components/libexpat/patches/CVE-2015-1283.patch
changeset 6297 8825fdb03f6c
parent 6295 5bc187901764
child 6298 69961737bb28
6295:5bc187901764 6297:8825fdb03f6c
     1 https://sourceforge.net/p/expat/bugs/528/
       
     2 https://sourceforge.net/p/expat/code_git/ci/ba0f9c3b40c264b8dd392e02a7a060a8fa54f032/
       
     3 
       
     4 diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
       
     5 index f35aa36..97ef730 100644
       
     6 --- a/expat/lib/xmlparse.c
       
     7 +++ b/expat/lib/xmlparse.c
       
     8 @@ -1678,6 +1678,10 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
       
     9  void * XMLCALL
       
    10  XML_GetBuffer(XML_Parser parser, int len)
       
    11  {
       
    12 +  if (len < 0) {
       
    13 +    errorCode = XML_ERROR_NO_MEMORY;
       
    14 +    return NULL;
       
    15 +  }
       
    16    switch (ps_parsing) {
       
    17    case XML_SUSPENDED:
       
    18      errorCode = XML_ERROR_SUSPENDED;
       
    19 @@ -1689,8 +1693,11 @@ XML_GetBuffer(XML_Parser parser, int len)
       
    20    }
       
    21  
       
    22    if (len > bufferLim - bufferEnd) {
       
    23 -    /* FIXME avoid integer overflow */
       
    24      int neededSize = len + (int)(bufferEnd - bufferPtr);
       
    25 +    if (neededSize < 0) {
       
    26 +      errorCode = XML_ERROR_NO_MEMORY;
       
    27 +      return NULL;
       
    28 +    }
       
    29  #ifdef XML_CONTEXT_BYTES
       
    30      int keep = (int)(bufferPtr - buffer);
       
    31  
       
    32 @@ -1719,7 +1726,11 @@ XML_GetBuffer(XML_Parser parser, int len)
       
    33          bufferSize = INIT_BUFFER_SIZE;
       
    34        do {
       
    35          bufferSize *= 2;
       
    36 -      } while (bufferSize < neededSize);
       
    37 +      } while (bufferSize < neededSize && bufferSize > 0);
       
    38 +      if (bufferSize <= 0) {
       
    39 +        errorCode = XML_ERROR_NO_MEMORY;
       
    40 +        return NULL;
       
    41 +      }
       
    42        newBuf = (char *)MALLOC(bufferSize);
       
    43        if (newBuf == 0) {
       
    44          errorCode = XML_ERROR_NO_MEMORY;