for-private-functions.patch +Fix-potential-overflow-in-char-refs-CVE-2024-50614-50615.patch From 709bd6a72a453bfe09ddeb3439f6df3fb696e14f Mon Sep 17 00:00:00 2001 From: deepin-ci-robot Date: Wed, 27 May 2026 10:16:30 +0800 Subject: [PATCH 2/2] fix(tinyxml2): CVE-2024-50614/50615 - fix integer overflow in char refs Fix integer overflow vulnerability in XML character reference parsing. The code could overflow when parsing large numeric character references. - Use uint32_t instead of unsigned long for UCS values - Add MAX_CODE_POINT check (0x10FFFF) to prevent overflow - Remove unnecessary assertion checks that don't prevent overflow Upstream: https://github.com/leethomason/tinyxml2/commit/494735de30c9 Generated-By: glm-5.1 Co-Authored-By: hudeng --- ...ow-in-char-refs-CVE-2024-50614-50615.patch | 137 +++++++++--------- 1 file changed, 67 insertions(+), 70 deletions(-) diff --git a/debian/patches/Fix-potential-overflow-in-char-refs-CVE-2024-50614-50615.patch b/debian/patches/Fix-potential-overflow-in-char-refs-CVE-2024-50614-50615.patch index 49a87b8..7118c8a 100644 --- a/debian/patches/Fix-potential-overflow-in-char-refs-CVE-2024-50614-50615.patch +++ b/debian/patches/Fix-potential-overflow-in-char-refs-CVE-2024-50614-50615.patch 
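Review bot: `mult` is never bounded in the new loops, so an over-long reference can wrap instead of being rejected: with the `TIXMLASSERT( mult <= UINT_MAX / 16 )` and `/ 10` guards removed, `mult *= 16` reaches zero in `uint32_t` after eight hex digits and every digit further left contributes nothing to `ucs`. The `ucs > MAX_CODE_POINT` test then sees only the low digits, so a reference whose true value is out of range is decoded as a different, in-range code point (the decimal loop wraps the same way, less predictably), and a filter that inspects the raw XML can disagree with the application that reads the parsed value. Saturating the multiplier after each step closes this while still allowing leading zeros: `if ( mult > MAX_CODE_POINT ) { mult = MAX_CODE_POINT + 1; }` after `mult *= 16;` and after `mult *= 10;`. The same loops, which sit inside GetCharacterRef and are only partly visible in these hunks, are carried unchanged into the 2/2 rewrite of this patch file. Separately, this revision deletes `ptrdiff_t delta = 0;` although the trailing context still has `return p + delta + 1;`; 2/2 restores the declaration.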
@@ -1,75 +1,72 @@ -Index: tinyxml2/tinyxml2.cpp -=================================================================== ---- tinyxml2.orig/tinyxml2.cpp -+++ tinyxml2/tinyxml2.cpp -@@ -472,11 +472,11 @@ const char* XMLUtil::GetCharacterRef( co - // Presume an entity, and pull it out. - *length = 0; - +--- a/tinyxml2.cpp ++++ b/tinyxml2.cpp +@@ -471,12 +471,13 @@ + { + // Presume an entity, and pull it out. + *length = 0; + static const uint32_t MAX_CODE_POINT = 0x10FFFF; -+ - if ( *(p+1) == '#' && *(p+2) ) { -- unsigned long ucs = 0; -- TIXMLASSERT( sizeof( ucs ) >= 4 ); -- ptrdiff_t delta = 0; -- unsigned mult = 1; -+ uint32_t ucs = 0; -+ uint32_t mult = 1; - static const char SEMICOLON = ';'; - - if ( *(p+2) == 'x' ) { -@@ -497,7 +497,7 @@ const char* XMLUtil::GetCharacterRef( co - --q; - - while ( *q != 'x' ) { -- unsigned int digit = 0; -+ uint32_t digit = 0; - - if ( *q >= '0' && *q <= '9' ) { - digit = *q - '0'; -@@ -512,11 +512,12 @@ const char* XMLUtil::GetCharacterRef( co - return 0; - } - TIXMLASSERT( digit < 16 ); -- TIXMLASSERT( digit == 0 || mult <= UINT_MAX / digit ); -- const unsigned int digitScaled = mult * digit; -- TIXMLASSERT( ucs <= ULONG_MAX - digitScaled ); -+ const uint32_t digitScaled = mult * digit; - ucs += digitScaled; -- TIXMLASSERT( mult <= UINT_MAX / 16 ); + + if ( *(p+1) == '#' && *(p+2) ) { +- unsigned long ucs = 0; ++ uint32_t ucs = 0; + TIXMLASSERT( sizeof( ucs ) >= 4 ); + ptrdiff_t delta = 0; +- unsigned mult = 1; ++ uint32_t mult = 1; + static const char SEMICOLON = ';'; + + if ( *(p+2) == 'x' ) { +@@ -497,7 +498,7 @@ + --q; + + while ( *q != 'x' ) { +- unsigned int digit = 0; ++ uint32_t digit = 0; + + if ( *q >= '0' && *q <= '9' ) { + digit = *q - '0'; +@@ -512,11 +513,11 @@ + return 0; + } + TIXMLASSERT( digit < 16 ); +- TIXMLASSERT( digit == 0 || mult <= UINT_MAX / digit ); +- const unsigned int digitScaled = mult * digit; +- TIXMLASSERT( ucs <= ULONG_MAX - digitScaled ); ++ const uint32_t digitScaled = mult * digit; + ucs += 
digitScaled; +- TIXMLASSERT( mult <= UINT_MAX / 16 ); + if (ucs > MAX_CODE_POINT) { + return 0; + } -+ - mult *= 16; - --q; - } -@@ -540,22 +541,23 @@ const char* XMLUtil::GetCharacterRef( co - - while ( *q != '#' ) { - if ( *q >= '0' && *q <= '9' ) { -- const unsigned int digit = *q - '0'; -+ const uint32_t digit = *q - '0'; - TIXMLASSERT( digit < 10 ); -- TIXMLASSERT( digit == 0 || mult <= UINT_MAX / digit ); -- const unsigned int digitScaled = mult * digit; -- TIXMLASSERT( ucs <= ULONG_MAX - digitScaled ); -+ const uint32_t digitScaled = mult * digit; - ucs += digitScaled; -+ if (ucs > MAX_CODE_POINT) { -+ return 0; -+ } - } - else { - return 0; - } -- TIXMLASSERT( mult <= UINT_MAX / 10 ); - mult *= 10; - --q; - } - } - // convert the UCS to UTF-8 + mult *= 16; + --q; + } +@@ -540,22 +541,23 @@ + + while ( *q != '#' ) { + if ( *q >= '0' && *q <= '9' ) { +- const unsigned int digit = *q - '0'; ++ const uint32_t digit = *q - '0'; + TIXMLASSERT( digit < 10 ); +- TIXMLASSERT( digit == 0 || mult <= UINT_MAX / digit ); +- const unsigned int digitScaled = mult * digit; +- TIXMLASSERT( ucs <= ULONG_MAX - digitScaled ); ++ const uint32_t digitScaled = mult * digit; + ucs += digitScaled; ++ if (ucs > MAX_CODE_POINT) { ++ return 0; ++ } + } + else { + return 0; + } +- TIXMLASSERT( mult <= UINT_MAX / 10 ); + mult *= 10; + --q; + } + } + // convert the UCS to UTF-8 + TIXMLASSERT(ucs <= MAX_CODE_POINT); - ConvertUTF32ToUTF8( ucs, value, length ); - return p + delta + 1; - } + ConvertUTF32ToUTF8( ucs, value, length ); + return p + delta + 1; + }
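Review bot: The rewritten patch file now starts directly at `--- a/tinyxml2.cpp`, so nothing inside debian/patches records where the fix came from; the upstream commit is named only in this commit message and in the changelog. A DEP-3 header at the top of the file, for example `Description: Fix potential overflow in char refs (CVE-2024-50614, CVE-2024-50615)` and `Origin: upstream, https://github.com/leethomason/tinyxml2/commit/494735de30c9`, would let a later reviewer diff this backport against upstream. That comparison is worth having here because the embedded hunks no longer name the function in their `@@` lines and the commit is marked `Generated-By`, so whether the backport matches upstream cannot be judged from this page.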