Null-deref in xmlSchemaGetComponentTargetNs
When we used the attached XML file for testing, the following call stack error occurred:
==757064==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000006f5377 bp 0x7ffc4d16a280 sp 0x7ffc4d16a270 T0)
==757064==The signal is caused by a READ memory access.
==757064==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
#0 0x6f5377 in xmlSchemaGetComponentTargetNs /src/libxml2/xmlschemas.c:1387:19
#1 0x6f4fff in xmlSchemaGetComponentQName /src/libxml2/xmlschemas.c:1430:2
#2 0x7370bd in xmlSchemaCheckElemPropsCorrect /src/libxml2/xmlschemas.c:19756:7
#3 0x722687 in xmlSchemaCheckElementDeclComponent /src/libxml2/xmlschemas.c:20080:9
#4 0x6e8ef0 in xmlSchemaFixupComponents /src/libxml2/xmlschemas.c:21286:7
#5 0x6e564d in xmlSchemaParse /src/libxml2/xmlschemas.c:21445:9
#6 0x5559e6 in LLVMFuzzerTestOneInput /src/libxml2/fuzz/schema.c:36:19
#7 0x45bb53 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
#8 0x4472c2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#9 0x44cf66 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
#10 0x476472 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#11 0x7f27e1188b26 in __libc_start_main (/lib64/libc.so.6+0x25b26)
#12 0x423179 in _start (/root/oss-fuzz/build/out/libxml2/schema+0x423179)
DEDUP_TOKEN: xmlSchemaGetComponentTargetNs--xmlSchemaGetComponentQName--xmlSchemaCheckElemPropsCorrect
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/libxml2/xmlschemas.c:1387:19 in xmlSchemaGetComponentTargetNs
==757064==ABORTING
Edited by huangduirong