Schematron: Fix null pointer dereference leading to DoS

(CVE-2025-49795) Fixes #932
2026-01-26 21:41:34 +03:00 · 2025-06-21 12:11:30 -04:00
parent 069bcda17d
commit 499bcb78ab
4 changed files with 15 additions and 0 deletions
--- a/result/schematron/zvon16_0.err
+++ b/result/schematron/zvon16_0.err
@@ -0,0 +1 @@
+xmlSchematronParse: could not load './test/schematron/zvon16.sct'
--- a/schematron.c
+++ b/schematron.c
@@ -1453,6 +1453,8 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
            select = xmlGetNoNsProp(child, BAD_CAST "select");
            comp = xmlXPathCtxtCompile(ctxt->xctxt, select);
            eval = xmlXPathCompiledEval(comp, ctxt->xctxt);
+            if (eval == NULL)
+                return ret;

            switch (eval->type) {
            case XPATH_NODESET: {
--- a/test/schematron/zvon16.sct
+++ b/test/schematron/zvon16.sct
@@ -0,0 +1,7 @@
+<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron"
+	<sch:pattern id="TestPattern">
+		<sch:rule context="book">
+			<sch:report test="not(@available)">Book <sch:value-of select="falae()"/> test</sch:report>
+		</sch:rule>
+	</sch:pattern>
+</sch:schema>
--- a/test/schematron/zvon16_0.xml
+++ b/test/schematron/zvon16_0.xml
@@ -0,0 +1,5 @@
+<library>
+	<book title="Test Book" id="bk101">
+		<author>Test Author</author>
+	</book>
+</library>
				`@@ -0,0 +1 @@`
				`xmlSchematronParse: could not load './test/schematron/zvon16.sct'`