author: Nick Wellnhofer <wellnhofer@aevum.de> 2016-06-28 14:22:23 +0200
committer: Nick Wellnhofer <wellnhofer@aevum.de> 2016-10-12 13:12:18 +0200
commit: 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e (patch)
tree: 7980ec57bddb64fcb54cae0e0dfd19a4d7330139 /result
parent: a005199330b86dada19d162cae15ef9bdcb6baa8 (diff)
Fix XPointer paths beginning with range-to
The old code would invoke the broken xmlXPtrRangeToFunction. range-to isn't really a function but a special kind of location step. Remove this function and always handle range-to in the XPath code. The old xmlXPtrRangeToFunction could also be abused to trigger a use-after-free error with the potential for remote code execution. Found with afl-fuzz. Fixes CVE-2016-5131.
Diffstat (limited to 'result')
-rw-r--r-- result/XPath/xptr/vidbase | 13
1 files changed, 13 insertions, 0 deletions
diff --git a/result/XPath/xptr/vidbase b/result/XPath/xptr/vidbase
index 8b9e92d6..f19193e7 100644
--- a/result/XPath/xptr/vidbase
+++ b/result/XPath/xptr/vidbase
@@ -17,3 +17,16 @@ Object is a Location Set:
To node
ELEMENT p
+
+========================
+Expression: xpointer(range-to(id('chapter2')))
+Object is a Location Set:
+1 : Object is a range :
+ From node
+ /
+ To node
+ ELEMENT chapter
+ ATTRIBUTE id
+ TEXT
+ content=chapter2
+
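Review bot: this expected-output file only pins the post-fix result; the regression is exercised only if the matching input under test/XPath/xptr/vidbase gains the same `xpointer(range-to(id('chapter2')))` expression, and because this view is limited to 'result' that companion change should be confirmed in the same commit. The `From node /` line is what this file now locks in for a path that begins with range-to (the range starts at the document root and ends at the `id('chapter2')` element), so a one-line comment in the test input saying that this case used to reach the removed xmlXPtrRangeToFunction would make the purpose of the expectation clear to whoever next touches the xptr tests.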