Description:
I am developing a static analysis engine called Lumos, based on the Z3 theorem prover. It flagged a potential security vulnerability in tinyxml2.h.
Location:
In DynArray<T, INITIAL_SIZE>::EnsureCapacity(size_t cap) (around line 450-470).
The Problem:
The code calculates the new allocation size as follows:

```cpp
const size_t newAllocated = cap * 2;
```
The safety of this operation is only guarded by:

```cpp
TIXMLASSERT( cap <= SIZE_MAX / 2 / sizeof(T));
```
Since TIXMLASSERT is removed in Release builds, there is no runtime protection. If cap is large enough (e.g., via a specially crafted XML), newAllocated will overflow, leading to:

- A very small memory allocation.
- A large memcpy operation into that small buffer:

```cpp
memcpy( newMem, _mem, sizeof(T) * _size );
```

This results in a Heap Buffer Overflow.
Suggested Fix:
Add a runtime check that persists in release builds:

```cpp
if (cap > SIZE_MAX / 2 / sizeof(T)) {
    // Return error or handle gracefully
}
```
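The check above, carried through into a minimal growable buffer, as an added example (not tinyxml2's own code): `safeDoubledCapacity`, `uncheckedAllocationBytes` and `SafeDynArray` are hypothetical names, and the rejection path simply returns false where the report says "return error or handle gracefully".

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>

// Computes the doubled element count EnsureCapacity wants, but refuses
// instead of wrapping when cap * 2 elements of elemSize bytes would not
// fit in size_t. Returns true and writes the count on success.
bool safeDoubledCapacity(size_t cap, size_t elemSize, size_t* newAllocated) {
    if (elemSize == 0 || cap > SIZE_MAX / 2 / elemSize) {
        return false;                  // would overflow: handle, do not assert
    }
    *newAllocated = cap * 2;           // cannot wrap after the check above
    return true;
}

// The unchecked arithmetic from the report, kept to show what the check
// prevents: the byte count silently wraps modulo 2^(bits in size_t).
size_t uncheckedAllocationBytes(size_t cap, size_t elemSize) {
    const size_t newAllocated = cap * 2;   // may wrap
    return newAllocated * elemSize;        // may wrap again
}

// Growable buffer mirroring DynArray::EnsureCapacity with the runtime
// check in place. On an unrepresentable capacity it returns false and
// leaves the existing buffer untouched.
template <class T>
struct SafeDynArray {
    T* mem = nullptr;
    size_t size = 0;
    size_t allocated = 0;

    bool ensureCapacity(size_t cap) {
        if (cap <= allocated) return true;
        size_t newAllocated = 0;
        if (!safeDoubledCapacity(cap, sizeof(T), &newAllocated)) return false;
        T* newMem = static_cast<T*>(std::malloc(newAllocated * sizeof(T)));
        if (!newMem) return false;
        if (mem) {
            // size <= allocated < newAllocated, so this copy fits the new block
            std::memcpy(newMem, mem, sizeof(T) * size);
            std::free(mem);
        }
        mem = newMem;
        allocated = newAllocated;
        return true;
    }
    ~SafeDynArray() { std::free(mem); }
};
```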