From 343763fb94fdc9544f25970a1f56bf336c4a12e6 Mon Sep 17 00:00:00 2001 From: gaosix Date: Wed, 30 Jul 2025 17:06:28 +0800 Subject: [PATCH] =?UTF-8?q?=E5=AE=89=E5=85=A8=E8=A1=A5=E4=B8=81=E5=9B=9E?= =?UTF-8?q?=E5=90=88?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: gaosix --- BUILD.gn | 1 + ...l-pointer-dereference-leading-to-DoS.patch | 108 ++++++++++++++++++ install.py | 3 +- 3 files changed, 111 insertions(+), 1 deletion(-) create mode 100644 Fix-CVE-2025-49795-null-pointer-dereference-leading-to-DoS.patch diff --git a/BUILD.gn b/BUILD.gn index ac98ca9..7954248 100755 --- a/BUILD.gn +++ b/BUILD.gn @@ -73,6 +73,7 @@ action("libxml2_install_action") { "Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch", "Backport-CVE-2025-6170-Fix-potential-buffer-overflow-of-interactive-shell.patch", "Fix-CVE-2025-49794-CVE-2025-49796-memory-safety-issues-in-xmlSchematronReportOutput.patch", + "Fix-CVE-2025-49795-null-pointer-dereference-leading-to-DoS.patch", ] args = [ diff --git a/Fix-CVE-2025-49795-null-pointer-dereference-leading-to-DoS.patch b/Fix-CVE-2025-49795-null-pointer-dereference-leading-to-DoS.patch new file mode 100644 index 0000000..3c0865d --- /dev/null +++ b/Fix-CVE-2025-49795-null-pointer-dereference-leading-to-DoS.patch 
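Review bot: The same patch filenames are maintained by hand in two places, this list in BUILD.gn and `patch_file` in install.py, and nothing visible ties them together. If the two drift, a security patch can be listed for the build without being applied, or applied without being tracked by the build; this is inferred from the two hunks, since the name of the BUILD.gn list and the body of do_patch are outside them. A comment above the list would at least flag the coupling: `# Keep in sync with patch_file in install.py (same entries, same order).`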
@@ -0,0 +1,108 @@ +From c24909ba2601848825b49a60f988222da3019667 Mon Sep 17 00:00:00 2001 +From: Michael Mann +Date: Sat, 21 Jun 2025 12:11:30 -0400 +Subject: [PATCH] Schematron: Fix null pointer dereference leading to DoS + +(CVE-2025-49795) + +Fixes #932 +--- + result/schematron/zvon16_0.err | 3 +++ + runtest.c | 11 ++++++++--- + schematron.c | 5 +++++ + test/schematron/zvon16.sct | 7 +++++++ + test/schematron/zvon16_0.xml | 5 +++++ + 5 files changed, 28 insertions(+), 3 deletions(-) + create mode 100644 result/schematron/zvon16_0.err + create mode 100644 test/schematron/zvon16.sct + create mode 100644 test/schematron/zvon16_0.xml + +diff --git a/result/schematron/zvon16_0.err b/result/schematron/zvon16_0.err +new file mode 100644 +index 000000000..3d0524095 +--- /dev/null ++++ b/result/schematron/zvon16_0.err +@@ -0,0 +1,3 @@ ++XPath error : Unregistered function ++./test/schematron/zvon16_0.xml:2: element book: schematron error : /library/book line 2: Book ++./test/schematron/zvon16_0.xml fails to validate +diff --git a/runtest.c b/runtest.c +index 84518ae91..721a1b331 100644 +--- a/runtest.c ++++ b/runtest.c +@@ -3999,6 +3999,9 @@ schematronTest(const char *filename, + size_t i; + char count = 0; + ++ /* Redirect XPath errors */ ++ xmlSetStructuredErrorFunc(NULL, testStructuredErrorHandler); ++ + pctxt = xmlSchematronNewParserCtxt(filename); + schematron = xmlSchematronParse(pctxt); + xmlSchematronFreeParserCtxt(pctxt); +@@ -4012,8 +4015,8 @@ schematronTest(const char *filename, + */ + len = strlen(base); + if ((len > 499) || (len < 5)) { +- xmlSchematronFree(schematron); +- return(-1); ++ ret = -1; ++ goto done; + } + len -= 4; /* remove trailing .sct */ + memcpy(prefix, base, len); +@@ -4053,8 +4056,10 @@ schematronTest(const char *filename, + } + } + globfree(&globbuf); +- xmlSchematronFree(schematron); + ++done: ++ xmlSchematronFree(schematron); ++ xmlSetStructuredErrorFunc(NULL, NULL); + return(ret); + } + #endif /* LIBXML_SCHEMATRON_ENABLED */ +diff 
--git a/schematron.c b/schematron.c +index 21e9956bb..33e924a0a 100644 +--- a/schematron.c ++++ b/schematron.c +@@ -1505,6 +1505,11 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt, + select = xmlGetNoNsProp(child, BAD_CAST "select"); + comp = xmlXPathCtxtCompile(ctxt->xctxt, select); + eval = xmlXPathCompiledEval(comp, ctxt->xctxt); ++ if (eval == NULL) { ++ xmlXPathFreeCompExpr(comp); ++ xmlFree(select); ++ return ret; ++ } + + switch (eval->type) { + case XPATH_NODESET: { +diff --git a/test/schematron/zvon16.sct b/test/schematron/zvon16.sct +new file mode 100644 +index 000000000..f03848aae +--- /dev/null ++++ b/test/schematron/zvon16.sct +@@ -0,0 +1,7 @@ ++ ++ ++ ++ Book test ++ ++ ++ +diff --git a/test/schematron/zvon16_0.xml b/test/schematron/zvon16_0.xml +new file mode 100644 +index 000000000..551e2d654 +--- /dev/null ++++ b/test/schematron/zvon16_0.xml +@@ -0,0 +1,5 @@ ++ ++ ++ Test Author ++ ++ +-- +GitLab + diff --git a/install.py b/install.py index 023812d..fef1e87 100755 --- a/install.py +++ b/install.py @@ -54,7 +54,8 @@ def do_patch(args, target_dir): "Backport-CVE-2025-6021-tree-Fix-integer-overflow-in-xmlBuildQName-c.patch", "Fix-relaxng-is-parsed-to-an-infinite-attrs-next-loop.patch", "Backport-CVE-2025-6170-Fix-potential-buffer-overflow-of-interactive-shell.patch", - "Fix-CVE-2025-49794-CVE-2025-49796-memory-safety-issues-in-xmlSchematronReportOutput.patch" + "Fix-CVE-2025-49794-CVE-2025-49796-memory-safety-issues-in-xmlSchematronReportOutput.patch", + "Fix-CVE-2025-49795-null-pointer-dereference-leading-to-DoS.patch" ] for patch in patch_file: -- Gitee
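Review bot: In the schematron.c hunk of the added patch, `select` goes from `xmlGetNoNsProp(child, BAD_CAST "select")` straight into `xmlXPathCtxtCompile` with no NULL check, so the new `eval == NULL` guard only helps if the compile and eval calls tolerate a missing attribute. If the schema parser in this tree does not already reject a `value-of` without `select`, a guard before the compile in the same style as the fix would close that path: `if (select == NULL) return ret;`. The early return also hands back the message built so far, which the expected output in zvon16_0.err appears to show as a report cut at `Book`; a short comment stating that the truncation is intended would help the next person backporting onto this function. xmlSchematronFormatReport starts and ends outside the hunk, so the surrounding loop and the initial value of `ret` are not visible here.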
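Review bot: The new last entry of `patch_file` in install.py is again written without a trailing comma, which is why this change had to rewrite the previous entry as well. Ending it with a comma, `"Fix-CVE-2025-49795-null-pointer-dereference-leading-to-DoS.patch",`, keeps the next addition to a one-line diff. It also avoids the Python pitfall where a forgotten comma makes two adjacent string literals concatenate into a single filename that does not exist, which in a list of security patches means a fix that is not applied as intended. do_patch continues outside the hunk, so how a missing or failing patch is handled is not visible here.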