1Description: In stamp always advance the pointer if *p= 0xef
2 .
3 The current implementation only advanced if 0xef is followed
4 by two non-zero bytes. In case of malformed input (0xef should be
5 the start byte of a three byte character) this leads to an infinite
6 loop. (CVE-2021-42260)
7Origin: https://sourceforge.net/p/tinyxml/git/merge-requests/1/
8
9CVE: CVE-2021-42260
10Upstream-Status: Inactive-Upstream [lastrelease: 2011]
11Signed-off-by: Peter Marko <peter.marko@siemens.com>
12
13--- a/tinyxmlparser.cpp
14+++ b/tinyxmlparser.cpp
15@@ -274,6 +274,12 @@ void TiXmlParsingData::Stamp( const char* now, TiXmlEncoding encoding )
16 else
17 { p +=3; ++col; } // A normal character.
18 }
19+ else
20+ {
21+ // TIXML_UTF_LEAD_0 (239) is the start character of a 3 byte sequence, so
22+ // there is something wrong here. Just advance the pointer to evade infinite loops
23+ ++p;
24+ }
25 }
26 else
27 {
28
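Review bot: The new `else` branch steps over a truncated 0xEF lead byte with `++p;` but leaves `col` untouched, so the malformed byte is counted as zero-width and column numbers reported later on that line can be off by one; if that is not deliberate, `++p; ++col;` would count it the way the "normal character" branch just above does. The comment could also state that this branch is reached when fewer than two non-zero bytes follow the lead byte, which is what the patch description gives as the trigger. A regression test that passes Stamp a buffer ending in 0xEF, and another with 0xEF followed by a single byte, would pin the termination guarantee for CVE-2021-42260. The enclosing `if` and the scanning loop of Stamp lie outside the hunk, so the exact guard condition is inferred from the description rather than read from the code.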