DO NOT MERGE: Fix XPointer paths beginning with range-to

The old code would invoke the broken xmlXPtrRangeToFunction. range-to
isn't really a function but a special kind of location step. Remove
this function and always handle range-to in the XPath code.

The old xmlXPtrRangeToFunction could also be abused to trigger a
use-after-free error with the potential for remote code execution.

Found with afl-fuzz.

Fixes CVE-2016-5131.

Bug: 36554209
Change-Id: I2bd369290a884c432d16796884d48db6285f8502
3 files changed
tree: e8a5ee37b7b91310898fca763069c88fa3fbec4d