DO NOT MERGE: Fix XPointer paths beginning with range-to The old code would invoke the broken xmlXPtrRangeToFunction. range-to isn't really a function but a special kind of location step. Remove this function and always handle range-to in the XPath code. The old xmlXPtrRangeToFunction could also be abused to trigger a use-after-free error with the potential for remote code execution. Found with afl-fuzz. Fixes CVE-2016-5131. FPIIM-797 FPIIM-796 Bug: 36554209 Change-Id: I2bd369290a884c432d16796884d48db6285f8502 (cherry picked from commit 574adc92c8710e0cd2ed41dbc6d66cc00cf3f5b9)

commit: 142c7c6fec45a60037dc0c07423f52658d9fd97d [log] [tgz]
author: Brian C. Young <bcyoung@google.com> Mon Apr 03 12:46:02 2017 -0700
committer: Maarten Derks <maarten@fairphone.com> Wed May 24 08:16:25 2017 +0000
tree: 06ad84b86961d7a2814eb9f73cd358f5ca320078
parent: 0dc8c63ffcf82c62962af6e0318a8fef97a8b512 [diff] [blame]
diff --git a/xpath.c b/xpath.c
index 751665b..67afbca 100644
--- a/xpath.c
+++ b/xpath.c

@@ -10691,13 +10691,18 @@
 		    lc = 1;
 		    break;
 		} else if ((NXT(len) == '(')) {
-		    /* Note Type or Function */
+		    /* Node Type or Function */
 		    if (xmlXPathIsNodeType(name)) {
 #ifdef DEBUG_STEP
 		        xmlGenericError(xmlGenericErrorContext,
 				"PathExpr: Type search\n");
 #endif
 			lc = 1;
+#ifdef LIBXML_XPTR_ENABLED
+                    } else if (ctxt->xptr &&
+                               xmlStrEqual(name, BAD_CAST "range-to")) {
+                        lc = 1;
+#endif
 		    } else {
 #ifdef DEBUG_STEP
 		        xmlGenericError(xmlGenericErrorContext,
commit	142c7c6fec45a60037dc0c07423f52658d9fd97d	[log] [tgz]
author	Brian C. Young <bcyoung@google.com>	Mon Apr 03 12:46:02 2017 -0700
committer	Maarten Derks <maarten@fairphone.com>	Wed May 24 08:16:25 2017 +0000
tree	06ad84b86961d7a2814eb9f73cd358f5ca320078
parent	0dc8c63ffcf82c62962af6e0318a8fef97a8b512 [diff] [blame]