I'm running into a problem with the XML schema validation code when applied to CDATA sections that happen to have some trailing whitespace.  It seems to be isolated to cases where a namespace is being used.
The following XML and XSD snippets will cause the crash in the latest (2.6.22) version of xmllint I have:

<?xml version="1.0" encoding="utf-8"?>
<ex:List xmlns:ex="http://www.foo.com">
    <ex:Item>
        <![CDATA[A single item]]>
    </ex:Item>
</ex:List>

<?xml version="1.0" encoding="utf-8" ?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://www.foo.com" xmlns:ex="http://www.foo.com" elementFormDefault="qualified" attributeFormDefault="qualified">
    <xs:element name="List" type="ex:ListT"/>
    <xs:complexType name="ListT">
        <xs:sequence>
            <xs:element name="Item" type="xs:string" minOccurs="0" maxOccurs="1"/>
        </xs:sequence>
    </xs:complexType>
</xs:schema>

If you remove the whitespace from around the CDATA section, you do not get a crash and the XML validates just fine.
The crash is happening in xmlschemas.c at line 23877 (in xmlSchemaVPushText).  xmlStrncat is called with a "len" variable that was passed in from the calling function as -1 (other parts of xmlSchemaVPushText consider this).  Eventually that -1 gets passed into a memcpy call by xmlStrncat and causes a seg fault.
I don't think this line is ever called if namespaces aren't being used -- at least, I couldn't reproduce this error in that case.
Anyway, I was wondering if this is a known bug and if there are any plans to fix it in the near future.  Or if I'm just using really bad XML/XSD and if so, please let me know (well, I don't have any control over the XML I'm getting, but it would be good to know if there's something wrong with it, too).
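
The failure mode described in the report (a length of -1 reaching memcpy through a concatenation helper) can be guarded against as in the following added example. It is not code from the original post or from libxml2; `append_text` and `push_sample_nodes` are hypothetical names, and it assumes -1 is meant as a "string is NUL-terminated, measure it" sentinel.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not libxml2 code. Appends `len` bytes of `add` to the
 * heap string `cur` (may be NULL). Returns the new string, or NULL on error
 * with `cur` left untouched. Assumption: len == -1 means "NUL-terminated". */
char *append_text(char *cur, const char *add, int len)
{
    size_t cur_len, add_len;
    char *out;

    if (add == NULL)
        return NULL;
    if (len == -1)
        add_len = strlen(add);   /* resolve the sentinel before any copy */
    else if (len < 0)
        return NULL;             /* any other negative length is a caller bug */
    else
        add_len = (size_t)len;

    cur_len = cur ? strlen(cur) : 0;
    if (add_len > SIZE_MAX - cur_len - 1)
        return NULL;             /* size computation would wrap */

    out = realloc(cur, cur_len + add_len + 1);
    if (out == NULL)
        return NULL;
    /* Without the checks above, (size_t)-1 would be the copy size here. */
    memcpy(out + cur_len, add, add_len);
    out[cur_len + add_len] = '\0';
    return out;
}

/* Constructed input mirroring the report: a whitespace text node, the CDATA
 * content passed with len == -1, then the trailing whitespace. */
char *push_sample_nodes(void)
{
    const char *nodes[] = { "\n        ", "A single item", "\n    " };
    const int lens[] = { 9, -1, -1 };
    char *v = NULL, *next;

    for (size_t i = 0; i < 3; i++) {
        next = append_text(v, nodes[i], lens[i]);
        if (next == NULL) { free(v); return NULL; }
        v = next;
    }
    return v;
}
```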
