Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / libxml2 / 574adc92c8710e0cd2ed41dbc6d66cc00cf3f5b9
commit574adc92c8710e0cd2ed41dbc6d66cc00cf3f5b9[log] [tgz]
authorBrian C. Young <bcyoung@google.com>Mon Apr 03 12:46:02 2017 -0700
committerBrian C. Young <bcyoung@google.com>Mon Apr 10 13:17:40 2017 -0700
tree9c9ed721cd4ce1ed70691d404b9444ad03bf0e7f
parent802cd32b480db799d282557ebbfddc1cf074be5f [diff]
DO NOT MERGE: Fix XPointer paths beginning with range-to

The old code would invoke the broken xmlXPtrRangeToFunction. range-to
isn't really a function but a special kind of location step. Remove
this function and always handle range-to in the XPath code.

The old xmlXPtrRangeToFunction could also be abused to trigger a
use-after-free error with the potential for remote code execution.

Found with afl-fuzz.

Fixes CVE-2016-5131.

Bug: 36554209
Change-Id: I2bd369290a884c432d16796884d48db6285f8502
3 files changed
tree: 9c9ed721cd4ce1ed70691d404b9444ad03bf0e7f
  1. bakefile/
  2. doc/
  3. example/
  4. include/
  5. macos/
  6. optim/
  7. os400/
  8. python/
  9. result/
  10. test/
  11. vms/
  12. VxWorks/
  13. win32/
  14. xstc/
  15. NOTICECopyright
  16. .gitignore
  17. acinclude.m4
  18. Android.mk
  19. AUTHORS
  20. autogen.sh
  21. buf.c
  22. buf.h
  23. build_glob.py
  24. c14n.c
  25. catalog.c
  26. ChangeLog
  27. check-relaxng-test-suite.py
  28. check-relaxng-test-suite2.py
  29. check-xinclude-test-suite.py
  30. check-xml-test-suite.py
  31. check-xsddata-test-suite.py
  32. chvalid.c
  33. chvalid.def
  34. CleanSpec.mk
  35. config.h
  36. configure.ac
  37. Copyright
  38. dbgen.pl
  39. dbgenattr.pl
  40. debugXML.c
  41. dict.c
  42. DOCBparser.c
  43. elfgcchack.h
  44. enc.h
  45. encoding.c
  46. entities.c
  47. error.c
  48. genChRanges.py
  49. gentest.py
  50. genUnicode.py
  51. global.data
  52. globals.c
  53. HACKING
  54. hash.c
  55. HTMLparser.c
  56. HTMLtree.c
  57. INSTALL.libxml2
  58. legacy.c
  59. libxml-2.0-uninstalled.pc.in
  60. libxml-2.0.pc.in
  61. libxml.3
  62. libxml.h
  63. libxml.m4
  64. libxml.spec.in
  65. libxml2-config.cmake.in
  66. libxml2.doap
  67. libxml2.syms
  68. list.c
  69. MAINTAINERS
  70. Makefile.am
  71. Makefile.tests
  72. Makefile.win
  73. MODULE_LICENSE_MIT
  74. nanoftp.c
  75. nanohttp.c
  76. NEWS
  77. parser.c
  78. parserInternals.c
  79. pattern.c
  80. README
  81. README.cvs-commits
  82. README.tests
  83. regressions.py
  84. regressions.xml
  85. relaxng.c
  86. rngparser.c
  87. runsuite.c
  88. runtest.c
  89. runxmlconf.c
  90. save.h
  91. SAX.c
  92. SAX2.c
  93. schematron.c
  94. testapi.c
  95. testAutomata.c
  96. testC14N.c
  97. testchar.c
  98. testdict.c
  99. testdso.c
  100. testHTML.c
  101. testlimits.c
  102. testModule.c
  103. testOOM.c
  104. testOOMlib.c
  105. testOOMlib.h
  106. testReader.c
  107. testrecurse.c
  108. testRegexp.c
  109. testRelax.c
  110. testSAX.c
  111. testSchemas.c
  112. testThreads.c
  113. testThreadsWin32.c
  114. testURI.c
  115. testXPath.c
  116. threads.c
  117. timsort.h
  118. TODO
  119. TODO_SCHEMAS
  120. tree.c
  121. trio.c
  122. trio.h
  123. triodef.h
  124. trionan.c
  125. trionan.h
  126. triop.h
  127. triostr.c
  128. triostr.h
  129. uri.c
  130. valid.c
  131. xinclude.c
  132. xlink.c
  133. xml2-config.1
  134. xml2-config.in
  135. xml2Conf.sh.in
  136. xmlcatalog.c
  137. xmlIO.c
  138. xmllint.c
  139. xmlmemory.c
  140. xmlmodule.c
  141. xmlreader.c
  142. xmlregexp.c
  143. xmlsave.c
  144. xmlschemas.c
  145. xmlschemastypes.c
  146. xmlstring.c
  147. xmlunicode.c
  148. xmlwriter.c
  149. xpath.c
  150. xpointer.c
  151. xzlib.c
  152. xzlib.h