nokogiri 1.16.7 → 1.18.9

data/patches/libxml2/0019-xpath-Use-separate-static-hash-table-for-standard-fu.patch

@@ -0,0 +1,244 @@
+From d3e3526111097560cf7c002613e2cb1d469b59e0 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 21 Dec 2024 16:03:46 +0100
+Subject: [PATCH] xpath: Use separate static hash table for standard functions
+
+This avoids registering standard functions when creating an XPath
+context.
+
+Lookup of extension functions is a bit slower now, but ultimately, all
+function lookups should be moved to the compilation phase.
+
+(cherry picked from commit bf5fcf6e646bb51a0f6a3655a1d64bea97274867)
+---
+ xpath.c | 170 ++++++++++++++++++++++++++++++++------------------------
+ 1 file changed, 98 insertions(+), 72 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 485d7747..21711653 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -136,11 +136,48 @@
+ 
+ #if defined(LIBXML_XPATH_ENABLED) || defined(LIBXML_SCHEMAS_ENABLED)
+ 
+-/************************************************************************
+- *									*
+- *			Floating point stuff				*
+- *									*
+- ************************************************************************/
++static void
++xmlXPathNameFunction(xmlXPathParserContextPtr ctxt, int nargs);
++
++static const struct {
++    const char *name;
++    xmlXPathFunction func;
++} xmlXPathStandardFunctions[] = {
++    { "boolean", xmlXPathBooleanFunction },
++    { "ceiling", xmlXPathCeilingFunction },
++    { "count", xmlXPathCountFunction },
++    { "concat", xmlXPathConcatFunction },
++    { "contains", xmlXPathContainsFunction },
++    { "id", xmlXPathIdFunction },
++    { "false", xmlXPathFalseFunction },
++    { "floor", xmlXPathFloorFunction },
++    { "last", xmlXPathLastFunction },
++    { "lang", xmlXPathLangFunction },
++    { "local-name", xmlXPathLocalNameFunction },
++    { "not", xmlXPathNotFunction },
++    { "name", xmlXPathNameFunction },
++    { "namespace-uri", xmlXPathNamespaceURIFunction },
++    { "normalize-space", xmlXPathNormalizeFunction },
++    { "number", xmlXPathNumberFunction },
++    { "position", xmlXPathPositionFunction },
++    { "round", xmlXPathRoundFunction },
++    { "string", xmlXPathStringFunction },
++    { "string-length", xmlXPathStringLengthFunction },
++    { "starts-with", xmlXPathStartsWithFunction },
++    { "substring", xmlXPathSubstringFunction },
++    { "substring-before", xmlXPathSubstringBeforeFunction },
++    { "substring-after", xmlXPathSubstringAfterFunction },
++    { "sum", xmlXPathSumFunction },
++    { "true", xmlXPathTrueFunction },
++    { "translate", xmlXPathTranslateFunction }
++};
++
++#define NUM_STANDARD_FUNCTIONS \
++    (sizeof(xmlXPathStandardFunctions) / sizeof(xmlXPathStandardFunctions[0]))
++
++#define SF_HASH_SIZE 64
++
++static unsigned char xmlXPathSFHash[SF_HASH_SIZE];
+ 
+ double xmlXPathNAN = 0.0;
+ double xmlXPathPINF = 0.0;
+@@ -156,6 +193,18 @@ xmlXPathInit(void) {
+     xmlInitParser();
+ }
+ 
++ATTRIBUTE_NO_SANITIZE_INTEGER
++static unsigned
++xmlXPathSFComputeHash(const xmlChar *name) {
++    unsigned hashValue = 5381;
++    const xmlChar *ptr;
++
++    for (ptr = name; *ptr; ptr++)
++        hashValue = hashValue * 33 + *ptr;
++
++    return(hashValue);
++}
++
+ /**
+  * xmlInitXPathInternal:
+  *
+@@ -164,6 +213,8 @@ xmlXPathInit(void) {
+ ATTRIBUTE_NO_SANITIZE("float-divide-by-zero")
+ void
+ xmlInitXPathInternal(void) {
++    size_t i;
++
+ #if defined(NAN) && defined(INFINITY)
+     xmlXPathNAN = NAN;
+     xmlXPathPINF = INFINITY;
+@@ -175,8 +226,34 @@ xmlInitXPathInternal(void) {
+     xmlXPathPINF = 1.0 / zero;
+     xmlXPathNINF = -xmlXPathPINF;
+ #endif
++
++    /*
++     * Initialize hash table for standard functions
++     */
++
++    for (i = 0; i < SF_HASH_SIZE; i++)
++        xmlXPathSFHash[i] = UCHAR_MAX;
++
++    for (i = 0; i < NUM_STANDARD_FUNCTIONS; i++) {
++        const char *name = xmlXPathStandardFunctions[i].name;
++        int bucketIndex = xmlXPathSFComputeHash(BAD_CAST name) % SF_HASH_SIZE;
++
++        while (xmlXPathSFHash[bucketIndex] != UCHAR_MAX) {
++            bucketIndex += 1;
++            if (bucketIndex >= SF_HASH_SIZE)
++                bucketIndex = 0;
++        }
++
++        xmlXPathSFHash[bucketIndex] = i;
++    }
+ }
+ 
++/************************************************************************
++ *									*
++ *			Floating point stuff				*
++ *									*
++ ************************************************************************/
++
+ /**
+  * xmlXPathIsNaN:
+  * @val:  a double value
+@@ -3979,18 +4056,6 @@ xmlXPathRegisterFuncLookup (xmlXPathContextPtr ctxt,
+  */
+ xmlXPathFunction
+ xmlXPathFunctionLookup(xmlXPathContextPtr ctxt, const xmlChar *name) {
