From 19e0a3ed092085a4d6689397d4f08cf5d86267af Mon Sep 17 00:00:00 2001
From: Michael Mann <mmann78@netscape.net>
Date: Sat, 21 Jun 2025 12:11:30 -0400
Subject: [PATCH] Schematron: Fix null pointer dereference leading to DoS

(CVE-2025-49795)

Fixes #932

Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/c24909ba2601848825b49a60f988222da3019667]
CVE: CVE-2025-49795

(cherry picked from commit c24909ba2601848825b49a60f988222da3019667)
Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
---
 result/schematron/zvon16_0     | 6 ++++++
 result/schematron/zvon16_0.err | 5 +++++
 schematron.c                   | 5 +++++
 test/schematron/zvon16.sct     | 7 +++++++
 test/schematron/zvon16_0.xml   | 5 +++++
 5 files changed, 28 insertions(+)
 create mode 100644 result/schematron/zvon16_0
 create mode 100644 result/schematron/zvon16_0.err
 create mode 100644 test/schematron/zvon16.sct
 create mode 100644 test/schematron/zvon16_0.xml

diff --git a/result/schematron/zvon16_0 b/result/schematron/zvon16_0
new file mode 100644
index 00000000..768cf6f5
--- /dev/null
+++ b/result/schematron/zvon16_0
@@ -0,0 +1,6 @@
+<?xml version="1.0"?>
+<library>
+	<book title="Test Book" id="bk101">
+		<author>Test Author</author>
+	</book>
+</library>
diff --git a/result/schematron/zvon16_0.err b/result/schematron/zvon16_0.err
new file mode 100644
index 00000000..a4fab4c8
--- /dev/null
+++ b/result/schematron/zvon16_0.err
@@ -0,0 +1,5 @@
+Pattern: TestPattern
+xmlXPathCompOpEval: function falae not found
+XPath error : Unregistered function
+/library/book line 2: Book 
+./test/schematron/zvon16_0.xml fails to validate
diff --git a/schematron.c b/schematron.c
index a8259201..86c63e64 100644
--- a/schematron.c
+++ b/schematron.c
@@ -1481,6 +1481,11 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
             select = xmlGetNoNsProp(child, BAD_CAST "select");
             comp = xmlXPathCtxtCompile(ctxt->xctxt, select);
             eval = xmlXPathCompiledEval(comp, ctxt->xctxt);
+            if (eval == NULL) {
+                xmlXPathFreeCompExpr(comp);
+                xmlFree(select);
+                return ret;
+            }
 
             switch (eval->type) {
             case XPATH_NODESET: {
diff --git a/test/schematron/zvon16.sct b/test/schematron/zvon16.sct
new file mode 100644
index 00000000..f03848aa
--- /dev/null
+++ b/test/schematron/zvon16.sct
@@ -0,0 +1,7 @@
+<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
+	<sch:pattern id="TestPattern">
+		<sch:rule context="book">
+			<sch:report test="not(@available)">Book <sch:value-of select="falae()"/> test</sch:report>
+		</sch:rule>
+	</sch:pattern>
+</sch:schema>
diff --git a/test/schematron/zvon16_0.xml b/test/schematron/zvon16_0.xml
new file mode 100644
index 00000000..551e2d65
--- /dev/null
+++ b/test/schematron/zvon16_0.xml
@@ -0,0 +1,5 @@
+<library>
+	<book title="Test Book" id="bk101">
+		<author>Test Author</author>
+	</book>
+</library>
-- 
2.34.1