Do not compare an out-of-bounds pointer. See https://lwn.net/Articles/278137/
diff --git a/expat/lib/xmltok.c b/expat/lib/xmltok.c
index 2762573..190f16c 100644
--- a/expat/lib/xmltok.c
+++ b/expat/lib/xmltok.c
@@ -366,7 +366,7 @@
   while (from < fromLim && to < toLim) {
     switch (((struct normal_encoding *)enc)->type[(unsigned char)*from]) {
     case BT_LEAD2:
-      if (from + 2 > fromLim) {
+      if (fromLim - from < 2) {
         res = XML_CONVERT_INPUT_INCOMPLETE;
         break;
       }
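Review bot: The rewritten bounds checks carry no comment saying why the subtraction form is required, so a later cleanup could turn `fromLim - from < 2` back into `from + 2 > fromLim`. Forming `from + 2` when fewer than two bytes remain creates a pointer beyond one-past-the-end, which is undefined behaviour, and an optimising compiler is entitled to drop a check built on it. I would add `/* compare remaining length: from + N may point past the buffer, which is UB */` above the BT_LEAD2 check. The same comment applies to the BT_LEAD3 and BT_LEAD4 checks and to the macro check near line 627. The enclosing function starts and ends outside this hunk.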
@@ -374,7 +374,7 @@
       from += 2;
       break;
     case BT_LEAD3:
-      if (from + 3 > fromLim) {
+      if (fromLim - from < 3) {
         res = XML_CONVERT_INPUT_INCOMPLETE;
         break;
       }
@@ -385,11 +385,11 @@
     case BT_LEAD4:
       {
         unsigned long n;
-        if (to + 2 > toLim) {
+        if (toLim - to < 2) {
           res = XML_CONVERT_OUTPUT_EXHAUSTED;
           goto after;
         }
-        if (from + 4 > fromLim) {
+        if (fromLim - from < 4) {
           res = XML_CONVERT_INPUT_INCOMPLETE;
           goto after;
         }
@@ -627,7 +627,7 @@
         *fromP = from; \
         return XML_CONVERT_OUTPUT_EXHAUSTED; \
       } \
-      if (from + 4 > fromLim) { \
+      if (fromLim - from < 4) { \
         *fromP = from; \
         return XML_CONVERT_INPUT_INCOMPLETE; \
       } \
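Review bot: The output-space test guarding the `XML_CONVERT_OUTPUT_EXHAUSTED` return just above the changed line starts outside this hunk, so the patch leaves it unmodified. If it is still written as a pointer-plus-constant comparison against `toLim`, it has the same out-of-bounds pointer problem and should become a remaining-length comparison in the style of `fromLim - from < 4`. The macro body continues outside the hunk, so its other cases may contain output checks that need the same audit.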