Fix a segfault on XSD validation on pattern error
As reported by Sven <sven@e7o.de>:
The following pattern will cause a segmentation fault in my
Apache (using PHP5 to validate a XML against a XSD):
<xs:pattern value="(.*)|"/>
Fix a cascade of error handling failures which led to the
crash in that scenario.
diff --git a/xmlregexp.c b/xmlregexp.c
index 8a8be98..b952708 100644
--- a/xmlregexp.c
+++ b/xmlregexp.c
@@ -3202,7 +3202,7 @@
memset(exec->counts, 0, comp->nbCounters * sizeof(int));
} else
exec->counts = NULL;
- while ((exec->status == 0) &&
+ while ((exec->status == 0) && (exec->state != NULL) &&
((exec->inputString[exec->index] != 0) ||
((exec->state != NULL) &&
(exec->state->type != XML_REGEXP_FINAL_STATE)))) {
@@ -3456,6 +3456,8 @@
}
xmlFree(exec->rollbacks);
}
+ if (exec->state == NULL)
+ return(-1);
if (exec->counts != NULL)
xmlFree(exec->counts);
if (exec->status == 0)
@@ -5373,6 +5375,10 @@
end = ctxt->state;
while ((CUR == '|') && (ctxt->error == 0)) {
NEXT;
+ if (CUR == 0) {
+ ERROR("expecting a branch after |")
+ return;
+ }
ctxt->state = start;
ctxt->end = NULL;
xmlFAParseBranch(ctxt, end);