In stamp always advance the pointer if *p= 0xef
The current implementation only advanced if 0xef is followed
by two non-zero bytes. In case of malformed input (0xef should be
the start byte of a three byte character) this leads to an infinite
loop. (CVE-2021-42260)
Issue: FP3-A11#414
Change-Id: Iacb92be1ebf4488fef4ad07cc98ed9d16c118989
Upstream: https://sourceforge.net/u/cvoegl/tinyxml/ci/f7ca0035d17a663f55668e662b840afce7b86112
(cherry picked from commit f7ca0035d17a663f55668e662b840afce7b86112)
diff --git a/tinyxmlparser.cpp b/tinyxmlparser.cpp
index 9a77ebc..cfe4eb2 100644
--- a/tinyxmlparser.cpp
+++ b/tinyxmlparser.cpp
@@ -273,6 +273,12 @@
else
{ p +=3; ++col; } // A normal character.
}
+ else
+ {
+ // TIXML_UTF_LEAD_0 (239) is the start character of a 3 byte sequence, so
+ // there is something wrong here. Just advance the pointer to evade infinite loops
+ ++p;
+ }
}
else
{