File libxml2-CVE-2025-7425.patch of Package libxml2.42407
From b7d2ad6e1b376c10edffcb0973485c861dc89559 Mon Sep 17 00:00:00 2001
From: David Kilzer <ddkilzer@apple.com>
Date: Mon, 23 Jun 2025 14:41:56 -0700
Subject: [PATCH] libxslt: heap-use-after-free in xmlFreeID caused by `atype`
corruption
* include/libxml/tree.h:
(XML_ATTR_CLEAR_ATYPE): Add.
(XML_ATTR_GET_ATYPE): Add.
(XML_ATTR_SET_ATYPE): Add.
(XML_NODE_ADD_EXTRA): Add.
(XML_NODE_CLEAR_EXTRA): Add.
(XML_NODE_GET_EXTRA): Add.
(XML_NODE_SET_EXTRA): Add.
(XML_DOC_ADD_PROPERTIES): Add.
(XML_DOC_CLEAR_PROPERTIES): Add.
(XML_DOC_GET_PROPERTIES): Add.
(XML_DOC_SET_PROPERTIES): Add.
- Add macros for accessing fields with upper bits that may be set by
libxslt.
* HTMLparser.c:
(htmlNewDocNoDtD):
* SAX2.c:
(xmlSAX2StartDocument):
(xmlSAX2EndDocument):
* parser.c:
(xmlParseEntityDecl):
(xmlParseExternalSubset):
(xmlParseReference):
(xmlCtxtParseDtd):
* runxmlconf.c:
(xmlconfTestInvalid):
(xmlconfTestValid):
* tree.c:
(xmlNewDoc):
(xmlFreeProp):
(xmlNodeSetDoc):
(xmlSetNsProp):
(xmlDOMWrapAdoptBranch):
* valid.c:
(xmlFreeID):
(xmlAddIDInternal):
(xmlValidateAttributeValueInternal):
(xmlValidateOneAttribute):
(xmlValidateRef):
* xmlreader.c:
(xmlTextReaderStartElement):
(xmlTextReaderStartElementNs):
(xmlTextReaderValidateEntity):
(xmlTextReaderRead):
(xmlTextReaderNext):
(xmlTextReaderIsEmptyElement):
(xmlTextReaderPreserve):
* xmlschemas.c:
(xmlSchemaPValAttrNodeID):
* xmlschemastypes.c:
(xmlSchemaValAtomicType):
- Adopt macros by renaming the struct fields, recompiling and fixing
compiler failures, then changing the struct field names back.
---
HTMLparser.c | 2 +-
SAX2.c | 14 +++++++-------
include/libxml/tree.h | 14 +++++++++++++-
parser.c | 10 +++++-----
runxmlconf.c | 4 ++--
tree.c | 14 +++++++-------
valid.c | 14 +++++++-------
xmlreader.c | 30 +++++++++++++++---------------
xmlschemas.c | 2 +-
xmlschemastypes.c | 10 +++++-----
10 files changed, 63 insertions(+), 51 deletions(-)
Index: libxml2-2.9.4/HTMLparser.c
===================================================================
--- libxml2-2.9.4.orig/HTMLparser.c
+++ libxml2-2.9.4/HTMLparser.c
@@ -2335,7 +2335,7 @@ htmlNewDocNoDtD(const xmlChar *URI, cons
cur->refs = NULL;
cur->_private = NULL;
cur->charset = XML_CHAR_ENCODING_UTF8;
- cur->properties = XML_DOC_HTML | XML_DOC_USERBUILT;
+ XML_DOC_SET_PROPERTIES(cur, XML_DOC_HTML | XML_DOC_USERBUILT);
if ((ExternalID != NULL) ||
(URI != NULL))
xmlCreateIntSubset(cur, BAD_CAST "html", ExternalID, URI);
Index: libxml2-2.9.4/SAX2.c
===================================================================
--- libxml2-2.9.4.orig/SAX2.c
+++ libxml2-2.9.4/SAX2.c
@@ -998,7 +998,7 @@ xmlSAX2StartDocument(void *ctx)
xmlSAX2ErrMemory(ctxt, "xmlSAX2StartDocument");
return;
}
- ctxt->myDoc->properties = XML_DOC_HTML;
+ XML_DOC_SET_PROPERTIES(ctxt->myDoc, XML_DOC_HTML);
ctxt->myDoc->parseFlags = ctxt->options;
#else
xmlGenericError(xmlGenericErrorContext,
@@ -1011,9 +1011,9 @@ xmlSAX2StartDocument(void *ctx)
} else {
doc = ctxt->myDoc = xmlNewDoc(ctxt->version);
if (doc != NULL) {
- doc->properties = 0;
+ XML_DOC_CLEAR_PROPERTIES(doc);
if (ctxt->options & XML_PARSE_OLD10)
- doc->properties |= XML_DOC_OLD10;
+ XML_DOC_ADD_PROPERTIES(doc, XML_DOC_OLD10);
doc->parseFlags = ctxt->options;
if (ctxt->encoding != NULL)
doc->encoding = xmlStrdup(ctxt->encoding);
Index: libxml2-2.9.4/include/libxml/tree.h
===================================================================
--- libxml2-2.9.4.orig/include/libxml/tree.h
+++ libxml2-2.9.4/include/libxml/tree.h
@@ -365,7 +365,6 @@ struct _xmlElement {
#endif
};
-
/**
* XML_LOCAL_NAMESPACE:
*
@@ -452,6 +451,10 @@ struct _xmlAttr {
* An XML ID instance.
