fix CVE-2023-34194

(cherry picked from commit f9f087fea40f146a0d5b23f2ad63a30eb5848443)

CVE-2023-34194.patch

@@ -0,0 +1,28 @@
+From: Guilhem Moulin <guilhem@debian.org>
+Date: Sat, 30 Dec 2023 14:15:54 +0100
+Subject: Avoid reachable assertion via crafted XML document with a '\0'
+ located after whitespace
+
+Bug: https://www.forescout.com/resources/sierra21-vulnerabilities
+Bug-Debian: https://bugs.debian.org/1059315
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-34194
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-40462
+---
+ tinyxmlparser.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tinyxmlparser.cpp b/tinyxmlparser.cpp
+index 8aa0dfa..1601962 100644
+--- a/tinyxmlparser.cpp
++++ b/tinyxmlparser.cpp
+@@ -1606,6 +1606,10 @@ const char* TiXmlDeclaration::Parse( const char* p, TiXmlParsingData* data, TiXm
+ 		}
+ 
+ 		p = SkipWhiteSpace( p, _encoding );
++		if ( !p || !*p )
++		{
++			break;
++		}
+ 		if ( StringEqual( p, "version", true, _encoding ) )
+ 		{
+ 			TiXmlAttribute attrib;

tinyxml.spec

@@ -1,12 +1,13 @@
 Name:           tinyxml
 Version:        2.6.2
-Release:        23
+Release:        24
 Summary:        C++ XML parser
 License:        zlib
 URL:            http://www.grinninglizard.com/tinyxml/
 Source0:        http://downloads.sourceforge.net/tinyxml/tinyxml_2_6_2.tar.gz
 Patch0001:      CVE-2021-42260.patch
 Patch0002:      2-fix-devel-package-error.patch
+Patch0003:      CVE-2023-34194.patch
 BuildRequires:  gcc-c++
 
 %description
@@ -65,6 +66,9 @@ mkdir -p %{buildroot}%{_libdir}/pkgconfig
 %{_libdir}/*.so
 
 %changelog
+* Tue Dec 24 2024 Jianmin <jianmin@iscas.ac.cn> - 2.6.2-24
+- fix CVE-2023-34194
+
 * Fri Apr 28 2023 will_niutao <huawei2@huawei.com> - 2.6.2-23
 - fix the devel package error