+-    if (ctxt == NULL)
+-	return (NULL);
+-
+-    if (ctxt->funcLookupFunc != NULL) {
+-	xmlXPathFunction ret;
+-	xmlXPathFuncLookupFunc f;
+-
+-	f = ctxt->funcLookupFunc;
+-	ret = f(ctxt->funcLookupData, name, NULL);
+-	if (ret != NULL)
+-	    return(ret);
+-    }
+     return(xmlXPathFunctionLookupNS(ctxt, name, NULL));
+ }
+ 
+@@ -4015,6 +4080,22 @@ xmlXPathFunctionLookupNS(xmlXPathContextPtr ctxt, const xmlChar *name,
+     if (name == NULL)
+ 	return(NULL);
+ 
++    if (ns_uri == NULL) {
++        int bucketIndex = xmlXPathSFComputeHash(name) % SF_HASH_SIZE;
++
++        while (xmlXPathSFHash[bucketIndex] != UCHAR_MAX) {
++            int funcIndex = xmlXPathSFHash[bucketIndex];
++
++            if (strcmp(xmlXPathStandardFunctions[funcIndex].name,
++                       (char *) name) == 0)
++                return(xmlXPathStandardFunctions[funcIndex].func);
++
++            bucketIndex += 1;
++            if (bucketIndex >= SF_HASH_SIZE)
++                bucketIndex = 0;
++        }
++    }
++
+     if (ctxt->funcLookupFunc != NULL) {
+ 	xmlXPathFuncLookupFunc f;
+ 
+@@ -13494,61 +13575,6 @@ xmlXPathEscapeUriFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+ void
+ xmlXPathRegisterAllFunctions(xmlXPathContextPtr ctxt)
+ {
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"boolean",
+-                         xmlXPathBooleanFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"ceiling",
+-                         xmlXPathCeilingFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"count",
+-                         xmlXPathCountFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"concat",
+-                         xmlXPathConcatFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"contains",
+-                         xmlXPathContainsFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"id",
+-                         xmlXPathIdFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"false",
+-                         xmlXPathFalseFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"floor",
+-                         xmlXPathFloorFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"last",
+-                         xmlXPathLastFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"lang",
+-                         xmlXPathLangFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"local-name",
+-                         xmlXPathLocalNameFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"not",
+-                         xmlXPathNotFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"name",
+-                         xmlXPathNameFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"namespace-uri",
+-                         xmlXPathNamespaceURIFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"normalize-space",
+-                         xmlXPathNormalizeFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"number",
+-                         xmlXPathNumberFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"position",
+-                         xmlXPathPositionFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"round",
+-                         xmlXPathRoundFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"string",
+-                         xmlXPathStringFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"string-length",
+-                         xmlXPathStringLengthFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"starts-with",
+-                         xmlXPathStartsWithFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"substring",
+-                         xmlXPathSubstringFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"substring-before",
+-                         xmlXPathSubstringBeforeFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"substring-after",
+-                         xmlXPathSubstringAfterFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"sum",
+-                         xmlXPathSumFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"true",
+-                         xmlXPathTrueFunction);
+-    xmlXPathRegisterFunc(ctxt, (const xmlChar *)"translate",
+-                         xmlXPathTranslateFunction);
+-
+     xmlXPathRegisterFuncNS(ctxt, (const xmlChar *)"escape-uri",
+ 	 (const xmlChar *)"http://www.w3.org/2002/08/xquery-functions",
+                          xmlXPathEscapeUriFunction);
+-- 
+2.47.1
+

data/patches/libxml2/0020-CVE-2025-6021-tree-Fix-integer-overflow-in-xmlBuildQ.patch

@@ -0,0 +1,54 @@
+From 17d950ae33c23f87692aa179bacedb6743f3188a Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 27 May 2025 12:53:17 +0200
+Subject: [PATCH 5/9] [CVE-2025-6021] tree: Fix integer overflow in
+ xmlBuildQName
+
+Fixes #926.