*/
+#define XML_ATTR_CLEAR_ATYPE(attr) (((attr)->atype) = 0)
+#define XML_ATTR_GET_ATYPE(attr) (((attr)->atype) & ~(15U << 27))
+#define XML_ATTR_SET_ATYPE(attr, type) ((attr)->atype = ((((attr)->atype) & (15U << 27)) | ((type) & ~(15U << 27))))
+
typedef struct _xmlID xmlID;
typedef xmlID *xmlIDPtr;
struct _xmlID {
@@ -541,6 +544,11 @@ typedef enum {
XML_DOC_HTML = 1<<7 /* parsed or built HTML document */
} xmlDocProperties;
+#define XML_NODE_ADD_EXTRA(node, type) ((node)->extra |= ((type) & ~(15U << 12)))
+#define XML_NODE_CLEAR_EXTRA(node) (((node)->extra) = 0)
+#define XML_NODE_GET_EXTRA(node) (((node)->extra) & ~(15U << 12))
+#define XML_NODE_SET_EXTRA(node, type) ((node)->extra = ((((node)->extra) & (15U << 12)) | ((type) & ~(15U << 12))))
+
/**
* xmlDoc:
*
@@ -585,6 +593,10 @@ struct _xmlDoc {
set at the end of parsing */
};
+#define XML_DOC_ADD_PROPERTIES(doc, type) ((doc)->properties |= ((type) & ~(15U << 27)))
+#define XML_DOC_CLEAR_PROPERTIES(doc) (((doc)->properties) = 0)
+#define XML_DOC_GET_PROPERTIES(doc) (((doc)->properties) & ~(15U << 27))
+#define XML_DOC_SET_PROPERTIES(doc, type) ((doc)->properties = ((((doc)->properties) & (15U << 27)) | ((type) & ~(15U << 27))))
typedef struct _xmlDOMWrapCtxt xmlDOMWrapCtxt;
typedef xmlDOMWrapCtxt *xmlDOMWrapCtxtPtr;
Index: libxml2-2.9.4/parser.c
===================================================================
--- libxml2-2.9.4.orig/parser.c
+++ libxml2-2.9.4/parser.c
@@ -5669,7 +5669,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt
xmlErrMemory(ctxt, "New Doc failed");
return;
}
- ctxt->myDoc->properties = XML_DOC_INTERNAL;
+ XML_DOC_SET_PROPERTIES(ctxt->myDoc, XML_DOC_INTERNAL);
}
if (ctxt->myDoc->intSubset == NULL)
ctxt->myDoc->intSubset = xmlNewDtd(ctxt->myDoc,
@@ -5742,7 +5742,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt
xmlErrMemory(ctxt, "New Doc failed");
return;
}
- ctxt->myDoc->properties = XML_DOC_INTERNAL;
+ XML_DOC_SET_PROPERTIES(ctxt->myDoc, XML_DOC_INTERNAL);
}
if (ctxt->myDoc->intSubset == NULL)
@@ -7230,7 +7230,7 @@ xmlParseExternalSubset(xmlParserCtxtPtr
xmlErrMemory(ctxt, "New Doc failed");
return;
}
- ctxt->myDoc->properties = XML_DOC_INTERNAL;
+ XML_DOC_SET_PROPERTIES(ctxt->myDoc, XML_DOC_INTERNAL);
}
if ((ctxt->myDoc != NULL) && (ctxt->myDoc->intSubset == NULL))
xmlCreateIntSubset(ctxt->myDoc, NULL, ExternalID, SystemID);
@@ -12981,7 +12981,7 @@ xmlIOParseDTD(xmlSAXHandlerPtr sax, xmlP
xmlErrMemory(ctxt, "New Doc failed");
return(NULL);
}
- ctxt->myDoc->properties = XML_DOC_INTERNAL;
+ XML_DOC_SET_PROPERTIES(ctxt->myDoc, XML_DOC_INTERNAL);
ctxt->myDoc->extSubset = xmlNewDtd(ctxt->myDoc, BAD_CAST "none",
