From fef4085cd718a1a4df050d6ce195bab0cd3327a6 Mon Sep 17 00:00:00 2001
From: fangyunzhong <fangyunzhong2@huawei.com>
Date: Fri, 5 May 2023 03:46:13 +0000
Subject: [PATCH] =?UTF-8?q?fixed=207fa9350=20from=20https://gitee.com/fang?=
 =?UTF-8?q?-yunzhong/third=5Fparty=5Flibxml2/pulls/43=20=E5=AE=89=E5=85=A8?=
 =?UTF-8?q?=E6=BC=8F=E6=B4=9E=E4=BF=AE=E5=A4=8DCVE-2023-29469,CVE-2023-284?=
 =?UTF-8?q?84?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: fangyunzhong <fangyunzhong2@huawei.com>
---
 dict.c                                |  3 ++-
 result/schemas/issue491_0_0.err       |  1 +
 result/schemas/oss-fuzz-51295_0_0.err |  2 ++
 test/schemas/issue491_0.xml           |  1 +
 test/schemas/issue491_0.xsd           | 18 ++++++++++++++++++
 test/schemas/oss-fuzz-51295_0.xml     |  1 +
 test/schemas/oss-fuzz-51295_0.xsd     |  4 ++++
 xmlschemas.c                          | 17 ++++++++++++++---
 8 files changed, 43 insertions(+), 4 deletions(-)
 create mode 100644 result/schemas/issue491_0_0.err
 create mode 100644 result/schemas/oss-fuzz-51295_0_0.err
 create mode 100644 test/schemas/issue491_0.xml
 create mode 100644 test/schemas/issue491_0.xsd
 create mode 100644 test/schemas/oss-fuzz-51295_0.xml
 create mode 100644 test/schemas/oss-fuzz-51295_0.xsd

diff --git a/dict.c b/dict.c
index 90e4d81..e39e8a4 100644
--- a/dict.c
+++ b/dict.c
@@ -451,7 +451,8 @@ static unsigned long
 xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
     unsigned long value = seed;
 
-    if (name == NULL) return(0);
+    if ((name == NULL) || (namelen <= 0))
+        return(value);
     value += *name;
     value <<= 5;
     if (namelen > 10) {
diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
new file mode 100644
index 0000000..9b2bb96
--- /dev/null
+++ b/result/schemas/issue491_0_0.err
@@ -0,0 +1 @@
+./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.
diff --git a/result/schemas/oss-fuzz-51295_0_0.err b/result/schemas/oss-fuzz-51295_0_0.err
new file mode 100644
index 0000000..1e89524
--- /dev/null
+++ b/result/schemas/oss-fuzz-51295_0_0.err
@@ -0,0 +1,2 @@
+./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
+./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
new file mode 100644
index 0000000..e2b2fc2
--- /dev/null
+++ b/test/schemas/issue491_0.xml
@@ -0,0 +1 @@
+<Child xmlns="http://www.test.com">5</Child>
diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
new file mode 100644
index 0000000..8170264
--- /dev/null
+++ b/test/schemas/issue491_0.xsd
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified">
+  <xs:complexType name="BaseType">
+    <xs:simpleContent>
+      <xs:extension base="xs:int" />
+    </xs:simpleContent>
+  </xs:complexType>
+  <xs:complexType name="ChildType">
+    <xs:complexContent>
+      <xs:extension base="BaseType">
+        <xs:sequence>
+          <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/>
+        </xs:sequence>
+      </xs:extension>
+    </xs:complexContent>
+  </xs:complexType>
+  <xs:element name="Child" type="ChildType" />
+</xs:schema>
diff --git a/test/schemas/oss-fuzz-51295_0.xml b/test/schemas/oss-fuzz-51295_0.xml
new file mode 100644
index 0000000..10a7e70
--- /dev/null
+++ b/test/schemas/oss-fuzz-51295_0.xml
@@ -0,0 +1 @@
+<e/>
diff --git a/test/schemas/oss-fuzz-51295_0.xsd b/test/schemas/oss-fuzz-51295_0.xsd
new file mode 100644
index 0000000..fde96af
--- /dev/null
+++ b/test/schemas/oss-fuzz-51295_0.xsd
@@ -0,0 +1,4 @@
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
+    <xs:element name="e" substitutionGroup="e"/>
+    <xs:element name="t" substitutionGroup="e" type='xs:decimal'/>
+</xs:schema>
diff --git a/xmlschemas.c b/xmlschemas.c
index 1efd096..0b46f9e 100644
--- a/xmlschemas.c
+++ b/xmlschemas.c
@@ -13339,8 +13339,19 @@ xmlSchemaResolveElementReferences(xmlSchemaElementPtr elemDecl,
 	    * declaration `resolved` to by the `actual value`
 	    * of the substitutionGroup [attribute], if present"
 	    */
-	    if (elemDecl->subtypes == NULL)
-		elemDecl->subtypes = substHead->subtypes;
+	    if (elemDecl->subtypes == NULL) {
+                if (substHead->subtypes == NULL) {
+                    /*
+                     * This can happen with self-referencing substitution
+                     * groups. The cycle will be detected later, but we have
+                     * to set subtypes to avoid null-pointer dereferences.
+                     */
+	            elemDecl->subtypes = xmlSchemaGetBuiltInType(
+                            XML_SCHEMAS_ANYTYPE);
+                } else {
+		    elemDecl->subtypes = substHead->subtypes;
+                }
+            }
 	}
     }
     /*
@@ -18602,7 +18613,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
 			"allowed to appear inside other model groups",
 			NULL, NULL);
 
-		} else if (! dummySequence) {
+		} else if ((!dummySequence) && (baseType->subtypes != NULL)) {
 		    xmlSchemaTreeItemPtr effectiveContent =
 			(xmlSchemaTreeItemPtr) type->subtypes;
 		    /*
-- 
Gitee