From 529f65b0782efbe1137b2504aa1f06504a97dd0a Mon Sep 17 00:00:00 2001
From: Michael Mann <mmann78@netscape.net>
Date: Sat, 21 Jun 2025 12:51:24 -0400
Subject: [PATCH] Schematron: Fix use after free

(CVE-2025-49794)

Fixes #931
---
 schematron.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

Index: libxml2-2.11.6/schematron.c
===================================================================
--- libxml2-2.11.6.orig/schematron.c
+++ libxml2-2.11.6/schematron.c
@@ -1404,8 +1404,11 @@ xmlSchematronGetNode(xmlSchematronValidC
         return(NULL);
 
     if ((ret->type == XPATH_NODESET) &&
-        (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0))
+        (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0)) {
         node = ret->nodesetval->nodeTab[0];
+        /* Clear the nodeTab so the node data isn't freed below */
+        ret->nodesetval->nodeTab[0] = NULL;
+    }
 
     xmlXPathFreeObject(ret);
     return(node);
@@ -1473,6 +1476,10 @@ xmlSchematronFormatReport(xmlSchematronV
                 ret = xmlStrcat(ret, BAD_CAST ":");
                 ret = xmlStrcat(ret, node->name);
             }
+
+            if ((path != NULL) && (node != cur))
+                xmlXPathNodeSetFreeNs((xmlNsPtr)node);
+
         } else if (IS_SCHEMATRON(child, "value-of")) {
             xmlChar *select;
             xmlXPathObjectPtr eval;