BAD_CAST "none", BAD_CAST "none");
Index: libxml2-2.9.4/runxmlconf.c
===================================================================
--- libxml2-2.9.4.orig/runxmlconf.c
+++ libxml2-2.9.4/runxmlconf.c
@@ -197,7 +197,7 @@ xmlconfTestInvalid(const char *id, const
id, filename);
} else {
/* invalidity should be reported both in the context and in the document */
- if ((ctxt->valid != 0) || (doc->properties & XML_DOC_DTDVALID)) {
+ if ((ctxt->valid != 0) || (XML_DOC_GET_PROPERTIES(doc) & XML_DOC_DTDVALID)) {
test_log("test %s : %s failed to detect invalid document\n",
id, filename);
nb_errors++;
@@ -229,7 +229,7 @@ xmlconfTestValid(const char *id, const c
ret = 0;
} else {
/* validity should be reported both in the context and in the document */
- if ((ctxt->valid == 0) || ((doc->properties & XML_DOC_DTDVALID) == 0)) {
+ if ((ctxt->valid == 0) || ((XML_DOC_GET_PROPERTIES(doc) & XML_DOC_DTDVALID) == 0)) {
test_log("test %s : %s failed to validate a valid document\n",
id, filename);
nb_errors++;
Index: libxml2-2.9.4/tree.c
===================================================================
--- libxml2-2.9.4.orig/tree.c
+++ libxml2-2.9.4/tree.c
@@ -1183,7 +1183,7 @@ xmlNewDoc(const xmlChar *version) {
cur->compression = -1; /* not initialized */
cur->doc = cur;
cur->parseFlags = 0;
- cur->properties = XML_DOC_USERBUILT;
+ XML_DOC_SET_PROPERTIES(cur, XML_DOC_USERBUILT);
/*
* The in memory encoding is always UTF8
* This field will never change and would
@@ -2084,7 +2084,7 @@ xmlFreeProp(xmlAttrPtr cur) {
xmlDeregisterNodeDefaultValue((xmlNodePtr)cur);
/* Check for ID removal -> leading to invalid references ! */
- if ((cur->doc != NULL) && (cur->atype == XML_ATTRIBUTE_ID)) {
+ if ((cur->doc != NULL) && (XML_ATTR_GET_ATYPE(cur) == XML_ATTRIBUTE_ID)) {
xmlRemoveID(cur->doc, cur);
}
if (cur->children != NULL) xmlFreeNodeList(cur->children);
@@ -6880,9 +6880,9 @@ xmlSetNsProp(xmlNodePtr node, xmlNsPtr n
/*
* Modify the attribute's value.
*/
- if (prop->atype == XML_ATTRIBUTE_ID) {
+ if (XML_ATTR_GET_ATYPE(prop) == XML_ATTRIBUTE_ID) {
xmlRemoveID(node->doc, prop);
- prop->atype = XML_ATTRIBUTE_ID;
+ XML_ATTR_SET_ATYPE(prop, XML_ATTRIBUTE_ID);
}
if (prop->children != NULL)
xmlFreeNodeList(prop->children);
@@ -6908,7 +6908,7 @@ xmlSetNsProp(xmlNodePtr node, xmlNsPtr n
tmp = tmp->next;
}
}
- if (prop->atype == XML_ATTRIBUTE_ID)
+ if (XML_ATTR_GET_ATYPE(prop) == XML_ATTRIBUTE_ID)
xmlAddID(NULL, node->doc, value, prop);
return(prop);
}
@@ -9180,7 +9180,7 @@ ns_end:
if (cur->type == XML_ELEMENT_NODE) {
cur->psvi = NULL;
cur->line = 0;
- cur->extra = 0;
+ XML_NODE_CLEAR_EXTRA(cur);
/*
* Walk attributes.
