DO NOT MERGE: Disallow namespace nodes in XPointer ranges

Namespace nodes must be copied to avoid use-after-free errors.
But they don't necessarily have a physical representation in a
document, so simply disallow them in XPointer ranges.

Found with afl-fuzz.

Fixes CVE-2016-4658.

Bug: 36554207
Change-Id: Ie570c4a53ae8ca82ed4ca19701ab7d8ba9b0468f
(cherry picked from commit cde4b40a9c17aec816c6b2577250fff9354a6f3c)
1 file changed
tree: 4429dedea0c3e78570da6c646ed5b55e55e1771c