From 647e072ea0a2f12687fa05c172f4c4713fdb0c4f Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Fri, 7 Apr 2023 11:46:35 +0200 Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType Fix a null pointer dereference when parsing (invalid) XML schemas. Thanks to Robby Simpson for the report! Fixes #491. --- result/schemas/issue491_0_0.err | 1 + test/schemas/issue491_0.xml | 1 + test/schemas/issue491_0.xsd | 18 ++++++++++++++++++ xmlschemas.c | 2 +- 4 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 result/schemas/issue491_0_0.err create mode 100644 test/schemas/issue491_0.xml create mode 100644 test/schemas/issue491_0.xsd diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err new file mode 100644 index 00000000..9b2bb969 --- /dev/null +++ b/result/schemas/issue491_0_0.err @@ -0,0 +1 @@ +./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'. diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml new file mode 100644 index 00000000..e2b2fc2e --- /dev/null +++ b/test/schemas/issue491_0.xml @@ -0,0 +1 @@ +5 diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd new file mode 100644 index 00000000..81702649 --- /dev/null +++ b/test/schemas/issue491_0.xsd @@ -0,0 +1,18 @@ + + + + + + + + + + + + + + + + + + diff --git a/xmlschemas.c b/xmlschemas.c index 152b7c3f..eec24a95 100644 --- a/xmlschemas.c +++ b/xmlschemas.c @@ -18619,7 +18619,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt, "allowed to appear inside other model groups", NULL, NULL); - } else if (! dummySequence) { + } else if ((!dummySequence) && (baseType->subtypes != NULL)) { xmlSchemaTreeItemPtr effectiveContent = (xmlSchemaTreeItemPtr) type->subtypes; /* -- GitLab