From e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Fri, 7 Apr 2023 11:46:35 +0200 Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType Fix a null pointer dereference when parsing (invalid) XML schemas. Thanks to Robby Simpson for the report! Fixes #491. Reference:https://github.com/GNOME/libxml2/commit/e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68 Conflict:NA --- result/schemas/issue491_0_0.err | 1 + test/schemas/issue491_0.xml | 1 + test/schemas/issue491_0.xsd | 18 ++++++++++++++++++ xmlschemas.c | 2 +- 4 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 result/schemas/issue491_0_0.err create mode 100644 test/schemas/issue491_0.xml create mode 100644 test/schemas/issue491_0.xsd diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err new file mode 100644 index 0000000..9b2bb96 --- /dev/null +++ b/result/schemas/issue491_0_0.err @@ -0,0 +1 @@ +./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'. diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml new file mode 100644 index 0000000..e2b2fc2 --- /dev/null +++ b/test/schemas/issue491_0.xml @@ -0,0 +1 @@ +5 diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd new file mode 100644 index 0000000..8170264 --- /dev/null +++ b/test/schemas/issue491_0.xsd @@ -0,0 +1,18 @@ + + + + + + + + + + + + + + + + + + diff --git a/xmlschemas.c b/xmlschemas.c index 4dbee37..7199d23 100644 --- a/xmlschemas.c +++ b/xmlschemas.c @@ -18640,7 +18640,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt, "allowed to appear inside other model groups", NULL, NULL); - } else if (! dummySequence) { + } else if ((!dummySequence) && (baseType->subtypes != NULL)) { xmlSchemaTreeItemPtr effectiveContent = (xmlSchemaTreeItemPtr) type->subtypes; /* -- 2.27.0