Reachable assertion 'mult <= UINT_MAX / 16' failed in tinyxml2::XMLUtil::GetCharacterRef #996
Comments
This got associated with CVE-2024-50614
It seems this issue cannot be reproduced with tinyxml2 version 6.0.0, does it?
I just tested it and 6.0.0 isn't affected by this issue.
Thanks!
I've analyzed this a little :) The assertion is caused by parsing very long entities (
What triggers assertion (but only in debug build) to prevent int overflow (in my opinion). If you want to minimise the risk of this UB, you can set
Hi, if the assertion is only triggered in debug mode, what happens when the code is compiled and running in non-debug mode? If the crash is avoided in non-debug mode, it seems that this could be a mitigation for the CVE, no?
Description
The latest version of tinyxml2 was discovered to contain a reachable assertion `'mult <= UINT_MAX / 16' failed` vulnerability in tinyxml2.cpp:519 tinyxml2::XMLUtil::GetCharacterRef() when parsing a specially crafted XML file. This vulnerability leads to a Denial of Service (DoS).
ASAN Log
Proof-of-Concept Files
poc
Reproduction
git clone https://github.com/leethomason/tinyxml2
cd tinyxml2
CC=clang CXX=clang++ meson setup build
CC=clang CXX=clang++ sudo ninja -C build install
./build/xmltest poc
Results
Environment
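A bounded decoder for numeric character references, given here as an added example (it is not tinyxml2's code and not from the issue): digits are accumulated left to right and any value above U+10FFFF is rejected, so an over-long reference becomes a parse error in every build type instead of a debug-only assertion. `DecodeCharRef` is a hypothetical name and the inputs in `main` are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Hypothetical helper (not tinyxml2 API): decode one numeric character
// reference such as "&#65;" or "&#x41;". Returns false on malformed or
// out-of-range input instead of asserting.
static bool DecodeCharRef(const std::string& s, uint32_t* out) {
    const uint32_t kMaxCodePoint = 0x10FFFF;  // highest Unicode code point
    if (s.size() < 4 || s[0] != '&' || s[1] != '#') return false;
    size_t i = 2;
    uint32_t base = 10;
    if (s[i] == 'x') { base = 16; ++i; }
    uint32_t value = 0;
    bool sawDigit = false;
    for (; i < s.size() && s[i] != ';'; ++i) {
        const char c = s[i];
        uint32_t digit;
        if (c >= '0' && c <= '9') digit = c - '0';
        else if (base == 16 && c >= 'a' && c <= 'f') digit = c - 'a' + 10;
        else if (base == 16 && c >= 'A' && c <= 'F') digit = c - 'A' + 10;
        else return false;  // not a digit in this base
        // value <= 0x10FFFF on entry, so value * base + digit fits in 32 bits.
        value = value * base + digit;
        if (value > kMaxCodePoint) return false;  // stop before it can grow
        sawDigit = true;
    }
    if (i >= s.size() || !sawDigit) return false;  // no ';' or no digits
    *out = value;
    return true;
}

int main() {
    // Constructed inputs: a normal reference, one padded with 64 leading
    // zeros (still valid), and one with 64 significant hex digits.
    const std::string cases[] = {
        "&#x41;",
        "&#x" + std::string(64, '0') + "41;",
        "&#x" + std::string(64, 'F') + ";",
    };
    for (const std::string& c : cases) {
        uint32_t cp = 0;
        const bool ok = DecodeCharRef(c, &cp);
        std::printf("%zu bytes -> %s (U+%04X)\n", c.size(),
                    ok ? "ok" : "rejected", static_cast<unsigned>(cp));
    }
    return 0;
}
```

Because the running value is checked after every digit, the amount of arithmetic state never depends on how many digits the input contains; leading zeros are accepted and long significant runs are rejected at the first digit that exceeds the limit.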