Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup <https://bugzilla.gnome.org/show_bug.cgi?id=757711> * xmlregexp.c: (xmlFAParseCharRange): Only advance to the next character if there is no error. Advancing to the next character in case of an error while parsing regexp leads to an out of bounds access.

commit: cbb271655cadeb8dbb258a64701d9a3a0c4835b4 [log] [tgz]
author: Pranjal Jumde <pjumde@apple.com> Mon Mar 07 06:34:26 2016 -0800
committer: Daniel Veillard <veillard@redhat.com> Mon May 23 15:01:07 2016 +0800
tree: c500b5ca66cff84dba03bfb021855b853aaf7ff4
parent: 40fd6d2a1b9dfc8ef5b428c9df7bdcb3398d6bd3 [diff]
diff --git a/xmlregexp.c b/xmlregexp.c
index 727fef4..ca3b4f4 100644
--- a/xmlregexp.c
+++ b/xmlregexp.c

@@ -5057,11 +5057,12 @@
 	ERROR("Expecting the end of a char range");
 	return;
     }
-    NEXTL(len);
+
     /* TODO check that the values are acceptable character ranges for XML */
     if (end < start) {
 	ERROR("End of range is before start of range");
     } else {
+        NEXTL(len);
         xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg,
 		           XML_REGEXP_CHARVAL, start, end, NULL);
     }
commit	cbb271655cadeb8dbb258a64701d9a3a0c4835b4	[log] [tgz]
author	Pranjal Jumde <pjumde@apple.com>	Mon Mar 07 06:34:26 2016 -0800
committer	Daniel Veillard <veillard@redhat.com>	Mon May 23 15:01:07 2016 +0800
tree	c500b5ca66cff84dba03bfb021855b853aaf7ff4
parent	40fd6d2a1b9dfc8ef5b428c9df7bdcb3398d6bd3 [diff]