From 4be2cb5afcc018d996f34bbbce6374b7befad47f Mon Sep 17 00:00:00 2001
From: Sebastian Pipping
Date: Sun, 28 May 2017 21:57:37 +0200
Subject: [PATCH] Detect overflow from len=INT_MAX call to XML_Parse

Relevant only when XML_CONTEXT_BYTES not defined
---
 expat/lib/xmlparse.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
index 4b5e38ba..3dd031fd 100644
--- a/expat/lib/xmlparse.c
+++ b/expat/lib/xmlparse.c
@@ -1704,6 +1704,13 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal)
 const char *end;
 int nLeftOver;
 enum XML_Status result;
+ /* Detect overflow (a+b > MAX <==> b > MAX-a) */
+ if (len > (XML_Index)-1 - parseEndByteIndex) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ eventPtr = eventEndPtr = NULL;
+ processor = errorProcessor;
+ return XML_STATUS_ERROR;
+ }
 parseEndByteIndex += len;
 positionPtr = s;
 ps_finalBuffer = (XML_Bool)isFinal;
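Review bot: The bound on the added `if` line is wrong: XML_Index is a signed type in expat.h (long, or long long under XML_LARGE_SIZE), so `(XML_Index)-1` evaluates to -1 rather than the type's maximum, and `-1 - parseEndByteIndex` is negative for every non-negative byte index, which makes the guard reject every call with len >= 0 and return XML_STATUS_ERROR instead of catching only the overflow case. The maximum should be derived from the unsigned companion type, e.g. `if (len > (XML_Index)(((XML_Size)-1) / 2) - parseEndByteIndex) {`, which yields the largest value a signed XML_Index of the same width can hold. The check also lets a negative len through, after which `parseEndByteIndex += len` moves the index backwards; unless callers are screened elsewhere, a `len < 0` rejection belongs next to this guard. XML_Parse's body continues beyond the hunk.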