Import fix for CVE-2021-42260.
Felix Geyer
2 years ago
|
0 |
tinyxml (2.6.2-6) UNRELEASED; urgency=medium
|
|
1 |
|
|
2 |
* Import fix for CVE-2021-42260.
|
|
3 |
- Add CVE-2021-42260.patch
|
|
4 |
|
|
5 |
-- Felix Geyer <fgeyer@debian.org> Sun, 12 Dec 2021 23:49:05 +0100
|
|
6 |
|
0 | 7 |
tinyxml (2.6.2-5) unstable; urgency=medium
|
1 | 8 |
|
2 | 9 |
[ Felix Geyer ]
|
|
0 |
Description: In stamp always advance the pointer if *p= 0xef
|
|
1 |
.
|
|
2 |
The current implementation only advanced if 0xef is followed
|
|
3 |
by two non-zero bytes. In case of malformed input (0xef should be
|
|
4 |
the start byte of a three byte character) this leads to an infinite
|
|
5 |
loop. (CVE-2021-42260)
|
|
6 |
Origin: https://sourceforge.net/p/tinyxml/git/merge-requests/1/
|
|
7 |
|
|
8 |
--- a/tinyxmlparser.cpp
|
|
9 |
+++ b/tinyxmlparser.cpp
|
|
10 |
@@ -274,6 +274,12 @@ void TiXmlParsingData::Stamp( const char* now, TiXmlEncoding encoding )
|
|
11 |
else
|
|
12 |
{ p +=3; ++col; } // A normal character.
|
|
13 |
}
|
|
14 |
+ else
|
|
15 |
+ {
|
|
16 |
+ // TIXML_UTF_LEAD_0 (239) is the start character of a 3 byte sequence, so
|
|
17 |
+ // there is something wrong here. Just advance the pointer to evade infinite loops
|
|
18 |
+ ++p;
|
|
19 |
+ }
|
|
20 |
}
|
|
21 |
else
|
|
22 |
{
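Review bot: The added `else` branch advances `p` but leaves `col` untouched, whereas the normal-character branch just above it does `{ p +=3; ++col; }`. After a truncated 0xEF sequence, the column reported for later parse errors may therefore lag by one. If the stray lead byte should count as a character, use `++p; ++col;`. If skipping the column is deliberate, say so in the comment, e.g. `// Malformed lead byte: skip it without counting a column, so the loop always makes progress.` The condition guarding this branch and the rest of `Stamp()` lie outside the hunk, so the handling of the following byte cannot be confirmed from here. The patch also adds no regression test; one that parses input where 0xEF is not followed by two non-zero bytes and asserts that parsing terminates would pin the fix.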
|
0 | 0 |
enforce-use-stl.patch
|
1 | 1 |
entity-encoding.patch
|
|
2 |
CVE-2021-42260.patch
|