diff options
| author | Nick Wellnhofer <wellnhofer@aevum.de> | 2023-04-07 11:46:35 +0200 |
|---|---|---|
| committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2023-04-11 13:13:42 +0200 |
| commit | 647e072ea0a2f12687fa05c172f4c4713fdb0c4f (patch) | |
| tree | 30d8f1f871718ffb74ccb4b8ad060e38970dcbda | |
| parent | 2a1ecb18029532bfb608594e2a80f05c6488edb6 (diff) | |
| download | libxml2-647e072ea0a2f12687fa05c172f4c4713fdb0c4f.tar.gz | |
[CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
Fix a null pointer dereference when parsing (invalid) XML schemas.
Thanks to Robby Simpson for the report!
Fixes #491.
| -rw-r--r-- | result/schemas/issue491_0_0.err | 1 | ||||
| -rw-r--r-- | test/schemas/issue491_0.xml | 1 | ||||
| -rw-r--r-- | test/schemas/issue491_0.xsd | 18 | ||||
| -rw-r--r-- | xmlschemas.c | 2 |
4 files changed, 21 insertions, 1 deletions
diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err new file mode 100644 index 00000000..9b2bb969 --- /dev/null +++ b/result/schemas/issue491_0_0.err @@ -0,0 +1 @@ +./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'. diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml new file mode 100644 index 00000000..e2b2fc2e --- /dev/null +++ b/test/schemas/issue491_0.xml @@ -0,0 +1 @@ +<Child xmlns="http://www.test.com">5</Child> diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd new file mode 100644 index 00000000..81702649 --- /dev/null +++ b/test/schemas/issue491_0.xsd @@ -0,0 +1,18 @@ +<?xml version='1.0' encoding='UTF-8'?> +<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified"> + <xs:complexType name="BaseType"> + <xs:simpleContent> + <xs:extension base="xs:int" /> + </xs:simpleContent> + </xs:complexType> + <xs:complexType name="ChildType"> + <xs:complexContent> + <xs:extension base="BaseType"> + <xs:sequence> + <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/> + </xs:sequence> + </xs:extension> + </xs:complexContent> + </xs:complexType> + <xs:element name="Child" type="ChildType" /> +</xs:schema> diff --git a/xmlschemas.c b/xmlschemas.c index 152b7c3f..eec24a95 100644 --- a/xmlschemas.c +++ b/xmlschemas.c @@ -18619,7 +18619,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt, "allowed to appear inside other model groups", NULL, NULL); - } else if (! dummySequence) { + } else if ((!dummySequence) && (baseType->subtypes != NULL)) { xmlSchemaTreeItemPtr effectiveContent = (xmlSchemaTreeItemPtr) type->subtypes; /* |