From 62048278a4c5fdf14d287dfb400005c0a0caa69f Mon Sep 17 00:00:00 2001
From: Michael Mann <mmann78@netscape.net>
Date: Sat, 21 Jun 2025 12:11:30 -0400
Subject: [PATCH] [CVE-2025-49795] schematron: Fix null pointer dereference
 leading to DoS

Fixes #932
---
 result/schematron/zvon16_0.err | 3 +++
 schematron.c                   | 5 +++++
 test/schematron/zvon16.sct     | 7 +++++++
 test/schematron/zvon16_0.xml   | 5 +++++
 4 files changed, 20 insertions(+)
 create mode 100644 result/schematron/zvon16_0.err
 create mode 100644 test/schematron/zvon16.sct
 create mode 100644 test/schematron/zvon16_0.xml

diff --git a/result/schematron/zvon16_0.err b/result/schematron/zvon16_0.err
new file mode 100644
index 0000000000..3d0524095e
--- /dev/null
+++ b/result/schematron/zvon16_0.err
@@ -0,0 +1,3 @@
+XPath error : Unregistered function
+./test/schematron/zvon16_0.xml:2: element book: schematron error : /library/book line 2: Book 
+./test/schematron/zvon16_0.xml fails to validate
diff --git a/schematron.c b/schematron.c
index 1de25deb97..da603402eb 100644
--- a/schematron.c
+++ b/schematron.c
@@ -1506,6 +1506,11 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
             select = xmlGetNoNsProp(child, BAD_CAST "select");
             comp = xmlXPathCtxtCompile(ctxt->xctxt, select);
             eval = xmlXPathCompiledEval(comp, ctxt->xctxt);
+            if (eval == NULL) {
+                xmlXPathFreeCompExpr(comp);
+                xmlFree(select);
+                return ret;
+            }
 
             switch (eval->type) {
             case XPATH_NODESET: {
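Review bot: The new `eval == NULL` guard is the only check in this sequence, so a NULL `select` (element without a `select` attribute) or a NULL `comp` (expression that fails to compile) is still passed to `xmlXPathCompiledEval` and only caught afterwards. That presumably works because the evaluator returns NULL for a NULL compiled expression, but the dereference in `switch (eval->type)` then depends on that behaviour not changing. An explicit `if (comp == NULL) { xmlFree(select); return ret; }` directly after the compile call would keep the failure path local. The early return also hands back the partially built report, which is why the expected output ends at "Book "; a comment such as `/* XPath evaluation failed: return the report text built so far */` would record that the truncation is intended. The body of xmlSchematronFormatReport starts and ends outside this hunk.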
diff --git a/test/schematron/zvon16.sct b/test/schematron/zvon16.sct
new file mode 100644
index 0000000000..f03848aae6
--- /dev/null
+++ b/test/schematron/zvon16.sct
@@ -0,0 +1,7 @@
+<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
+	<sch:pattern id="TestPattern">
+		<sch:rule context="book">
+			<sch:report test="not(@available)">Book <sch:value-of select="falae()"/> test</sch:report>
+		</sch:rule>
+	</sch:pattern>
+</sch:schema>
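Review bot: This fixture covers only the case where the `select` expression compiles and then fails at evaluation time (the unregistered function `falae()`). A `sch:value-of` with no `select` attribute, or with an expression that does not compile, would presumably reach the new guard in schematron.c through a NULL compiled expression instead, and nothing here pins that path. A second `sch:report` with such a `sch:value-of`, plus its expected `.err` output, would keep both routes to the NULL check under regression, assuming the schema parser does not already reject that input earlier.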
diff --git a/test/schematron/zvon16_0.xml b/test/schematron/zvon16_0.xml
new file mode 100644
index 0000000000..551e2d6543
--- /dev/null
+++ b/test/schematron/zvon16_0.xml
@@ -0,0 +1,5 @@
+<library>
+	<book title="Test Book" id="bk101">
+		<author>Test Author</author>
+	</book>
+</library>
