From 1d4f5d24ac3976012ab1f5b811385e7b00caaecf Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 13 Sep 2022 16:40:31 +0200
Subject: [PATCH] schemas: Fix null-pointer-deref in
 xmlSchemaCheckCOSSTDerivedOK

Found by OSS-Fuzz.

Reference:https://github.com/GNOME/libxml2/commit/1d4f5d24ac3976012ab1f5b811385e7b00caaecf
Conflict:NA

---
 result/schemas/oss-fuzz-51295_0_0.err | 2 ++
 test/schemas/oss-fuzz-51295_0.xml | 1 +
 test/schemas/oss-fuzz-51295_0.xsd | 4 ++++
 xmlschemas.c | 15 +++++++++++++--
 4 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 result/schemas/oss-fuzz-51295_0_0.err
 create mode 100644 test/schemas/oss-fuzz-51295_0.xml
 create mode 100644 test/schemas/oss-fuzz-51295_0.xsd

diff --git a/result/schemas/oss-fuzz-51295_0_0.err b/result/schemas/oss-fuzz-51295_0_0.err
new file mode 100644
index 00000000..1e89524f
--- /dev/null
+++ b/result/schemas/oss-fuzz-51295_0_0.err
@@ -0,0 +1,2 @@
+./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
+./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
diff --git a/test/schemas/oss-fuzz-51295_0.xml b/test/schemas/oss-fuzz-51295_0.xml
new file mode 100644
index 00000000..10a7e703
--- /dev/null
+++ b/test/schemas/oss-fuzz-51295_0.xml
@@ -0,0 +1 @@
+<e/>
diff --git a/test/schemas/oss-fuzz-51295_0.xsd b/test/schemas/oss-fuzz-51295_0.xsd
new file mode 100644
index 00000000..fde96af5
--- /dev/null
+++ b/test/schemas/oss-fuzz-51295_0.xsd
@@ -0,0 +1,4 @@
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
+ <xs:element name="e" substitutionGroup="e"/>
+ <xs:element name="t" substitutionGroup="e" type='xs:decimal'/>
+</xs:schema>
diff --git a/xmlschemas.c b/xmlschemas.c
index ade10f78..de6ea2b0 100644
--- a/xmlschemas.c
+++ b/xmlschemas.c
@@ -13348,8 +13348,19 @@ xmlSchemaResolveElementReferences(xmlSchemaElementPtr elemDecl,
 * declaration `resolved` to by the `actual value`
 * of the substitutionGroup [attribute], if present"
 */
- if (elemDecl->subtypes == NULL)
- elemDecl->subtypes = substHead->subtypes;
+ if (elemDecl->subtypes == NULL) {
+ if (substHead->subtypes == NULL) {
+ /*
+ * This can happen with self-referencing substitution
+ * groups. The cycle will be detected later, but we have
+ * to set subtypes to avoid null-pointer dereferences.
+ */
+ elemDecl->subtypes = xmlSchemaGetBuiltInType(
+ XML_SCHEMAS_ANYTYPE);
+ } else {
+ elemDecl->subtypes = substHead->subtypes;
+ }
+ }
 }
 }
 /*
-- 
2.27.0


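Review bot: The fallback behind the new `if (substHead->subtypes == NULL)` branch is broader than the comment above it claims: it fires for any head whose subtypes is still NULL when elemDecl is processed, not only for self-referencing groups. If element references are resolved in declaration order rather than head-first, a legitimate non-cyclic chain whose head is resolved later would silently receive anyType here instead of the head's eventual type, which is a more permissive type than the schema declares; worth confirming heads are always resolved first, or widening the comment to `/* This can happen when the head's type has not been resolved yet, e.g. with self-referencing substitution groups. ... */` so the next reader does not assume the branch is cycle-only. The subject names xmlSchemaCheckCOSSTDerivedOK as the crash site, yet the fix is applied at this one producer; if any other path can leave elemDecl->subtypes NULL, a NULL check in that consumer would be the sturdier guard. xmlSchemaResolveElementReferences begins and ends outside the hunk.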