[CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType

Fix a null pointer dereference when parsing (invalid) XML schemas. Thanks to Robby Simpson for the report! Fixes #491.
GNOME · Apr 11, 2023 · 647e072 · 647e072
1 parent 2a1ecb1
commit 647e072
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 1 deletion.
diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
@@ -0,0 +1 @@
+./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.
diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
@@ -0,0 +1 @@
+<Child xmlns="http://www.test.com">5</Child>
diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified">
+  <xs:complexType name="BaseType">
+    <xs:simpleContent>
+      <xs:extension base="xs:int" />
+    </xs:simpleContent>
+  </xs:complexType>
+  <xs:complexType name="ChildType">
+    <xs:complexContent>
+      <xs:extension base="BaseType">
+        <xs:sequence>
+          <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/>
+        </xs:sequence>
+      </xs:extension>
+    </xs:complexContent>
+  </xs:complexType>
+  <xs:element name="Child" type="ChildType" />
+</xs:schema>
diff --git a/xmlschemas.c b/xmlschemas.c
@@ -18619,7 +18619,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
 			"allowed to appear inside other model groups",
 			NULL, NULL);
 
-		} else if (! dummySequence) {
+		} else if ((!dummySequence) && (baseType->subtypes != NULL)) {
 		    xmlSchemaTreeItemPtr effectiveContent =
 			(xmlSchemaTreeItemPtr) type->subtypes;
 		    /*