+---
+ tree.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index f097cf87..5bc95b8a 100644
+--- a/tree.c
++++ b/tree.c
+@@ -47,6 +47,10 @@
+ #include "private/error.h"
+ #include "private/tree.h"
+ 
++#ifndef SIZE_MAX
++  #define SIZE_MAX ((size_t)-1)
++#endif
++
+ int __xmlRegisterCallbacks = 0;
+ 
+ /************************************************************************
+@@ -167,10 +171,10 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
+ xmlChar *
+ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+ 	      xmlChar *memory, int len) {
+-    int lenn, lenp;
++    size_t lenn, lenp;
+     xmlChar *ret;
+ 
+-    if (ncname == NULL) return(NULL);
++    if ((ncname == NULL) || (len < 0)) return(NULL);
+     if (prefix == NULL) return((xmlChar *) ncname);
+ 
+ #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+@@ -181,8 +185,10 @@ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+ 
+     lenn = strlen((char *) ncname);
+     lenp = strlen((char *) prefix);
++    if (lenn >= SIZE_MAX - lenp - 1)
++        return(NULL);
+ 
+-    if ((memory == NULL) || (len < lenn + lenp + 2)) {
++    if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
+ 	ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2);
+ 	if (ret == NULL)
+ 	    return(NULL);
+-- 
+2.50.1
+

data/patches/libxml2/0021-CVE-2025-6170-Fix-potential-buffer-overflows-of-inte.patch

@@ -0,0 +1,102 @@
+From 5e9ec5c107d3f5b5179c3dbc19df43df041cd55b Mon Sep 17 00:00:00 2001
+From: Michael Mann <mmann78@netscape.net>
+Date: Fri, 20 Jun 2025 23:05:00 -0400
+Subject: [PATCH 6/9] [CVE-2025-6170] Fix potential buffer overflows of
+ interactive shell
+
+Fixes #941
+---
+ debugXML.c                       | 15 ++++++++++-----
+ result/scripts/long_command      |  8 ++++++++
+ test/scripts/long_command.script |  6 ++++++
+ test/scripts/long_command.xml    |  1 +
+ 4 files changed, 25 insertions(+), 5 deletions(-)
+ create mode 100644 result/scripts/long_command
+ create mode 100644 test/scripts/long_command.script
+ create mode 100644 test/scripts/long_command.xml
+
+diff --git a/debugXML.c b/debugXML.c
+index ed56b0f8..452b9573 100644
+--- a/debugXML.c
++++ b/debugXML.c
+@@ -1033,6 +1033,10 @@ xmlCtxtDumpOneNode(xmlDebugCtxtPtr ctxt, xmlNodePtr node)
+     xmlCtxtGenericNodeCheck(ctxt, node);
+ }
+ 
++#define MAX_PROMPT_SIZE     500
++#define MAX_ARG_SIZE        400
++#define MAX_COMMAND_SIZE    100
++
+ /**
+  * xmlCtxtDumpNode:
+  * @output:  the FILE * for the output
+@@ -2795,10 +2799,10 @@ void
+ xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
+          FILE * output)
+ {
+-    char prompt[500] = "/ > ";
++    char prompt[MAX_PROMPT_SIZE] = "/ > ";
+     char *cmdline = NULL, *cur;
+-    char command[100];
+-    char arg[400];
++    char command[MAX_COMMAND_SIZE];
++    char arg[MAX_ARG_SIZE];
+     int i;
+     xmlShellCtxtPtr ctxt;
+     xmlXPathObjectPtr list;
+@@ -2856,7 +2860,8 @@ xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
+             cur++;
+         i = 0;
+         while ((*cur != ' ') && (*cur != '\t') &&
+-               (*cur != '\n') && (*cur != '\r')) {
++               (*cur != '\n') && (*cur != '\r') &&
++               (i < (MAX_COMMAND_SIZE - 1))) {
+             if (*cur == 0)
+                 break;
+             command[i++] = *cur++;
+@@ -2871,7 +2876,7 @@ xmlShell(xmlDocPtr doc, const char *filename, xmlShellReadlineFunc input,
+         while ((*cur == ' ') || (*cur == '\t'))
+             cur++;
+         i = 0;
+-        while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
++        while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) {
+             if (*cur == 0)
+                 break;
