author | Nick Wellnhofer <wellnhofer@aevum.de> | 2016-06-28 14:22:23 +0200 |
---|---|---|
committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2016-10-12 13:12:18 +0200 |
commit | 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e (patch) | |
tree | 7980ec57bddb64fcb54cae0e0dfd19a4d7330139 /xpath.c | |
parent | a005199330b86dada19d162cae15ef9bdcb6baa8 (diff) | |
download | libxml2-9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e.tar.gz | |
Fix XPointer paths beginning with range-to
The old code would invoke the broken xmlXPtrRangeToFunction. range-to
isn't really a function but a special kind of location step. Remove
this function and always handle range-to in the XPath code.
The old xmlXPtrRangeToFunction could also be abused to trigger a
use-after-free error with the potential for remote code execution.
Found with afl-fuzz.
Fixes CVE-2016-5131.
Diffstat (limited to 'xpath.c')
-rw-r--r-- | xpath.c | 7 |
1 files changed, 6 insertions, 1 deletions
@@ -10691,13 +10691,18 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) { lc = 1; break; } else if ((NXT(len) == '(')) { - /* Note Type or Function */ + /* Node Type or Function */ if (xmlXPathIsNodeType(name)) { #ifdef DEBUG_STEP xmlGenericError(xmlGenericErrorContext, "PathExpr: Type search\n"); #endif lc = 1; +#ifdef LIBXML_XPTR_ENABLED + } else if (ctxt->xptr && + xmlStrEqual(name, BAD_CAST "range-to")) { + lc = 1; +#endif } else { #ifdef DEBUG_STEP xmlGenericError(xmlGenericErrorContext, |
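Review bot: the new branch in xmlXPathCompPathExpr only classifies `range-to` as a location step (`lc = 1`) when `ctxt->xptr` is set; for a context without `xptr`, the name still falls through to the `else` branch and is compiled as a function call, so the fix depends on the companion change the message describes (removing xmlXPtrRangeToFunction) not being visible here because the diffstat is limited to xpath.c. Confirm that the function is also unregistered in xpointer.c, so that a plain XPath evaluation of `range-to(` fails with an unknown-function error instead of reaching the old code path. The comment correction from `Note Type` to `Node Type` is fine; the `xmlStrEqual(name, BAD_CAST "range-to")` comparison is exact and case-sensitive, which matches how the surrounding node-type names are matched.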