Bug#529634: libxml2: buggy string-range() XPointer function

[Jakub Wilk]

Package: libxml2
Version: 2.7.3.dfsg-1
Severity: normal
I discovered several flaws in the string-range() XPointer function 
implementation. See http://www.w3.org/TR/xptr-xpointer/#stringrange for 
the specification.


1. Some edge cases fail:

$ ./test-xpointer '<a>xyzw</a>' "string-range(/a, 'xy', 1, 4)"
-:2: element include: XInclude error : XPointer evaluation failed: 
#xpointer(string-range(/a, 'xy', 1, 4))
-:2: element include: XInclude error : could not load /tmp/tmp.XXXXWeW45c, and 
no fallback was found
<?xml version="1.0"?>
<root><include xmlns="http://www.w3.org/2003/XInclude"; href="/tmp/tmp.XXXXWeW45c" 
xpointer="xpointer(string-range(/a, 'xy', 1, 4))"/></root>

$ ./test-xpointer '<a>xyzw</a>' "string-range(/a, 'xy', 1, 3)"
-:2: element include: XInclude error : XPointer evaluation failed: 
#xpointer(string-range(/a, 'xy', 1, 3))
-:2: element include: XInclude error : could not load /tmp/tmp.XXXXdTlLwI, and 
no fallback was found
<?xml version="1.0"?>
<root><include xmlns="http://www.w3.org/2003/XInclude"; href="/tmp/tmp.XXXXdTlLwI" 
xpointer="xpointer(string-range(/a, 'xy', 1, 3))"/></root>


2. Returned strings are typically one character longer than requested:

$ ./test-xpointer '<a>xyzw</a>' "string-range(/a, 'xy', 1, 2)"
<?xml version="1.0"?>
<root>xyz</root>


3. Searching for a single-character string triggers an infinite loop:

$ ./test-xpointer '<a>xyzw</a>' "string-range(/a, 'x')"


4. Character counting is broken for non-ASCII characters:

$ ./test-xpointer '<a>żółw</a>' "string-range(/a, 'żółw', 1, 4)"
<?xml version="1.0"?>
<root>&#x17C;&#xF3;</root>


-- System Information:
Debian Release: squeeze/sid
    APT prefers unstable
    APT policy: (900, 'unstable'), (500, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.29-2-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libxml2 depends on:
ii  libc6                  2.9-12            GNU C Library: Shared libraries
ii  zlib1g                 1:1.2.3.3.dfsg-13 compression library - runtime

Versions of packages libxml2 recommends:
ii  xml-core                      0.12       XML infrastructure and XML catalog

libxml2 suggests no packages.

-- no debconf information

--
Jakub Wilk
#!/bin/sh
if [ $# -ne 2 ]
then
  echo "Usage: $0 <xml> <xpointer>" >&2
  exit 1
fi
xml=$1
xpointer=$2
tmpxml=`mktemp -t` || exit 1
echo "$xml" > "$tmpxml"
cat <<EOF | xmllint --xinclude -
<root>\
<include xmlns="http://www.w3.org/2003/XInclude";
href="$tmpxml" xpointer="xpointer($xpointer)"/>\
</root>
EOF
rm -f "$tmpxml"