+             arg[i++] = *cur++;
+diff --git a/result/scripts/long_command b/result/scripts/long_command
+new file mode 100644
+index 00000000..e6f00708
+--- /dev/null
++++ b/result/scripts/long_command
+@@ -0,0 +1,8 @@
++/ > b > b > Object is a Node Set :
++Set contains 1 nodes:
++1  ELEMENT a:c
++b > Unknown command This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_comm
++b > b > Unknown command ess_currents_of_time_and_existence
++b > <?xml version="1.0"?>
++<a xmlns:a="bar"><b xmlns:a="foo">Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_prof</b></a>
++b > 
+
+diff --git a/test/scripts/long_command.script b/test/scripts/long_command.script
+new file mode 100644
+index 00000000..00f6df09
+--- /dev/null
++++ b/test/scripts/long_command.script
+@@ -0,0 +1,6 @@
++cd a/b
++set <a:c/>
++xpath //*[namespace-uri()="foo"]
++This_is_a_really_long_command_string_designed_to_test_the_limits_of_the_memory_that_stores_the_command_please_dont_crash foo
++set Navigating_the_labyrinthine_corridors_of_human_cognition_one_often_encounters_the_perplexing_paradox_that_the_more_we_delve_into_the_intricate_dance_of_neural_pathways_and_synaptic_firings_the_further_we_seem_to_stray_from_a_truly_holistic_understanding_of_consciousness_a_phenomenon_that_remains_as_elusive_as_a_moonbeam_caught_in_a_spiderweb_yet_undeniably_shapes_every_fleeting_thought_every_profound_emotion_and_every_grand_aspiration_that_propels_our_species_ever_onward_through_the_relentless_currents_of_time_and_existence
++save -
+diff --git a/test/scripts/long_command.xml b/test/scripts/long_command.xml
+new file mode 100644
+index 00000000..1ba44016
+--- /dev/null
++++ b/test/scripts/long_command.xml
+@@ -0,0 +1 @@
++<a xmlns:a="bar"><b xmlns:a="foo"/></a>
+-- 
+2.50.1
+

data/patches/libxml2/0022-CVE-2025-49795-schematron-Fix-null-pointer-dereferen.patch

@@ -0,0 +1,69 @@
+From 62048278a4c5fdf14d287dfb400005c0a0caa69f Mon Sep 17 00:00:00 2001
+From: Michael Mann <mmann78@netscape.net>
+Date: Sat, 21 Jun 2025 12:11:30 -0400
+Subject: [PATCH 7/9] [CVE-2025-49795] schematron: Fix null pointer dereference
+ leading to DoS
+
+Fixes #932
+---
+ result/schematron/zvon16_0.err | 3 +++
+ schematron.c                   | 5 +++++
+ test/schematron/zvon16.sct     | 7 +++++++
+ test/schematron/zvon16_0.xml   | 5 +++++
+ 4 files changed, 20 insertions(+)
+ create mode 100644 result/schematron/zvon16_0.err
+ create mode 100644 test/schematron/zvon16.sct
+ create mode 100644 test/schematron/zvon16_0.xml
+
+diff --git a/result/schematron/zvon16_0.err b/result/schematron/zvon16_0.err
+new file mode 100644
+index 00000000..3d052409
+--- /dev/null
++++ b/result/schematron/zvon16_0.err
+@@ -0,0 +1,3 @@
++XPath error : Unregistered function
++./test/schematron/zvon16_0.xml:2: element book: schematron error : /library/book line 2: Book 
++./test/schematron/zvon16_0.xml fails to validate
+diff --git a/schematron.c b/schematron.c
+index 1de25deb..da603402 100644
+--- a/schematron.c
++++ b/schematron.c
+@@ -1506,6 +1506,11 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
+             select = xmlGetNoNsProp(child, BAD_CAST "select");
+             comp = xmlXPathCtxtCompile(ctxt->xctxt, select);
+             eval = xmlXPathCompiledEval(comp, ctxt->xctxt);
++            if (eval == NULL) {
++                xmlXPathFreeCompExpr(comp);
++                xmlFree(select);
++                return ret;
++            }
+ 
+             switch (eval->type) {
+             case XPATH_NODESET: {
+diff --git a/test/schematron/zvon16.sct b/test/schematron/zvon16.sct
+new file mode 100644
+index 00000000..f03848aa
+--- /dev/null
++++ b/test/schematron/zvon16.sct
+@@ -0,0 +1,7 @@
