From 647e072ea0a2f12687fa05c172f4c4713fdb0c4f Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 7 Apr 2023 11:46:35 +0200
Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
Fix a null pointer dereference when parsing (invalid) XML schemas.
Thanks to Robby Simpson for the report!
Fixes #491.
---
result/schemas/issue491_0_0.err | 1 +
test/schemas/issue491_0.xml | 1 +
test/schemas/issue491_0.xsd | 18 ++++++++++++++++++
xmlschemas.c | 2 +-
4 files changed, 21 insertions(+), 1 deletion(-)
create mode 100644 result/schemas/issue491_0_0.err
create mode 100644 test/schemas/issue491_0.xml
create mode 100644 test/schemas/issue491_0.xsd
diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
|
|
new file mode 100644
|
|
index 00000000..9b2bb969
|
|
--- /dev/null
|
|
+++ b/result/schemas/issue491_0_0.err
|
|
@@ -0,0 +1 @@
|
|
+./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.
|
|
diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
|
|
new file mode 100644
|
|
index 00000000..e2b2fc2e
|
|
--- /dev/null
|
|
+++ b/test/schemas/issue491_0.xml
|
|
@@ -0,0 +1 @@
|
|
+<Child xmlns="http://www.test.com">5</Child>
|
|
diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
|
|
new file mode 100644
|
|
index 00000000..81702649
|
|
--- /dev/null
|
|
+++ b/test/schemas/issue491_0.xsd
|
|
@@ -0,0 +1,18 @@
|
|
+<?xml version='1.0' encoding='UTF-8'?>
|
|
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified">
|
|
+ <xs:complexType name="BaseType">
|
|
+ <xs:simpleContent>
|
|
+ <xs:extension base="xs:int" />
|
|
+ </xs:simpleContent>
|
|
+ </xs:complexType>
|
|
+ <xs:complexType name="ChildType">
|
|
+ <xs:complexContent>
|
|
+ <xs:extension base="BaseType">
|
|
+ <xs:sequence>
|
|
+ <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/>
|
|
+ </xs:sequence>
|
|
+ </xs:extension>
|
|
+ </xs:complexContent>
|
|
+ </xs:complexType>
|
|
+ <xs:element name="Child" type="ChildType" />
|
|
+</xs:schema>
|
|
diff --git a/xmlschemas.c b/xmlschemas.c
|
|
index 152b7c3f..eec24a95 100644
|
|
--- a/xmlschemas.c
|
|
+++ b/xmlschemas.c
|
|
@@ -18619,7 +18619,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
|
|
"allowed to appear inside other model groups",
|
|
NULL, NULL);
|
|
|
|
- } else if (! dummySequence) {
|
|
+ } else if ((!dummySequence) && (baseType->subtypes != NULL)) {
|
|
xmlSchemaTreeItemPtr effectiveContent =
|
|
(xmlSchemaTreeItemPtr) type->subtypes;
|
|
/*
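Review bot: The added `baseType->subtypes != NULL` guard on the `else if` stops the crash but leaves no explanation of why a base type without a particle is silently skipped instead of reported; from the new test, the schema is only rejected later by the content-type check (the "must either 'mixed' or 'element-only'" error in the expected .err), so this branch now quietly depends on that later check firing. A comment above the changed line would make the dependency explicit: `/* A base type with simple content has no particle (subtypes == NULL); the invalid derivation is reported later by the content-type check, so skip the merge here. */`. Whether baseType itself is guaranteed non-NULL at this point is not visible in the hunk and should be confirmed against the surrounding code. The body of xmlSchemaFixupComplexType starts and ends outside the hunk.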
|
|
--
|
|
|
|
|