*/
Index: libxml2-2.9.4/valid.c
===================================================================
--- libxml2-2.9.4.orig/valid.c
+++ libxml2-2.9.4/valid.c
@@ -3465,7 +3465,7 @@ xmlIsMixedElement(xmlDocPtr doc, const x
static int
xmlIsDocNameStartChar(xmlDocPtr doc, int c) {
- if ((doc == NULL) || (doc->properties & XML_DOC_OLD10) == 0) {
+ if ((doc == NULL) || (XML_DOC_GET_PROPERTIES(doc) & XML_DOC_OLD10) == 0) {
/*
* Use the new checks of production [4] [4a] amd [5] of the
* Update 5 of XML-1.0
@@ -3495,7 +3495,7 @@ xmlIsDocNameStartChar(xmlDocPtr doc, int
static int
xmlIsDocNameChar(xmlDocPtr doc, int c) {
- if ((doc == NULL) || (doc->properties & XML_DOC_OLD10) == 0) {
+ if ((doc == NULL) || (XML_DOC_GET_PROPERTIES(doc) & XML_DOC_OLD10) == 0) {
/*
* Use the new checks of production [4] [4a] amd [5] of the
* Update 5 of XML-1.0
@@ -4432,7 +4432,7 @@ xmlValidateOneAttribute(xmlValidCtxtPtr
attr->name, elem->name, NULL);
return(0);
}
- attr->atype = attrDecl->atype;
+ XML_ATTR_SET_ATYPE(attr, attrDecl->atype);
val = xmlValidateAttributeValueInternal(doc, attrDecl->atype, value);
if (val == 0) {
@@ -6504,7 +6504,7 @@ xmlValidateRef(xmlRefPtr ref, xmlValidCt
while (IS_BLANK_CH(*cur)) cur++;
}
xmlFree(dup);
- } else if (attr->atype == XML_ATTRIBUTE_IDREF) {
+ } else if (XML_ATTR_GET_ATYPE(attr) == XML_ATTRIBUTE_IDREF) {
id = xmlGetID(ctxt->doc, name);
if (id == NULL) {
xmlErrValidNode(ctxt, attr->parent, XML_DTD_UNKNOWN_ID,
@@ -6512,7 +6512,7 @@ xmlValidateRef(xmlRefPtr ref, xmlValidCt
attr->name, name, NULL);
ctxt->valid = 0;
}
- } else if (attr->atype == XML_ATTRIBUTE_IDREFS) {
+ } else if (XML_ATTR_GET_ATYPE(attr) == XML_ATTRIBUTE_IDREFS) {
xmlChar *dup, *str = NULL, *cur, save;
dup = xmlStrdup(name);
Index: libxml2-2.9.4/xmlreader.c
===================================================================
--- libxml2-2.9.4.orig/xmlreader.c
+++ libxml2-2.9.4/xmlreader.c
@@ -669,7 +669,7 @@ xmlTextReaderStartElement(void *ctx, con
if ((ctxt->node != NULL) && (ctxt->input != NULL) &&
(ctxt->input->cur != NULL) && (ctxt->input->cur[0] == '/') &&
(ctxt->input->cur[1] == '>'))
- ctxt->node->extra = NODE_IS_EMPTY;
+ XML_NODE_SET_EXTRA(ctxt->node, NODE_IS_EMPTY);
}
if (reader != NULL)
reader->state = XML_TEXTREADER_ELEMENT;
@@ -734,7 +734,7 @@ xmlTextReaderStartElementNs(void *ctx,
if ((ctxt->node != NULL) && (ctxt->input != NULL) &&
(ctxt->input->cur != NULL) && (ctxt->input->cur[0] == '/') &&
(ctxt->input->cur[1] == '>'))
- ctxt->node->extra = NODE_IS_EMPTY;
+ XML_NODE_SET_EXTRA(ctxt->node, NODE_IS_EMPTY);
}
if (reader != NULL)
reader->state = XML_TEXTREADER_ELEMENT;
@@ -1143,7 +1143,7 @@ xmlTextReaderValidateEntity(xmlTextReade
xmlNodePtr tmp;
if (reader->entNr == 0) {
while ((tmp = node->last) != NULL) {