++<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
++	<sch:pattern id="TestPattern">
++		<sch:rule context="book">
++			<sch:report test="not(@available)">Book <sch:value-of select="falae()"/> test</sch:report>
++		</sch:rule>
++	</sch:pattern>
++</sch:schema>
+diff --git a/test/schematron/zvon16_0.xml b/test/schematron/zvon16_0.xml
+new file mode 100644
+index 00000000..551e2d65
+--- /dev/null
++++ b/test/schematron/zvon16_0.xml
+@@ -0,0 +1,5 @@
++<library>
++	<book title="Test Book" id="bk101">
++		<author>Test Author</author>
++	</book>
++</library>
+-- 
+2.50.1
+

data/patches/libxml2/0023-CVE-2025-49794-CVE-2025-49796-schematron-Fix-xmlSche.patch

@@ -0,0 +1,182 @@
+From 81cef8c5b5aec2acdf5707e57a6db0c8d1d0abca Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 4 Jul 2025 14:28:26 +0200
+Subject: [PATCH 8/9] [CVE-2025-49794] [CVE-2025-49796] schematron: Fix
+ xmlSchematronReportOutput
+
+Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796)
+in xmlSchematronReportOutput.
+
+Fixes #931.
+Fixes #933.
+---
+ result/schematron/cve-2025-49794_0.err |  2 ++
+ result/schematron/cve-2025-49796_0.err |  2 ++
+ schematron.c                           | 49 ++++++++++++++------------
+ test/schematron/cve-2025-49794.sct     | 10 ++++++
+ test/schematron/cve-2025-49794_0.xml   |  6 ++++
+ test/schematron/cve-2025-49796.sct     |  9 +++++
+ test/schematron/cve-2025-49796_0.xml   |  3 ++
+ 7 files changed, 58 insertions(+), 23 deletions(-)
+ create mode 100644 result/schematron/cve-2025-49794_0.err
+ create mode 100644 result/schematron/cve-2025-49796_0.err
+ create mode 100644 test/schematron/cve-2025-49794.sct
+ create mode 100644 test/schematron/cve-2025-49794_0.xml
+ create mode 100644 test/schematron/cve-2025-49796.sct
+ create mode 100644 test/schematron/cve-2025-49796_0.xml
+
+diff --git a/result/schematron/cve-2025-49794_0.err b/result/schematron/cve-2025-49794_0.err
+new file mode 100644
+index 00000000..57752310
+--- /dev/null
++++ b/result/schematron/cve-2025-49794_0.err
+@@ -0,0 +1,2 @@
++./test/schematron/cve-2025-49794_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2:  
++./test/schematron/cve-2025-49794_0.xml fails to validate
+diff --git a/result/schematron/cve-2025-49796_0.err b/result/schematron/cve-2025-49796_0.err
+new file mode 100644
+index 00000000..bf875ee0
+--- /dev/null
++++ b/result/schematron/cve-2025-49796_0.err
+@@ -0,0 +1,2 @@
++./test/schematron/cve-2025-49796_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2:  
++./test/schematron/cve-2025-49796_0.xml fails to validate
+diff --git a/schematron.c b/schematron.c
+index da603402..6e2ceeb7 100644
+--- a/schematron.c
++++ b/schematron.c
+@@ -1414,27 +1414,15 @@ xmlSchematronParse(xmlSchematronParserCtxtPtr ctxt)
+  *                                                                      *
+  ************************************************************************/
+ 
+-static xmlNodePtr
++static xmlXPathObjectPtr
+ xmlSchematronGetNode(xmlSchematronValidCtxtPtr ctxt,
+                      xmlNodePtr cur, const xmlChar *xpath) {
+-    xmlNodePtr node = NULL;
+-    xmlXPathObjectPtr ret;
+-
+     if ((ctxt == NULL) || (cur == NULL) || (xpath == NULL))
+         return(NULL);
+ 
+     ctxt->xctxt->doc = cur->doc;
+     ctxt->xctxt->node = cur;
+-    ret = xmlXPathEval(xpath, ctxt->xctxt);
+-    if (ret == NULL)
+-        return(NULL);
+-
+-    if ((ret->type == XPATH_NODESET) &&
+-        (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0))
+-        node = ret->nodesetval->nodeTab[0];
+-
+-    xmlXPathFreeObject(ret);
+-    return(node);
++    return(xmlXPathEval(xpath, ctxt->xctxt));
+ }
+ 
+ /**
