From 40851d0c5975a8fde9498f72f3f5d96ad3194dc5 Mon Sep 17 00:00:00 2001
From: Daniel Veillard
Date: Fri, 17 Aug 2012 20:34:05 +0800
Subject: [PATCH] Fix a segfault on XSD validation on pattern error As reported by Sven : The following pattern will cause a segmentation fault in my Apache (using PHP5 to validate a XML against a XSD): Fix a cascade of error handling failures which led to the crash in that scenario.
---
xmlregexp.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/xmlregexp.c b/xmlregexp.c
index 8a8be983..b9527085 100644
--- a/xmlregexp.c
+++ b/xmlregexp.c
@@ -3202,7 +3202,7 @@ xmlFARegExec(xmlRegexpPtr comp, const xmlChar *content) { memset(exec->counts, 0, comp->nbCounters * sizeof(int)); } else exec->counts = NULL; - while ((exec->status == 0) && + while ((exec->status == 0) && (exec->state != NULL) && ((exec->inputString[exec->index] != 0) || ((exec->state != NULL) && (exec->state->type != XML_REGEXP_FINAL_STATE)))) {
@@ -3456,6 +3456,8 @@ error: } xmlFree(exec->rollbacks); } + if (exec->state == NULL) + return(-1); if (exec->counts != NULL) xmlFree(exec->counts); if (exec->status == 0)
@@ -5373,6 +5375,10 @@ xmlFAParseRegExp(xmlRegParserCtxtPtr ctxt, int top) { end = ctxt->state; while ((CUR == '|') && (ctxt->error == 0)) { NEXT; + if (CUR == 0) { + ERROR("expecting a branch after |") + return; + } ctxt->state = start; ctxt->end = NULL; xmlFAParseBranch(ctxt, end);
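Review bot: The new outer `(exec->state != NULL)` test in the `while` condition of xmlFARegExec makes the `(exec->state != NULL) &&` that remains inside the second disjunct redundant, because short-circuit evaluation can no longer reach it with a NULL state. Dropping the inner test leaves `((exec->inputString[exec->index] != 0) || (exec->state->type != XML_REGEXP_FINAL_STATE))` and makes it obvious that the NULL guard now lives at the top of the condition. A short comment such as `/* state may be NULL when pattern compilation failed */` would record why the guard exists, if that is the case being handled; the hunk does not show where exec->state is assigned. The loop body continues outside the hunk.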
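Review bot: The added `return(-1)` under `error:` sits before `if (exec->counts != NULL) xmlFree(exec->counts);`, so when exec->state is NULL and the regexp has counters, the counts array is never released. In a long-running process that validates schemas from untrusted sources (the Apache/PHP setup named in the report), each such pattern would leak that allocation. Moving the check below the free keeps the crash fix without the leak: `if (exec->counts != NULL) xmlFree(exec->counts);` followed by `if (exec->state == NULL) return(-1);`. The rest of the function is outside the hunk, so whether anything further down also needs releasing cannot be confirmed from here.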
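Review bot: The early `return` after `ERROR("expecting a branch after |")` leaves ctxt->state and ctxt->end as the previous branch set them, so the fix relies on every caller testing ctxt->error before using the automaton, and nothing in the hunk says so. A comment on the new block would document that contract, for example `/* '|' at end of input: report and stop; callers must check ctxt->error */`. `ERROR(...)` is written without a trailing semicolon, which only compiles if the macro expands to complete statements; that is presumably the file's existing convention, but the macro is not visible here. xmlFAParseRegExp starts and ends outside the hunk.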