authorNick Wellnhofer <wellnhofer@aevum.de>2016-06-28 14:22:23 +0200
committerNick Wellnhofer <wellnhofer@aevum.de>2016-10-12 13:12:18 +0200
commit9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e (patch)
tree7980ec57bddb64fcb54cae0e0dfd19a4d7330139 /xpath.c
parenta005199330b86dada19d162cae15ef9bdcb6baa8 (diff)
Fix XPointer paths beginning with range-to
The old code would invoke the broken xmlXPtrRangeToFunction. range-to isn't really a function but a special kind of location step. Remove this function and always handle range-to in the XPath code. The old xmlXPtrRangeToFunction could also be abused to trigger a use-after-free error with the potential for remote code execution. Found with afl-fuzz. Fixes CVE-2016-5131.
Diffstat (limited to 'xpath.c')
-rw-r--r--xpath.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/xpath.c b/xpath.c
index d992841e..5a01b1b3 100644
--- a/xpath.c
+++ b/xpath.c
@@ -10691,13 +10691,18 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) {
lc = 1;
break;
} else if ((NXT(len) == '(')) {
- /* Note Type or Function */
+ /* Node Type or Function */
if (xmlXPathIsNodeType(name)) {
#ifdef DEBUG_STEP
xmlGenericError(xmlGenericErrorContext,
"PathExpr: Type search\n");
#endif
lc = 1;
+#ifdef LIBXML_XPTR_ENABLED
+ } else if (ctxt->xptr &&
+ xmlStrEqual(name, BAD_CAST "range-to")) {
+ lc = 1;
+#endif
} else {
#ifdef DEBUG_STEP
xmlGenericError(xmlGenericErrorContext,
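Review bot: The new `else if (ctxt->xptr && xmlStrEqual(name, BAD_CAST "range-to"))` branch sets `lc = 1` for a name that is followed by `(` without saying why, and the corrected `/* Node Type or Function */` comment above it no longer covers this third case, so a reader unfamiliar with the XPointer history will take the location-step classification for a mistake. Suggest extending the comment to `/* Node Type, Function, or (XPointer only) range-to, which is a location step rather than a function and is handled by the step parser */`. Because the test is gated on `ctxt->xptr`, `range-to(` outside an XPointer evaluation still takes the function-call path; with xmlXPtrRangeToFunction removed per the description that presumably ends in an unknown-function error at evaluation time rather than at parse time, which is worth recording in the same comment. The step-level handling of range-to (xmlXPathCompStep) that this branch relies on is outside the hunk, as is the rest of the enclosing xmlXPathCompPathExpr.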