+@@ -1480,25 +1468,40 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
+             (child->type == XML_CDATA_SECTION_NODE))
+             ret = xmlStrcat(ret, child->content);
+         else if (IS_SCHEMATRON(child, "name")) {
++            xmlXPathObject *obj = NULL;
+             xmlChar *path;
+ 
+             path = xmlGetNoNsProp(child, BAD_CAST "path");
+ 
+             node = cur;
+             if (path != NULL) {
+-                node = xmlSchematronGetNode(ctxt, cur, path);
+-                if (node == NULL)
+-                    node = cur;
++                obj = xmlSchematronGetNode(ctxt, cur, path);
++                if ((obj != NULL) &&
++                    (obj->type == XPATH_NODESET) &&
++                    (obj->nodesetval != NULL) &&
++                    (obj->nodesetval->nodeNr > 0))
++                    node = obj->nodesetval->nodeTab[0];
+                 xmlFree(path);
+             }
+ 
+-            if ((node->ns == NULL) || (node->ns->prefix == NULL))
+-                ret = xmlStrcat(ret, node->name);
+-            else {
+-                ret = xmlStrcat(ret, node->ns->prefix);
+-                ret = xmlStrcat(ret, BAD_CAST ":");
+-                ret = xmlStrcat(ret, node->name);
++            switch (node->type) {
++                case XML_ELEMENT_NODE:
++                case XML_ATTRIBUTE_NODE:
++                    if ((node->ns == NULL) || (node->ns->prefix == NULL))
++                        ret = xmlStrcat(ret, node->name);
++                    else {
++                        ret = xmlStrcat(ret, node->ns->prefix);
++                        ret = xmlStrcat(ret, BAD_CAST ":");
++                        ret = xmlStrcat(ret, node->name);
++                    }
++                    break;
++
++                /* TODO: handle other node types */
++                default:
++                    break;
+             }
++
++            xmlXPathFreeObject(obj);
+         } else if (IS_SCHEMATRON(child, "value-of")) {
+             xmlChar *select;
+             xmlXPathObjectPtr eval;
+diff --git a/test/schematron/cve-2025-49794.sct b/test/schematron/cve-2025-49794.sct
+new file mode 100644
+index 00000000..7fc9ee3d
+--- /dev/null
++++ b/test/schematron/cve-2025-49794.sct
+@@ -0,0 +1,10 @@
++<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
++    <sch:pattern id="">
++        <sch:rule context="boo0">
++            <sch:report test="not(0)">
++                <sch:name path="&#9;e|namespace::*|e"/>
++            </sch:report>
++            <sch:report test="0"></sch:report>
++        </sch:rule>
++    </sch:pattern>
++</sch:schema>
+diff --git a/test/schematron/cve-2025-49794_0.xml b/test/schematron/cve-2025-49794_0.xml
+new file mode 100644
+index 00000000..debc64ba
+--- /dev/null
++++ b/test/schematron/cve-2025-49794_0.xml
+@@ -0,0 +1,6 @@
++<librar0>
++    <boo0 t="">
++        <author></author>
++    </boo0>
++    <ins></ins>
++</librar0>
+diff --git a/test/schematron/cve-2025-49796.sct b/test/schematron/cve-2025-49796.sct
+new file mode 100644
+index 00000000..e9702d75
+--- /dev/null
++++ b/test/schematron/cve-2025-49796.sct
+@@ -0,0 +1,9 @@
++<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
++    <sch:pattern id="">
++        <sch:rule context="boo0">
++            <sch:report test="not(0)">
++                <sch:name path="/"/>
++            </sch:report>
++        </sch:rule>
++    </sch:pattern>
++</sch:schema>
+diff --git a/test/schematron/cve-2025-49796_0.xml b/test/schematron/cve-2025-49796_0.xml
+new file mode 100644
+index 00000000..be33c4ec
+--- /dev/null
++++ b/test/schematron/cve-2025-49796_0.xml
+@@ -0,0 +1,3 @@
++<librar0>
++    <boo0/>
++</librar0>
+-- 
+2.50.1
+