[MEDIUM] Patch tinyxml2 for CVE-2024-50615 (#13429)

archana25-ms · web-flow · commit 725438e02be6 · 2025-04-28T23:59:10.000+05:30
diff --git a/SPECS/tinyxml2/CVE-2024-50615.patch b/SPECS/tinyxml2/CVE-2024-50615.patch
@@ -0,0 +1,231 @@
+From 5be6d48c41d636826984605448dc8d4516f2b8ac Mon Sep 17 00:00:00 2001
+From: archana25-ms <v-shettigara@microsoft.com>
+Date: Wed, 16 Apr 2025 07:10:31 +0000
+Subject: [PATCH] Address CVE-2024-50615
+Upstream Patch Reference : 
+1. https://github.com/leethomason/tinyxml2/commit/494735de30c946bc7d684c65ff8ece05beeb232d
+2. https://github.com/leethomason/tinyxml2/commit/4cbb25155cde261ccf868efb8ae29ad0eebea4d1
+
+---
+ tinyxml2.cpp | 129 +++++++++++++++++++++++----------------------------
+ xmltest.cpp  |  31 ++++++++++++-
+ 2 files changed, 89 insertions(+), 71 deletions(-)
+
+diff --git a/tinyxml2.cpp b/tinyxml2.cpp
+index 9173467..b12112e 100755
+--- a/tinyxml2.cpp
++++ b/tinyxml2.cpp
+@@ -467,102 +467,91 @@ void XMLUtil::ConvertUTF32ToUTF8( unsigned long input, char* output, int* length
+ }
+ 
+ 
+-const char* XMLUtil::GetCharacterRef( const char* p, char* value, int* length )
++const char* XMLUtil::GetCharacterRef(const char* p, char* value, int* length)
+ {
+-    // Presume an entity, and pull it out.
++    // Assume an entity, and pull it out.
+     *length = 0;
+ 
++    static const uint32_t MAX_CODE_POINT = 0x10FFFF;
++
+     if ( *(p+1) == '#' && *(p+2) ) {
+-        unsigned long ucs = 0;
+-        TIXMLASSERT( sizeof( ucs ) >= 4 );
++        uint32_t ucs = 0;
+         ptrdiff_t delta = 0;
+-        unsigned mult = 1;
++        uint32_t mult = 1;
+         static const char SEMICOLON = ';';
+ 
+-        if ( *(p+2) == 'x' ) {
++        bool hex = false;
++        uint32_t radix = 10;
++        const char* q = 0;
++        char terminator = '#';
++
++        if (*(p + 2) == 'x') {
+             // Hexadecimal.
+-            const char* q = p+3;
+-            if ( !(*q) ) {
+-                return 0;
+-            }
++            hex = true;
++            radix = 16;
++            terminator = 'x';
+ 
+-            q = strchr( q, SEMICOLON );
++            q = p + 3;
++            q = p + 3;
++        }
++        else {
++            // Decimal.
++            q = p + 2;
++        }
++        if (!(*q)) {
++            return 0;
++        }
+ 
+-            if ( !q ) {
+-                return 0;
+-            }
+-            TIXMLASSERT( *q == SEMICOLON );
+ 
+-            delta = q-p;
+-            --q;
++        q = strchr(q, SEMICOLON);
++        if (!q) {
++            return 0;
++        }
++        TIXMLASSERT(*q == SEMICOLON);
++        delta = q - p;
++        --q;
+ 
+-            while ( *q != 'x' ) {
+-                unsigned int digit = 0;
++        while (*q != terminator) {
++            uint32_t digit = 0;
+ 
+-                if ( *q >= '0' && *q <= '9' ) {
+-                    digit = *q - '0';
+-                }
+-                else if ( *q >= 'a' && *q <= 'f' ) {
+-                    digit = *q - 'a' + 10;
+-                }
+-                else if ( *q >= 'A' && *q <= 'F' ) {
+-                    digit = *q - 'A' + 10;
+-                }
+-                else {
+-                    return 0;
+-                }
+-                TIXMLASSERT( digit < 16 );
+-                TIXMLASSERT( digit == 0 || mult <= UINT_MAX / digit );
+-                const unsigned int digitScaled = mult * digit;
+-                TIXMLASSERT( ucs <= ULONG_MAX - digitScaled );
+-                ucs += digitScaled;
+-                TIXMLASSERT( mult <= UINT_MAX / 16 );
+-                mult *= 16;
+-                --q;
++            if (*q >= '0' && *q <= '9') {
++                digit = *q - '0';
+             }
+-        }
+-        else {
+-            // Decimal.
+-            const char* q = p+2;
+-            if ( !(*q) ) {
+-                return 0;
++            else if (hex && (*q >= 'a' && *q <= 'f')) {
++                digit = *q - 'a' + 10;
+             }
+-
+-            q = strchr( q, SEMICOLON );
+-
+-            if ( !q ) {
++            else if (hex && (*q >= 'A' && *q <= 'F')) {
++                digit = *q - 'A' + 10;
++            }
++            else {
+                 return 0;
+             }
+-            TIXMLASSERT( *q == SEMICOLON );
++            TIXMLASSERT(digit < radix);
+ 
+-            delta = q-p;
+-            --q;
++            const unsigned int digitScaled = mult * digit;
++            ucs += digitScaled;
++            mult *= radix;       
+ 
+-            while ( *q != '#' ) {
+-                if ( *q >= '0' && *q <= '9' ) {
+-                    const unsigned int digit = *q - '0';
+-                    TIXMLASSERT( digit < 10 );
