Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP1:Update
libxml2.32556
libxml2-CVE-2023-28484-2.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File libxml2-CVE-2023-28484-2.patch of Package libxml2.32556
From 4c6922f763ad958c48ff66f82823ae21f2e92ee6 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer <wellnhofer@aevum.de> Date: Tue, 13 Sep 2022 16:40:31 +0200 Subject: [PATCH] schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK Found by OSS-Fuzz. --- result/schemas/oss-fuzz-51295_0_0.err | 2 ++ test/schemas/oss-fuzz-51295_0.xml | 1 + test/schemas/oss-fuzz-51295_0.xsd | 4 ++++ xmlschemas.c | 15 +++++++++++++-- 4 files changed, 20 insertions(+), 2 deletions(-) create mode 100644 result/schemas/oss-fuzz-51295_0_0.err create mode 100644 test/schemas/oss-fuzz-51295_0.xml create mode 100644 test/schemas/oss-fuzz-51295_0.xsd diff --git a/result/schemas/oss-fuzz-51295_0_0.err b/result/schemas/oss-fuzz-51295_0_0.err new file mode 100644 index 00000000..1e89524f --- /dev/null +++ b/result/schemas/oss-fuzz-51295_0_0.err @@ -0,0 +1,2 @@ +./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'. +./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'. diff --git a/test/schemas/oss-fuzz-51295_0.xml b/test/schemas/oss-fuzz-51295_0.xml new file mode 100644 index 00000000..10a7e703 --- /dev/null +++ b/test/schemas/oss-fuzz-51295_0.xml @@ -0,0 +1 @@ +<e/> diff --git a/test/schemas/oss-fuzz-51295_0.xsd b/test/schemas/oss-fuzz-51295_0.xsd new file mode 100644 index 00000000..fde96af5 --- /dev/null +++ b/test/schemas/oss-fuzz-51295_0.xsd @@ -0,0 +1,4 @@ +<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"> + <xs:element name="e" substitutionGroup="e"/> + <xs:element name="t" substitutionGroup="e" type='xs:decimal'/> +</xs:schema> diff --git a/xmlschemas.c b/xmlschemas.c index f31d3d1f..152b7c3f 100644 --- a/xmlschemas.c +++ b/xmlschemas.c @@ -13345,8 +13345,19 @@ xmlSchemaResolveElementReferences(xmlSchemaElementPtr elemDecl, * declaration `resolved` to by the `actual value` * of the substitutionGroup [attribute], if present" */ - if (elemDecl->subtypes == NULL) - elemDecl->subtypes = substHead->subtypes; + if (elemDecl->subtypes == NULL) { + if (substHead->subtypes == NULL) { + /* + * This can happen with self-referencing substitution + * groups. The cycle will be detected later, but we have + * to set subtypes to avoid null-pointer dereferences. + */ + elemDecl->subtypes = xmlSchemaGetBuiltInType( + XML_SCHEMAS_ANYTYPE); + } else { + elemDecl->subtypes = substHead->subtypes; + } + } } } /* -- GitLab
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
