DO NOT MERGE: Fix XPointer paths beginning with range-to

The old code would invoke the broken xmlXPtrRangeToFunction. range-to
isn't really a function but a special kind of location step. Remove
this function and always handle range-to in the XPath code.

The old xmlXPtrRangeToFunction could also be abused to trigger a
use-after-free error with the potential for remote code execution.

Found with afl-fuzz.

Fixes CVE-2016-5131.

Bug: 36554209
Change-Id: I2bd369290a884c432d16796884d48db6285f8502
(cherry picked from commit e875e1cd1fc92fd2daa57826024125cbd0b195c7)
3 files changed
tree: 143c8b6a1bab7e25e0857f4b4f9991bbe0349de6
  1. VxWorks/
  2. bakefile/
  3. doc/
  4. example/
  5. include/
  6. macos/
  7. optim/
  8. os400/
  9. python/
  10. result/
  11. test/
  12. vms/
  13. win32/
  14. xstc/
  15. .gitignore
  16. AUTHORS
  17. Android.mk
  18. ChangeLog
  19. CleanSpec.mk
  20. Copyright
  21. DOCBparser.c
  22. HACKING
  23. INSTALL.libxml2
  24. MAINTAINERS
  25. MODULE_LICENSE_MIT
  26. Makefile.am
  27. Makefile.tests
  28. Makefile.win
  29. NEWS
  30. README
  31. README.cvs-commits
  32. README.tests
  33. README.version
  34. SAX.c
  35. SAX2.c
  36. TODO
  37. TODO_SCHEMAS
  38. acinclude.m4
  39. autogen.sh
  40. buf.c
  41. buf.h
  42. build_glob.py
  43. c14n.c
  44. catalog.c
  45. check-relaxng-test-suite.py
  46. check-relaxng-test-suite2.py
  47. check-xinclude-test-suite.py
  48. check-xml-test-suite.py
  49. check-xsddata-test-suite.py
  50. chvalid.c
  51. chvalid.def
  52. config.h
  53. configure.ac
  54. dbgen.pl
  55. dbgenattr.pl
  56. debugXML.c
  57. dict.c
  58. elfgcchack.h
  59. enc.h
  60. encoding.c
  61. entities.c
  62. error.c
  63. genChRanges.py
  64. genUnicode.py
  65. gentest.py
  66. global.data
  67. globals.c
  68. hash.c
  69. legacy.c
  70. libxml-2.0-uninstalled.pc.in
  71. libxml-2.0.pc.in
  72. libxml.3
  73. libxml.h
  74. libxml.m4
  75. libxml.spec.in
  76. libxml2-config.cmake.in
  77. libxml2.doap
  78. libxml2.syms
  79. list.c
  80. nanoftp.c
  81. nanohttp.c
  82. parser.c
  83. parserInternals.c
  84. pattern.c
  85. regressions.py
  86. regressions.xml
  87. relaxng.c
  88. rngparser.c
  89. runsuite.c
  90. runtest.c
  91. runxmlconf.c
  92. save.h
  93. schematron.c
  94. testAutomata.c
  95. testC14N.c
  96. testHTML.c
  97. testModule.c
  98. testOOM.c
  99. testOOMlib.c
  100. testOOMlib.h
  101. testReader.c
  102. testRegexp.c
  103. testRelax.c
  104. testSAX.c
  105. testSchemas.c
  106. testThreads.c
  107. testThreadsWin32.c
  108. testURI.c
  109. testXPath.c
  110. testapi.c
  111. testchar.c
  112. testdict.c
  113. testdso.c
  114. testlimits.c
  115. testrecurse.c
  116. threads.c
  117. timsort.h
  118. tree.c
  119. trio.c
  120. trio.h
  121. triodef.h
  122. trionan.c
  123. trionan.h
  124. triop.h
  125. triostr.c
  126. triostr.h
  127. uri.c
  128. valid.c
  129. xinclude.c
  130. xlink.c
  131. xml2-config.1
  132. xml2-config.in
  133. xml2Conf.sh.in
  134. xmlIO.c
  135. xmlcatalog.c
  136. xmllint.c
  137. xmlmemory.c
  138. xmlmodule.c
  139. xmlreader.c
  140. xmlregexp.c
  141. xmlsave.c
  142. xmlschemas.c
  143. xmlschemastypes.c
  144. xmlstring.c
  145. xmlunicode.c
  146. xmlwriter.c
  147. xpath.c
  148. xpointer.c
  149. xzlib.c
  150. xzlib.h