diff --git a/dict.c b/dict.c
index 90e4d81403cf190b3e9ab19a869bf9068cd9cf0d..e39e8a4f7a99ec5da377fed6dcb41d1af0331915 100644
--- a/dict.c
+++ b/dict.c
@@ -451,7 +451,8 @@ static unsigned long
xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
unsigned long value = seed;
- if (name == NULL) return(0);
+ if ((name == NULL) || (namelen <= 0))
+ return(value);
value += *name;
value <<= 5;
if (namelen > 10) {
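Review bot: The new early return changes what a NULL name hashes to, from 0 to the seed, and nothing in the hunk says this is intended; callers outside this hunk that treated 0 as the no-name result would need a look. The `namelen <= 0` half of the guard is what stops `value += *name` from reading a byte of a zero-length name. That deserves a one-line comment above the guard, for example `/* Empty or missing name: hash is the seed alone, name[0] is never read. */`. The function body continues past the end of the hunk.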
diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
new file mode 100644
index 0000000000000000000000000000000000000000..9b2bb9691f5544b952d7d1013bcdf888d155b47b
--- /dev/null
+++ b/result/schemas/issue491_0_0.err
@@ -0,0 +1 @@
+./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.
diff --git a/result/schemas/oss-fuzz-51295_0_0.err b/result/schemas/oss-fuzz-51295_0_0.err
new file mode 100644
index 0000000000000000000000000000000000000000..1e89524f63ea325deb7da3eae1d0d1bc20b54a6a
--- /dev/null
+++ b/result/schemas/oss-fuzz-51295_0_0.err
@@ -0,0 +1,2 @@
+./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
+./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
new file mode 100644
index 0000000000000000000000000000000000000000..e2b2fc2e359b31b6f158600cf06c979134c0e248
--- /dev/null
+++ b/test/schemas/issue491_0.xml
@@ -0,0 +1 @@
+5
diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
new file mode 100644
index 0000000000000000000000000000000000000000..8170264987b77fcf915ae2ca438dc065aaaf74b2
--- /dev/null
+++ b/test/schemas/issue491_0.xsd
@@ -0,0 +1,18 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/test/schemas/oss-fuzz-51295_0.xml b/test/schemas/oss-fuzz-51295_0.xml
new file mode 100644
index 0000000000000000000000000000000000000000..10a7e703b2b16a229a9e10d4e256e8332d422b4d
--- /dev/null
+++ b/test/schemas/oss-fuzz-51295_0.xml
@@ -0,0 +1 @@
+
diff --git a/test/schemas/oss-fuzz-51295_0.xsd b/test/schemas/oss-fuzz-51295_0.xsd
new file mode 100644
index 0000000000000000000000000000000000000000..fde96af5c60b741386e536c88911a7cb932c673f
--- /dev/null
+++ b/test/schemas/oss-fuzz-51295_0.xsd
@@ -0,0 +1,4 @@
+
+
+
+
diff --git a/xmlschemas.c b/xmlschemas.c
index 1efd09624965cef42ddefd1663867dd2c2bdc360..0b46f9ebda08a2ad8c768dad56b6b91a7b2bd1c2 100644
--- a/xmlschemas.c
+++ b/xmlschemas.c
@@ -13339,8 +13339,19 @@ xmlSchemaResolveElementReferences(xmlSchemaElementPtr elemDecl,
* declaration `resolved` to by the `actual value`
* of the substitutionGroup [attribute], if present"
*/
- if (elemDecl->subtypes == NULL)
- elemDecl->subtypes = substHead->subtypes;
+ if (elemDecl->subtypes == NULL) {
+ if (substHead->subtypes == NULL) {
+ /*
+ * This can happen with self-referencing substitution
+ * groups. The cycle will be detected later, but we have
+ * to set subtypes to avoid null-pointer dereferences.
+ */
+ elemDecl->subtypes = xmlSchemaGetBuiltInType(
+ XML_SCHEMAS_ANYTYPE);
+ } else {
+ elemDecl->subtypes = substHead->subtypes;
+ }
+ }
}
}
/*
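Review bot: The fallback in the `substHead->subtypes == NULL` branch assigns anyType, the most permissive type, so the fix is only safe if the later cycle check always fails schema compilation. That check is outside this hunk, and the comment should state the dependency, e.g. by adding `* The anyType placeholder must never reach a compiled schema.` to it. The result of `xmlSchemaGetBuiltInType(XML_SCHEMAS_ANYTYPE)` is also stored unchecked. If it can return NULL (for instance when built-in type initialisation fails, which is not visible here), `elemDecl->subtypes` stays NULL and the dereference the comment describes is still reachable. The enclosing function starts before the hunk.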
@@ -18602,7 +18613,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
"allowed to appear inside other model groups",
NULL, NULL);
- } else if (! dummySequence) {
+ } else if ((!dummySequence) && (baseType->subtypes != NULL)) {
xmlSchemaTreeItemPtr effectiveContent =
(xmlSchemaTreeItemPtr) type->subtypes;
/*
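Review bot: The added `baseType->subtypes != NULL` test in the `else if` has no comment saying when a base type reaches this point without a content model, or what happens to the derived type once the branch is skipped. With the condition false, the code falls through without building the combined content and without a diagnostic in this hunk. Judging from the expected output added for issue491, the mismatch appears to be reported elsewhere, but that should be said here, e.g. `/* Base type has no particle to extend; the content-type mismatch is reported separately. */` above the condition. The branch body continues past the end of the hunk.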