[libxml2] Don't recurse into OP_VALUEs in xmlXPathOptimizeExpression

[Nick Wellnhofer <nwellnhof src gnome org>]

commit 839689a9a85d81f722997d00ec17a36b17ce6731
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Wed Apr 27 18:00:12 2016 +0200

    Don't recurse into OP_VALUEs in xmlXPathOptimizeExpression
    
    The ch1 slot of OP_VALUEs contains an invalid value. Ignore it.
    
    Fixes bug #760325:
    
    https://bugzilla.gnome.org/show_bug.cgi?id=760325

 result/XPath/expr/base |    4 ++++
 test/XPath/expr/base   |    1 +
 xpath.c                |    4 ++++
 3 files changed, 9 insertions(+), 0 deletions(-)
---
diff --git a/result/XPath/expr/base b/result/XPath/expr/base
index d308a92..e04346f 100644
--- a/result/XPath/expr/base
+++ b/result/XPath/expr/base
@@ -20,5 +20,9 @@ Expression: (1+2)*(3+4)
 Object is a number : 21
 
 ========================
+Expression: 1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1
+Object is a number : 21
+
+========================
 Expression: self::-name
 Object is empty (NULL)
diff --git a/test/XPath/expr/base b/test/XPath/expr/base
index 0be4871..f57e4d0 100644
--- a/test/XPath/expr/base
+++ b/test/XPath/expr/base
@@ -3,4 +3,5 @@
 2*3
 1+2*3+4
 (1+2)*(3+4)
+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1
 self::-name
diff --git a/xpath.c b/xpath.c
index 6b92e7d..3924050 100644
--- a/xpath.c
+++ b/xpath.c
@@ -14786,6 +14786,10 @@ xmlXPathOptimizeExpression(xmlXPathCompExprPtr comp, xmlXPathStepOpPtr op)
        }
     }
 
+    /* OP_VALUE has invalid ch1. */
+    if (op->op == XPATH_OP_VALUE)
+        return;
+
     /* Recurse */
     if (op->ch1 != -1)
         xmlXPathOptimizeExpression(comp, &comp->steps[op->ch1]);