Bugs in xmlXPathEvalExpr and xmlXPtrRangeToFunction can lead to a use-after-free and allow control of the instruction pointer.
Bugs in xmlXPathEvalExpr and xmlXPtrRangeToFunction can lead to a use-after-free and allow control of the instruction pointer.
https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e https://bugs.chromium.org/p/chromium/issues/detail?id=623378