mirror of
https://gitlab.gnome.org/GNOME/libxml2.git
synced 2025-10-27 12:15:34 +03:00
The old code would invoke the broken xmlXPtrRangeToFunction. range-to isn't really a function but a special kind of location step. Remove this function and always handle range-to in the XPath code. The old xmlXPtrRangeToFunction could also be abused to trigger a use-after-free error with the potential for remote code execution. Found with afl-fuzz. Fixes CVE-2016-5131.
4 lines
126 B
Plaintext
xpointer(id('chapter1')/p)
xpointer(id('chapter1')/p[1]/range-to(following-sibling::p[2]))
xpointer(range-to(id('chapter2')))