[CVE-2023-28484] Segfault When Parsing XSD
(Note that this issue was also submitted via https://security.gnome.org and was assigned issue numbers 160 and 490. However, there have been issues with the example XSD and XML submitted, so I was asked to create this issue by Nick Wellnhofer.)
I have found an issue in libxml2 (as well as xmllint), verified in the latest version 2.10.3. The issue causes a segmentation fault and I believe the issue is dereferencing a null pointer. This could be used for the typical exploits resulting from a local null pointer dereference. As the segfault is caused during XML schema parsing, it could potentially be triggered remotely if an application is using libxml2 in combination with schema negotiation or there is some remote ability to select the schema used for parsing. Thus, I thought it may be considered a security issue and have opted to submit it confidentially.
To easily reproduce, execute
xmllint --schema ./test.xsd ./test.xml --noout
using the schema and XML I will attach to this issue.
To reproduce without xmllint, I will also attach sample C code that can be compiled with libxml2.
Essentially, the problem occurs when parsing an XML schema that contains a complexType with an element that extends another complexType containing simpleContent.
From my investigation (using a debugger), this is the specific line causing the segfault:
I'm happy to provide a patch or pull request, but thought it important to report via this form and not create a public pull request in case there are security concerns.
Please let me know if I can be of any assistance. I've used libxml2 as well as xmllint for many years and am happy to help / "give back"!