[xml] Crash in xmlschemas.c when validating XML containing mixed CDATA section

[Judy Hay <judyhay yahoo com>]

Hi,

 

I'm running into a problem with the XML schema validation code when applied to CDATA sections that happen to have some trailing whitespace.  It seems to be isolated to cases where a namespace is being used.

 

The following XML and XSD snippets will cause the crash in the latest (2.6.22) version of xmllint I have:

 

XML:

<?xml version="1.0" encoding="utf-8"?>

<ex:List xmlns:ex="http://www.foo.com">

    <ex:Item>

        <![CDATA[A single item]]>

    </ex:Item>
</ex:List>

XSD:

<?xml version="1.0" encoding="utf-8" ?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://www.foo.com" xmlns:ex="http://www.foo.com" elementFormDefault="qualified" attributeFormDefault="qualified">

    <xs:element name="List" type="ex:ListT"/>

 

    <xs:complexType name="ListT">
        <xs:sequence>
            <xs:element name="Item" type="xs:string" minOccurs="0" maxOccurs="1"/>
        </xs:sequence>
    </xs:complexType>

</xs:schema>

 

If you remove the whitespace from around the CDATA section, you do not get a crash and the XML validates just fine.

 

The crash is happening in xmlschemas.c at line 23877 (in xmlSchemaVPushText).  xmlStrncat is called with a "len" variable that was passed in from the calling function as -1 (other parts of xmlSchemaVPushText consider this).  Eventually that -1 gets passed into a memcpy call by xmlStrncat and causes a seg fault.

 

I don't think this line is ever called if namespaces aren't being used -- at least, I couldn't reproduce this error in that case.

 

Anyway, I was wondering if this is a known bug and if there are any plans to fix it in the near future.  Or if I'm just using really bad XML/XSD and if so, please let me know (well, I don't have any control over the XML I'm getting, but it would be good to know if there's something wrong with it, too).

 

Thanks very much,

Judy