Commit d1af1e51 authored by Brian C. Young's avatar Brian C. Young
Browse files

DO NOT MERGE: Fix XPointer paths beginning with range-to

The old code would invoke the broken xmlXPtrRangeToFunction. range-to
isn't really a function but a special kind of location step. Remove
this function and always handle range-to in the XPath code.

The old xmlXPtrRangeToFunction could also be abused to trigger a
use-after-free error with the potential for remote code execution.

Found with afl-fuzz.

Fixes CVE-2016-5131.

Bug: 36554209
Change-Id: I2bd369290a884c432d16796884d48db6285f8502
parent 1d8878ba
Loading
Loading
Loading
Loading
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment