From 9f8484602f53ac23c5af031c96c36829191e6b92 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 9 Mar 2025 13:31:10 +0100
Subject: [PATCH] malloc-fail: Fix type confusion in
 xmlSchemaCheckAGPropsCorrect

Attribute groups must be marked as containing references also if an OOM
error occurred. Otherwise, references won't be resolved, leading to type
confusion in xmlSchemaCheckAGPropsCorrect later in the fixup phase.

I'm not sure why xmlSchemaFixupComponents is called at all if an error
occurred. This has lead to similar issues in the past. On the other
hand, continuing in the presence of errors helps when fuzzing.

See #344.
---
 xmlschemas.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/xmlschemas.c b/xmlschemas.c
index b3214f50..796e0edf 100644
--- a/xmlschemas.c
+++ b/xmlschemas.c
@@ -7715,6 +7715,7 @@ xmlSchemaParseAttributeGroupDefinition(xmlSchemaParserCtxtPtr pctxt,
     xmlNodePtr child = NULL;
     xmlAttrPtr attr;
     int hasRefs = 0;
+    int res;
 
     if ((pctxt == NULL) || (schema == NULL) || (node == NULL))
         return (NULL);
@@ -7769,12 +7770,13 @@ xmlSchemaParseAttributeGroupDefinition(xmlSchemaParserCtxtPtr pctxt,
     /*
     * Parse contained attribute decls/refs.
     */
-    if (xmlSchemaParseLocalAttributes(pctxt, schema, &child,
+    res = xmlSchemaParseLocalAttributes(pctxt, schema, &child,
 	(xmlSchemaItemListPtr *) &(ret->attrUses),
-	XML_SCHEMA_TYPE_ATTRIBUTEGROUP, &hasRefs) == -1)
-	return(NULL);
+	XML_SCHEMA_TYPE_ATTRIBUTEGROUP, &hasRefs);
     if (hasRefs)
 	ret->flags |= XML_SCHEMAS_ATTRGROUP_HAS_REFS;
+    if (res == -1)
+	return(NULL);
     /*
     * Parse the attribute wildcard.
     */