--- /dev/null
+From cbb271655cadeb8dbb258a64701d9a3a0c4835b4 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde@apple.com>
+Date: Mon, 7 Mar 2016 06:34:26 -0800
+Subject: [PATCH] Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup
+ <https://bugzilla.gnome.org/show_bug.cgi?id=757711>
+
+* xmlregexp.c:
+(xmlFAParseCharRange): Only advance to the next character if
+there is no error. Advancing to the next character in case of
+an error while parsing regexp leads to an out of bounds access.
+
+Upstream-Status: Backport
+CVE: CVE-2016-1840
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ xmlregexp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: libxml2-2.9.2/xmlregexp.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlregexp.c
++++ libxml2-2.9.2/xmlregexp.c
+@@ -5052,11 +5052,12 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr
+ ERROR("Expecting the end of a char range");
+ return;
+ }
+- NEXTL(len);
++
+ /* TODO check that the values are acceptable character ranges for XML */
+ if (end < start) {
+ ERROR("End of range is before start of range");
+ } else {
++ NEXTL(len);
+ xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg,
+ XML_REGEXP_CHARVAL, start, end, NULL);
+ }
