[libxml2] Fix more NULL pointer derefs in xpointer.c



commit e905f08123e4a6e7731549e6f09dadff4cab65bd
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Sun Jun 26 12:38:28 2016 +0200

    Fix more NULL pointer derefs in xpointer.c
    
    Found with afl-fuzz.

 xpointer.c |   12 +++++++-----
 1 files changed, 7 insertions(+), 5 deletions(-)
---
diff --git a/xpointer.c b/xpointer.c
index 694d120..e643ee9 100644
--- a/xpointer.c
+++ b/xpointer.c
@@ -542,7 +542,7 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
            /*
             * Empty set ...
             */
-           if (end->nodesetval->nodeNr <= 0)
+           if ((end->nodesetval == NULL) || (end->nodesetval->nodeNr <= 0))
                return(NULL);
            endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
            endIndex = -1;
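Review bot: No regression input accompanies the guard added on `end->nodesetval` here, nor the `set == NULL` test in xmlXPtrEval or the `oldset != NULL` wrapper in xmlXPtrRangeFunction; the diffstat lists xpointer.c only. Since all three crashes were found by fuzzing, the minimised XPointer expressions that triggered them belong in the regression suite, so a later refactor cannot silently reintroduce the dereference. The existing comment could also say what the check now covers, e.g. `/* Empty or missing node set ... */`. xmlXPtrNewRangeNodeObject starts and ends outside the hunk, so whether `end` itself is checked earlier is not visible here.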
@@ -1361,7 +1361,7 @@ xmlXPtrEval(const xmlChar *str, xmlXPathContextPtr ctx) {
                     */
                    xmlNodeSetPtr set;
                    set = tmp->nodesetval;
-                   if ((set->nodeNr != 1) ||
+                   if ((set == NULL) || (set->nodeNr != 1) ||
                        (set->nodeTab[0] != (xmlNodePtr) ctx->doc))
                        stack++;
                } else
@@ -2034,9 +2034,11 @@ xmlXPtrRangeFunction(xmlXPathParserContextPtr ctxt, int nargs) {
        xmlXPathFreeObject(set);
         XP_ERROR(XPATH_MEMORY_ERROR);
     }
-    for (i = 0;i < oldset->locNr;i++) {
-       xmlXPtrLocationSetAdd(newset,
-               xmlXPtrCoveringRange(ctxt, oldset->locTab[i]));
+    if (oldset != NULL) {
+        for (i = 0;i < oldset->locNr;i++) {
+            xmlXPtrLocationSetAdd(newset,
+                    xmlXPtrCoveringRange(ctxt, oldset->locTab[i]));
+        }
     }
 
     /*
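Review bot: When `oldset` is NULL the loop is skipped and the code continues with an empty `newset`, but nothing states that this is the intended result. A one-line comment above the guard would record it, e.g. `/* a NULL location set is treated as empty; newset stays empty */`. Separately, the value returned by xmlXPtrCoveringRange is passed to xmlXPtrLocationSetAdd unchecked, which is only safe if the add ignores a NULL value; that cannot be confirmed from this hunk. xmlXPtrRangeFunction starts and ends outside the hunk.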

