From cbb271655cadeb8dbb258a64701d9a3a0c4835b4 Mon Sep 17 00:00:00 2001
From: Pranjal Jumde
Date: Mon, 7 Mar 2016 06:34:26 -0800
Subject: [PATCH] Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup

* xmlregexp.c: (xmlFAParseCharRange): Only advance to the next character if there is no error. Advancing to the next character in case of an error while parsing regexp leads to an out of bounds access.
Upstream-Status: Backport
CVE: CVE-2016-1840
Signed-off-by: Armin Kuster
---
 xmlregexp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
Index: libxml2-2.9.2/xmlregexp.c
===================================================================
--- libxml2-2.9.2.orig/xmlregexp.c
+++ libxml2-2.9.2/xmlregexp.c
@@ -5052,11 +5052,12 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr
 ERROR("Expecting the end of a char range");
 return;
 }
- NEXTL(len);
+
 /* TODO check that the values are acceptable character ranges for XML */
 if (end < start) {
 ERROR("End of range is before start of range");
 } else {
+ NEXTL(len);
 xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg,
 XML_REGEXP_CHARVAL, start, end, NULL);
 }
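Review bot: The `NEXTL(len);` moved into the `else` branch has no comment saying why the cursor is advanced only on success; the reason is given only in the commit message (advancing after a range error leads to an out-of-bounds access, reported in xmlFAParsePosCharGroup). I would add above it `/* Advance only for a valid range: on error the cursor must stay put so the caller does not read past the buffer (CVE-2016-1840). */` and drop the blank line added where the call used to be. The `end < start` branch also falls through after `ERROR(...)` while the error path just above uses `return;`; an explicit `return;` would make the two consistent, but the rest of xmlFAParseCharRange is outside the hunk, so first confirm that nothing after the `if` still needs to run. The diffstat shows only xmlregexp.c changed, so a regression case for a reversed range, run under a memory sanitizer, would help keep this from reopening.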