In stamp always advance the pointer if *p= 0xef The current implementation only advanced if 0xef is followed by two non-zero bytes. In case of malformed input (0xef should be the start byte of a three byte character) this leads to an infinite loop. (CVE-2021-42260) Issue: FP3-A11#414 Change-Id: Iacb92be1ebf4488fef4ad07cc98ed9d16c118989 Upstream: https://sourceforge.net/u/cvoegl/tinyxml/ci/f7ca0035d17a663f55668e662b840afce7b86112 (cherry picked from commit f7ca0035d17a663f55668e662b840afce7b86112)

commit: a9fb107278a61630e324cff2352475b7a91bf78b [log] [tgz]
author: Christian Voegl <cvoegl@suse.com> Wed Oct 27 11:25:18 2021 +0200
committer: Karsten Tausche <karsten@fairphone.com> Thu Oct 06 15:28:43 2022 +0200
tree: 63edb5a4fa76aa82d246ae365f2963306e9cb134
parent: 7278db900043c3a17bc59e840bc9a6f0481afc2a [diff]
diff --git a/tinyxmlparser.cpp b/tinyxmlparser.cpp
index 9a77ebc..cfe4eb2 100644
--- a/tinyxmlparser.cpp
+++ b/tinyxmlparser.cpp

@@ -273,6 +273,12 @@
 						else
 							{ p +=3; ++col; }	// A normal character.
 					}
+					else
+					{
+						// TIXML_UTF_LEAD_0 (239) is the start character of a 3 byte sequence, so
+						// there is something wrong here. Just advance the pointer to evade infinite loops
+						++p;
+					}
 				}
 				else
 				{
commit	a9fb107278a61630e324cff2352475b7a91bf78b	[log] [tgz]
author	Christian Voegl <cvoegl@suse.com>	Wed Oct 27 11:25:18 2021 +0200
committer	Karsten Tausche <karsten@fairphone.com>	Thu Oct 06 15:28:43 2022 +0200
tree	63edb5a4fa76aa82d246ae365f2963306e9cb134
parent	7278db900043c3a17bc59e840bc9a6f0481afc2a [diff]