From 04bbc06cd0d1fbbcebd91a8cd376a0d3c5b3cb27 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@inai.de>
Date: Wed, 14 Aug 2024 15:19:05 +0200
Subject: [PATCH] Make DocPrinter support DynArrays larger than 2G

If the DynArray within an XMLPrinter object carries 2 gigabytes of
data or more, XMLPrinter::CStrSize returns a truncated result. If a
program casts this back to size_t without thought, sign extension
leads to bad things(tm).

```c++
int main()
{
	tinyxml2::XMLDocument doc;
	doc.InsertEndChild(doc.NewDeclaration());
	auto root = doc.NewElement("root");
	size_t sz = 0x80000002;
	auto blank = new char[sz];
	memset(blank, ' ', sz);
	blank[sz-1]='\0';
	root->SetText(blank);
	doc.InsertEndChild(root);
	tinyxml2::XMLPrinter printer(nullptr);
	doc.Print(&printer);
	std::string_view sv{printer.CStr(), static_cast<size_t>(printer.CStrSize())};
	// sv.size() is way too big, causing overflows on access
	std::string dup(sv); // boom
}
```

Fixes: 2.0.2-873-geb3ab0d
---
 tinyxml2.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tinyxml2.h b/tinyxml2.h
index d5a3afd8..cdd68805 100644
--- a/tinyxml2.h
+++ b/tinyxml2.h
@@ -2314,7 +2314,7 @@ class TINYXML2_LIB XMLPrinter : public XMLVisitor
     	of the XML file in memory. (Note the size returned
     	includes the terminating null.)
     */
-    int CStrSize() const {
+    size_t CStrSize() const {
         return _buffer.Size();
     }
     /**