- if ((tmp->extra & NODE_IS_PRESERVED) == 0) {
+ if ((XML_NODE_GET_EXTRA(tmp) & NODE_IS_PRESERVED) == 0) {
xmlUnlinkNode(tmp);
xmlTextReaderFreeNode(reader, tmp);
} else
@@ -1394,7 +1394,7 @@ get_next_node:
if ((oldstate == XML_TEXTREADER_ELEMENT) &&
(reader->node->type == XML_ELEMENT_NODE) &&
(reader->node->children == NULL) &&
- ((reader->node->extra & NODE_IS_EMPTY) == 0)
+ ((XML_NODE_GET_EXTRA(reader->node) & NODE_IS_EMPTY) == 0)
#ifdef LIBXML_XINCLUDE_ENABLED
&& (reader->in_xinclude <= 0)
#endif
@@ -1408,7 +1408,7 @@ get_next_node:
xmlTextReaderValidatePop(reader);
#endif /* LIBXML_REGEXP_ENABLED */
if ((reader->preserves > 0) &&
- (reader->node->extra & NODE_IS_SPRESERVED))
+ (XML_NODE_GET_EXTRA(reader->node) & NODE_IS_SPRESERVED))
reader->preserves--;
reader->node = reader->node->next;
reader->state = XML_TEXTREADER_ELEMENT;
@@ -1424,7 +1424,7 @@ get_next_node:
(reader->node->prev != NULL) &&
(reader->node->prev->type != XML_DTD_NODE)) {
xmlNodePtr tmp = reader->node->prev;
- if ((tmp->extra & NODE_IS_PRESERVED) == 0) {
+ if ((XML_NODE_GET_EXTRA(tmp) & NODE_IS_PRESERVED) == 0) {
xmlUnlinkNode(tmp);
xmlTextReaderFreeNode(reader, tmp);
}
@@ -1435,7 +1435,7 @@ get_next_node:
if ((oldstate == XML_TEXTREADER_ELEMENT) &&
(reader->node->type == XML_ELEMENT_NODE) &&
(reader->node->children == NULL) &&
- ((reader->node->extra & NODE_IS_EMPTY) == 0)) {;
+ ((XML_NODE_GET_EXTRA(reader->node) & NODE_IS_EMPTY) == 0)) {;
reader->state = XML_TEXTREADER_END;
goto node_found;
}
@@ -1444,7 +1444,7 @@ get_next_node:
xmlTextReaderValidatePop(reader);
#endif /* LIBXML_REGEXP_ENABLED */
if ((reader->preserves > 0) &&
- (reader->node->extra & NODE_IS_SPRESERVED))
+ (XML_NODE_GET_EXTRA(reader->node) & NODE_IS_SPRESERVED))
reader->preserves--;
reader->node = reader->node->parent;
if ((reader->node == NULL) ||
@@ -1471,7 +1471,7 @@ get_next_node:
#endif
(reader->entNr == 0) &&
(oldnode->type != XML_DTD_NODE) &&
- ((oldnode->extra & NODE_IS_PRESERVED) == 0)) {
+ ((XML_NODE_GET_EXTRA(oldnode) & NODE_IS_PRESERVED) == 0)) {
xmlUnlinkNode(oldnode);
xmlTextReaderFreeNode(reader, oldnode);
}
@@ -1484,7 +1484,7 @@ get_next_node:
#endif
(reader->entNr == 0) &&
(reader->node->last != NULL) &&
- ((reader->node->last->extra & NODE_IS_PRESERVED) == 0)) {
+ ((XML_NODE_GET_EXTRA(reader->node->last) & NODE_IS_PRESERVED) == 0)) {
xmlNodePtr tmp = reader->node->last;
xmlUnlinkNode(tmp);
xmlTextReaderFreeNode(reader, tmp);
@@ -1675,7 +1675,7 @@ xmlTextReaderNext(xmlTextReaderPtr reade
return(xmlTextReaderRead(reader));
if (reader->state == XML_TEXTREADER_END || reader->state == XML_TEXTREADER_BACKTRACK)
return(xmlTextReaderRead(reader));
- if (cur->extra & NODE_IS_EMPTY)
+ if (XML_NODE_GET_EXTRA(cur) & NODE_IS_EMPTY)
return(xmlTextReaderRead(reader));
do {
