forked from pool/tinyxml2
53 lines
1.4 KiB
Diff
53 lines
1.4 KiB
Diff
From 04bbc06cd0d1fbbcebd91a8cd376a0d3c5b3cb27 Mon Sep 17 00:00:00 2001
|
|
From: Jan Engelhardt <jengelh@inai.de>
|
|
Date: Wed, 14 Aug 2024 15:19:05 +0200
|
|
Subject: [PATCH] Make DocPrinter support DynArrays larger than 2G
|
|
References: https://github.com/leethomason/tinyxml2/pull/993
|
|
|
|
If the DynArray within an XMLPrinter object carries 2 gigabytes of
|
|
data or more, XMLPrinter::CStrSize returns a truncated result. If a
|
|
program casts this back to size_t without thought, sign extension
|
|
leads to bad things(tm).
|
|
|
|
```c++
|
|
int main()
|
|
{
|
|
tinyxml2::XMLDocument doc;
|
|
doc.InsertEndChild(doc.NewDeclaration());
|
|
auto root = doc.NewElement("root");
|
|
size_t sz = 0x80000002;
|
|
auto blank = new char[sz];
|
|
memset(blank, ' ', sz);
|
|
blank[sz-1]='\0';
|
|
root->SetText(blank);
|
|
doc.InsertEndChild(root);
|
|
tinyxml2::XMLPrinter printer(nullptr);
|
|
doc.Print(&printer);
|
|
std::string_view sv{printer.CStr(), static_cast<size_t>(printer.CStrSize())};
|
|
// sv.size() is way too big, causing overflows on access
|
|
std::string dup(sv); // boom
|
|
}
|
|
```
|
|
|
|
Fixes: 2.0.2-873-geb3ab0d
|
|
---
|
|
tinyxml2.h | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/tinyxml2.h b/tinyxml2.h
|
|
index d5a3afd..cdd6880 100644
|
|
--- a/tinyxml2.h
|
|
+++ b/tinyxml2.h
|
|
@@ -2314,7 +2314,7 @@ public:
|
|
of the XML file in memory. (Note the size returned
|
|
includes the terminating null.)
|
|
*/
|
|
- int CStrSize() const {
|
|
+ size_t CStrSize() const {
|
|
return _buffer.Size();
|
|
}
|
|
/**
|
|
--
|
|
2.46.0
|
|
|