+-                    TIXMLASSERT( digit == 0 || mult <= UINT_MAX / digit );
+-                    const unsigned int digitScaled = mult * digit;
+-                    TIXMLASSERT( ucs <= ULONG_MAX - digitScaled );
+-                    ucs += digitScaled;
+-                }
+-                else {
+-                    return 0;
+-                }
+-                TIXMLASSERT( mult <= UINT_MAX / 10 );
+-                mult *= 10;
+-                --q;
++            // Security check: could a value exist that is out of range?
++            // Easily; limit to the MAX_CODE_POINT, which also allows for a
++            // bunch of leading zeroes.
++            if (mult > MAX_CODE_POINT) {
++                mult = MAX_CODE_POINT;
+             }
++            --q;
++        }
++        // Out of range:
++        if (ucs > MAX_CODE_POINT) {
++            return 0;
+         }
+         // convert the UCS to UTF-8
+-        ConvertUTF32ToUTF8( ucs, value, length );
++		TIXMLASSERT(ucs <= MAX_CODE_POINT);
++        ConvertUTF32ToUTF8(ucs, value, length);
+         return p + delta + 1;
+     }
+-    return p+1;
++    return p + 1;
+ }
+ 
+-
+ void XMLUtil::ToStr( int v, char* buffer, int bufferSize )
+ {
+     TIXML_SNPRINTF( buffer, bufferSize, "%d", v );
+diff --git a/xmltest.cpp b/xmltest.cpp
+index d5a1ce3..50afcbd 100755
+--- a/xmltest.cpp
++++ b/xmltest.cpp
+@@ -1642,7 +1642,7 @@ int main( int argc, const char ** argv )
+ 
+ 		static const char* result  = "\xef\xbb\xbf<?xml version=\"1.0\" encoding=\"UTF-8\"?>";
+ 		XMLTest( "BOM and default declaration", result, printer.CStr(), false );
+-		XMLTest( "CStrSize", 42, printer.CStrSize(), false );
++		XMLTest( "CStrSize", true, printer.CStrSize() == 42, false );
+ 	}
+ 	{
+ 		const char* xml = "<ipxml ws='1'><info bla=' /></ipxml>";
+@@ -2488,6 +2488,35 @@ int main( int argc, const char ** argv )
+     	doc.PrintError();
+     }
+ 
++	// ---------- CVE-2024-50615 -----------
++ 	{
++ 		const char* xml = "<Hello value='12&#65;34' value2='56&#x42;78'>Text</Hello>";
++ 		XMLDocument doc;
++ 		doc.Parse(xml);
++ 		const char* value = doc.FirstChildElement()->Attribute("value");
++ 		const char* value2 = doc.FirstChildElement()->Attribute("value2");
++ 		XMLTest("Test attribute encode", false, doc.Error());
++ 		XMLTest("Test decimal value", value, "12A34");
++ 		XMLTest("Test hex encode", value2, "56B78");
++ 	}
++
++ 	{
++ 		const char* xml = "<Hello value='&#ABC9000000065;' value2='&#xffffffff;' value3='&#5000000000;' value4='&#x00000045;' value5='&#x000000000000000021;'>Text</Hello>";
++ 		XMLDocument doc;
++ 		doc.Parse(xml);
++ 		const char* value = doc.FirstChildElement()->Attribute("value");
++ 		const char* value2 = doc.FirstChildElement()->Attribute("value2");
++ 		const char* value3 = doc.FirstChildElement()->Attribute("value3");
++ 		const char* value4 = doc.FirstChildElement()->Attribute("value4");
++ 		const char* value5 = doc.FirstChildElement()->Attribute("value5");
++ 		XMLTest("Test attribute encode", false, doc.Error());
++ 		XMLTest("Test attribute encode too long value", value, "&#ABC9000000065;"); // test long value
++ 		XMLTest("Test attribute encode out of unicode range", value2, "&#xffffffff;"); // out of unicode range
++ 		XMLTest("Test attribute encode out of int max value", value3, "&#5000000000;"); // out of int max value
++ 		XMLTest("Test attribute encode with a Hex value", value4, "E"); // hex value in unicode value
++ 		XMLTest("Test attribute encode with a Hex value", value5, "!"); // hex value in unicode value
++ 	}
++
+     // ----------- Performance tracking --------------
+ 	{
+ #if defined( _MSC_VER )
+-- 
+2.45.3
+
diff --git a/SPECS/tinyxml2/tinyxml2.spec b/SPECS/tinyxml2/tinyxml2.spec
@@ -1,12 +1,14 @@
 Summary:        Simple, small, efficient, C++ XML parser that can be easily integrated into other programs.
 Name:           tinyxml2
 Version:        9.0.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        zlib
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            https://github.com/leethomason/tinyxml2/
 Source0:        https://github.com/leethomason/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+# CVE-2024-50614 fixed along with CVE-2024-50615
+Patch1:         CVE-2024-50615.patch
 BuildRequires:  build-essential
 BuildRequires:  cmake
 
@@ -22,6 +24,8 @@ Development files for %{name}
 
 %prep
 %setup -q
+sed -i 's/\r$//' *.cpp
+%autopatch -p1
 
 %build
 mkdir build
@@ -48,6 +52,9 @@ make install DESTDIR=%{buildroot}
 %{_lib64dir}/pkgconfig/tinyxml2.pc
 
 %changelog
+* Wed Apr 16 2025 Archana Shettigar <v-shettigara@microsoft.com> - 9.0.0-2
+- Patch for CVE-2024-50615.
+
 * Wed Jan 05 2022 Neha Agarwal <nehaagarwal@microsoft.com> - 9.0.0-1
 - Update to version 9.0.0.
 