ret = xmlTextReaderRead(reader);
@@ -3094,7 +3094,7 @@ xmlTextReaderIsEmptyElement(xmlTextReade
if (reader->in_xinclude > 0)
return(1);
#endif
- return((reader->node->extra & NODE_IS_EMPTY) != 0);
+ return((XML_NODE_GET_EXTRA(reader->node) & NODE_IS_EMPTY) != 0);
}
/**
@@ -3958,15 +3958,15 @@ xmlTextReaderPreserve(xmlTextReaderPtr r
return(NULL);
if ((cur->type != XML_DOCUMENT_NODE) && (cur->type != XML_DTD_NODE)) {
- cur->extra |= NODE_IS_PRESERVED;
- cur->extra |= NODE_IS_SPRESERVED;
+ XML_NODE_ADD_EXTRA(cur, NODE_IS_PRESERVED);
+ XML_NODE_ADD_EXTRA(cur, NODE_IS_SPRESERVED);
}
reader->preserves++;
parent = cur->parent;;
while (parent != NULL) {
if (parent->type == XML_ELEMENT_NODE)
- parent->extra |= NODE_IS_PRESERVED;
+ XML_NODE_ADD_EXTRA(parent, NODE_IS_PRESERVED);
parent = parent->parent;
}
return(cur);
Index: libxml2-2.9.4/xmlschemastypes.c
===================================================================
--- libxml2-2.9.4.orig/xmlschemastypes.c
+++ libxml2-2.9.4/xmlschemastypes.c
@@ -2755,7 +2755,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr
/*
* NOTE: the IDness might have already be declared in the DTD
*/
- if (attr->atype != XML_ATTRIBUTE_ID) {
+ if (XML_ATTR_GET_ATYPE(attr) != XML_ATTRIBUTE_ID) {
xmlIDPtr res;
xmlChar *strip;
@@ -2793,7 +2793,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr
xmlFree(strip);
} else
xmlAddRef(NULL, node->doc, value, attr);
- attr->atype = XML_ATTRIBUTE_IDREF;
+ XML_ATTR_SET_ATYPE(attr, XML_ATTRIBUTE_IDREF);
}
goto done;
case XML_SCHEMAS_IDREFS:
@@ -2807,7 +2807,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr
(node->type == XML_ATTRIBUTE_NODE)) {
xmlAttrPtr attr = (xmlAttrPtr) node;
- attr->atype = XML_ATTRIBUTE_IDREFS;
+ XML_ATTR_SET_ATYPE(attr, XML_ATTRIBUTE_IDREFS);
}
goto done;
case XML_SCHEMAS_ENTITY:{
@@ -2838,7 +2838,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr
(node->type == XML_ATTRIBUTE_NODE)) {
xmlAttrPtr attr = (xmlAttrPtr) node;
- attr->atype = XML_ATTRIBUTE_ENTITY;
+ XML_ATTR_SET_ATYPE(attr, XML_ATTRIBUTE_ENTITY);
}
goto done;
}
@@ -2855,7 +2855,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr
(node->type == XML_ATTRIBUTE_NODE)) {
xmlAttrPtr attr = (xmlAttrPtr) node;
- attr->atype = XML_ATTRIBUTE_ENTITIES;
+ XML_ATTR_SET_ATYPE(attr, XML_ATTRIBUTE_ENTITIES);
}
goto done;
case XML_SCHEMAS_NOTATION:{
Index: libxml2-2.9.4/xmlschemas.c
===================================================================
--- libxml2-2.9.4.orig/xmlschemas.c
+++ libxml2-2.9.4/xmlschemas.c
@@ -6005,7 +6005,7 @@ xmlSchemaPValAttrNodeID(xmlSchemaParserC
/*
* NOTE: the IDness might have already be declared in the DTD
*/
- if (attr->atype != XML_ATTRIBUTE_ID) {
+ if (XML_ATTR_GET_ATYPE(attr) != XML_ATTRIBUTE_ID) {
xmlIDPtr res;
xmlChar *strip;
