1From e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Fri, 7 Apr 2023 11:46:35 +0200
4Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
5
6Fix a null pointer dereference when parsing (invalid) XML schemas.
7
8Thanks to Robby Simpson for the report!
9
10Fixes #491.
11
12Reference:https://github.com/GNOME/libxml2/commit/e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68
13Conflict:NA
14
15---
16 result/schemas/issue491_0_0.err |  1 +
17 test/schemas/issue491_0.xml     |  1 +
18 test/schemas/issue491_0.xsd     | 18 ++++++++++++++++++
19 xmlschemas.c                    |  2 +-
20 4 files changed, 21 insertions(+), 1 deletion(-)
21 create mode 100644 result/schemas/issue491_0_0.err
22 create mode 100644 test/schemas/issue491_0.xml
23 create mode 100644 test/schemas/issue491_0.xsd
24
25diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
26new file mode 100644
27index 0000000..9b2bb96
28--- /dev/null
29+++ b/result/schemas/issue491_0_0.err
30@@ -0,0 +1 @@
31+./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.
32diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
33new file mode 100644
34index 0000000..e2b2fc2
35--- /dev/null
36+++ b/test/schemas/issue491_0.xml
37@@ -0,0 +1 @@
38+<Child xmlns="http://www.test.com">5</Child>
39diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
40new file mode 100644
41index 0000000..8170264
42--- /dev/null
43+++ b/test/schemas/issue491_0.xsd
44@@ -0,0 +1,18 @@
45+<?xml version='1.0' encoding='UTF-8'?>
46+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified">
47+  <xs:complexType name="BaseType">
48+    <xs:simpleContent>
49+      <xs:extension base="xs:int" />
50+    </xs:simpleContent>
51+  </xs:complexType>
52+  <xs:complexType name="ChildType">
53+    <xs:complexContent>
54+      <xs:extension base="BaseType">
55+        <xs:sequence>
56+          <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/>
57+        </xs:sequence>
58+      </xs:extension>
59+    </xs:complexContent>
60+  </xs:complexType>
61+  <xs:element name="Child" type="ChildType" />
62+</xs:schema>
63diff --git a/xmlschemas.c b/xmlschemas.c
64index 4dbee37..7199d23 100644
65--- a/xmlschemas.c
66+++ b/xmlschemas.c
67@@ -18640,7 +18640,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
68 			"allowed to appear inside other model groups",
69 			NULL, NULL);
70
71-		} else if (! dummySequence) {
72+		} else if ((!dummySequence) && (baseType->subtypes != NULL)) {
73 		    xmlSchemaTreeItemPtr effectiveContent =
74 			(xmlSchemaTreeItemPtr) type->subtypes;
75 		    /*
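Review bot: The added `baseType->subtypes != NULL` guard on the `else if` carries no comment saying why a base type can lack a particle at this point, so the next reader will not know it covers a base type with simple content — the patch's own test schema extends `BaseType`, which is a `simpleContent` extension of `xs:int`. A short comment above the condition would make the intent durable, e.g. `/* A base type with simple content has no particle (subtypes == NULL); the content-type mismatch is reported by the later check, cf. issue491_0_0.err */`. Whether the now-skipped branch lands on a path that reports the error rather than continuing with an inconsistent type is not visible in the hunk; the expected `.err` output added in the same patch suggests the content-type check does catch it. xmlSchemaFixupComplexType starts before this hunk and its body continues past it.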
76--
772.27.0