[CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType

Fix a null pointer dereference when parsing (invalid) XML schemas.

Thanks to Robby Simpson for the report!

Fixes #491.

result/schemas/issue491_0_0.err

@@ -0,0 +1 @@
+./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.

test/schemas/issue491_0.xml

@@ -0,0 +1 @@
+<Child xmlns="http://www.test.com">5</Child>

test/schemas/issue491_0.xsd

@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified">
+  <xs:complexType name="BaseType">
+    <xs:simpleContent>
+      <xs:extension base="xs:int" />
+    </xs:simpleContent>
+  </xs:complexType>
+  <xs:complexType name="ChildType">
+    <xs:complexContent>
+      <xs:extension base="BaseType">
+        <xs:sequence>
+          <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/>
+        </xs:sequence>
+      </xs:extension>
+    </xs:complexContent>
+  </xs:complexType>
+  <xs:element name="Child" type="ChildType" />
+</xs:schema>

xmlschemas.c

@@ -18619,7 +18619,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
 			"allowed to appear inside other model groups",
 			NULL, NULL);
 
-		} else if (! dummySequence) {
+		} else if ((!dummySequence) && (baseType->subtypes != NULL)) {
 		    xmlSchemaTreeItemPtr effectiveContent =
 			(xmlSchemaTreeItemPtr) type->subtypes;
 		    /*