[xml] Crash in xmlschemas.c when validating XML containing mixed CDATA section



Hi,
 
I'm running into a problem with the XML schema validation code when applied to CDATA sections that happen to have some trailing whitespace.  It seems to be isolated to cases where a namespace is being used.
 
The following XML and XSD snippets will cause the crash in the latest (2.6.22) version of xmllint I have:
 
XML:
<?xml version="1.0" encoding="utf-8"?>
<ex:List xmlns:ex="http://www.foo.com">
    <ex:Item>
        <![CDATA[A single item]]>
    </ex:Item>
</ex:List>
XSD:
<?xml version="1.0" encoding="utf-8" ?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://www.foo.com" xmlns:ex="http://www.foo.com" elementFormDefault="qualified" attributeFormDefault="qualified">
    <xs:element name="List" type="ex:ListT"/>
 
    <xs:complexType name="ListT">
        <xs:sequence>
            <xs:element name="Item" type="xs:string" minOccurs="0" maxOccurs="1"/>
        </xs:sequence>
    </xs:complexType>
</xs:schema>
 
If you remove the whitespace from around the CDATA section, you do not get a crash and the XML validates just fine.
 
The crash is happening in xmlschemas.c at line 23877 (in xmlSchemaVPushText).  xmlStrncat is called with a "len" variable that was passed in from the calling function as -1 (other parts of xmlSchemaVPushText consider this).  Eventually that -1 gets passed into a memcpy call by xmlStrncat and causes a seg fault.
 
I don't think this line is ever called if namespaces aren't being used -- at least, I couldn't reproduce this error in that case.
 
Anyway, I was wondering if this is a known bug and if there are any plans to fix it in the near future.  Or if I'm just using really bad XML/XSD and if so, please let me know (well, I don't have any control over the XML I'm getting, but it would be good to know if there's something wrong with it, too).
 
Thanks very much,
Judy
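The failure described above is a signed length sentinel (-1, meaning "the text is NUL-terminated, measure it yourself") reaching memcpy unresolved, where it becomes a huge size_t. The following is an added example, not libxml2 code and not part of the original post: a small append helper in the style of xmlStrncat that resolves the -1 sentinel before any copy, refuses any other negative length, and leaves the caller's buffer untouched on error. The names (uchar_t, safe_strncat, push_text) and the constructed CDATA sample are assumptions for illustration.

```c
/* Added example, not libxml2 code: resolving a -1 length sentinel before it
 * can reach memcpy. Names are hypothetical stand-ins for libxml2's xmlChar
 * and xmlStrncat. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned char uchar_t;   /* stand-in for xmlChar */

/* Append text to *cur.
 *   len == -1 : `add` is NUL-terminated, append all of it.
 *   len >  0  : append at most `len` bytes (never past add's terminator).
 *   len == 0  : nothing to do.
 *   other     : invalid, return -1 and leave *cur unchanged.
 * Returns 0 on success. *cur may be NULL initially; caller frees it. */
static int safe_strncat(uchar_t **cur, const uchar_t *add, int len)
{
    size_t cur_len = 0, add_len = 0;
    uchar_t *out;

    if (cur == NULL)
        return -1;
    if (add == NULL || len == 0)
        return 0;

    /* Resolve the sentinel here, before the length becomes a size_t. */
    if (len == -1) {
        add_len = strlen((const char *)add);
    } else if (len < 0) {
        return -1;                               /* unresolved negative length */
    } else {
        while (add_len < (size_t)len && add[add_len] != '\0')
            add_len++;                           /* cap at the real string end */
    }

    if (*cur != NULL)
        cur_len = strlen((const char *)*cur);

    out = realloc(*cur, cur_len + add_len + 1);
    if (out == NULL)
        return -1;                               /* *cur still valid for caller */

    memcpy(out + cur_len, add, add_len);
    out[cur_len + add_len] = '\0';
    *cur = out;
    return 0;
}

/* Mimics the shape of a text-push routine: the caller may pass -1 for len,
 * and every path must go through the same normalising helper. Returns the
 * resulting byte length, or -1 on error. */
static long push_text(uchar_t **buf, const uchar_t *text, int len)
{
    if (safe_strncat(buf, text, len) != 0)
        return -1;
    return (long)strlen((const char *)*buf);
}

int main(void)
{
    /* Constructed sample: the CDATA body plus the trailing whitespace that
     * the post reports as triggering the crash. */
    const uchar_t *cdata = (const uchar_t *)"A single item";
    const uchar_t *ws    = (const uchar_t *)"\n    ";
    uchar_t *buf = NULL;

    printf("cdata  -> %ld bytes\n", push_text(&buf, cdata, -1));
    printf("ws     -> %ld bytes\n", push_text(&buf, ws, -1));
    printf("len=-2 -> %ld (rejected, buffer kept)\n", push_text(&buf, ws, -2));
    printf("result: \"%s\"\n", (const char *)buf);
    free(buf);
    return 0;
}
```

The design choice worth noting is that the sentinel is translated in exactly one place; a routine that accepts -1 on some paths and forwards it raw on others (which is what the post describes) is the pattern to look for when reviewing length-handling code.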

