Do not compare an out-of-bounds pointer. See https://lwn.net/Articles/278137/
diff --git a/expat/lib/xmltok.c b/expat/lib/xmltok.c
index 2762573..190f16c 100644
--- a/expat/lib/xmltok.c
+++ b/expat/lib/xmltok.c
@@ -366,7 +366,7 @@
while (from < fromLim && to < toLim) {
switch (((struct normal_encoding *)enc)->type[(unsigned char)*from]) {
case BT_LEAD2:
- if (from + 2 > fromLim) {
+ if (fromLim - from < 2) {
res = XML_CONVERT_INPUT_INCOMPLETE;
break;
}
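Review bot: The `break` after `res = XML_CONVERT_INPUT_INCOMPLETE;` in the BT_LEAD2 case leaves only the `switch`, not the enclosing `while (from < fromLim && to < toLim)`, and neither `from` nor `to` has moved at that point. Unless code after the switch (outside this hunk) tests `res`, the loop would re-enter the same case with the same truncated sequence and never terminate on input that ends mid-character. The BT_LEAD4 case in the third hunk uses `goto after;` for the same condition. Using `goto after;` here and in the BT_LEAD3 case of the second hunk would make the three cases consistent. The loop body and the `after` label lie outside the hunks shown.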
@@ -374,7 +374,7 @@
from += 2;
break;
case BT_LEAD3:
- if (from + 3 > fromLim) {
+ if (fromLim - from < 3) {
res = XML_CONVERT_INPUT_INCOMPLETE;
break;
}
@@ -385,11 +385,11 @@
case BT_LEAD4:
{
unsigned long n;
- if (to + 2 > toLim) {
+ if (toLim - to < 2) {
res = XML_CONVERT_OUTPUT_EXHAUSTED;
goto after;
}
- if (from + 4 > fromLim) {
+ if (fromLim - from < 4) {
res = XML_CONVERT_INPUT_INCOMPLETE;
goto after;
}
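Review bot: Nothing near the rewritten checks in the BT_LEAD4 case records why they are written as a length comparison, so a later cleanup could turn `toLim - to < 2` back into `to + 2 > toLim`. A short comment above the first check would prevent that, for example `/* Compare the remaining length: forming to + 2 or from + 4 beyond the buffer end is undefined behaviour and the compiler may drop the test. */`. The subtraction is valid only while `to <= toLim` and `from <= fromLim`, which the loop condition visible in the first hunk establishes at the top of each iteration. The function begins and ends outside this hunk.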
@@ -627,7 +627,7 @@
*fromP = from; \
return XML_CONVERT_OUTPUT_EXHAUSTED; \
} \
- if (from + 4 > fromLim) { \
+ if (fromLim - from < 4) { \
*fromP = from; \
return XML_CONVERT_INPUT_INCOMPLETE; \
} \
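Review bot: Only the input-side check in this macro is converted, so the output-side check needs confirming. The condition guarding `return XML_CONVERT_OUTPUT_EXHAUSTED;` just above sits outside the hunk, and if it is still written as pointer-plus-offset it has the same out-of-bounds comparison this commit removes. It is also worth confirming that the macro's loop keeps `from <= fromLim` on every path reaching this line, since `fromLim - from < 4` depends on that. The macro definition starts and ends outside the hunk.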