From 7e5b71b748491b6e459e5c9a1d090820f94544d8 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping
Date: Tue, 13 Jun 2017 23:10:08 +0200
Subject: [PATCH] xmlparse.c: Fix XML_Size/XML_Index cast mixup

The "MAX = (type)-1" hack only works for unsigned types: XML_Size is unsigned but XML_Index is not. As the positive maximum of signed integers is about half as big as that of their unsigned counterpart, we divide by 2. Example for 2 bit integers:
* signed: -2, -1, 0, 1 == 2^1-1
* unsigned: 0, 1, 2, 3 == 2^2-1

Fixing 4be2cb5afcc018d996f34bbbce6374b7befad47f
---
 expat/lib/xmlparse.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
index e96f4595..35455799 100644
--- a/expat/lib/xmlparse.c
+++ b/expat/lib/xmlparse.c
@@ -1811,7 +1811,7 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal)
 int nLeftOver;
 enum XML_Status result;
 /* Detect overflow (a+b > MAX <==> b > MAX-a) */
- if (len > (XML_Index)-1 - parseEndByteIndex) {
+ if (len > ((XML_Size)-1) / 2 - parseEndByteIndex) {
 errorCode = XML_ERROR_NO_MEMORY;
 eventPtr = eventEndPtr = NULL;
 processor = errorProcessor;
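Review bot: The new condition on the `+` line still compares `int len` (see the hunk header) against an XML_Size expression, so `len` and, per the commit message, the signed XML_Index `parseEndByteIndex` are both converted to unsigned implicitly; a negative `len` then becomes a huge value and is rejected, but as XML_ERROR_NO_MEMORY rather than as a bad argument, and an implicit signed/unsigned mixup is exactly what made the previous version wrong. I would make the intent visible with an explicit range check and explicit casts, e.g. `if (len < 0 || (XML_Size)len > ((XML_Size)-1) / 2 - (XML_Size)parseEndByteIndex) {`, ideally reporting the negative-length case with a distinct error code if the API provides one. The context comment above the check should also explain the halving, e.g. `/* Detect overflow (a+b > MAX <==> b > MAX-a); MAX is the largest XML_Index, i.e. half of (XML_Size)-1 */`, since the `/ 2` otherwise reads as a magic constant. Whether `parseEndByteIndex` can ever be negative at this point is not visible in the hunk, and the body of XML_Parse begins and continues outside it.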