From a4d77355e3f18d5538efbd786b026a2bf1a68545 Mon Sep 17 00:00:00 2001
From: Gustavo Grieco
Date: Mon, 2 May 2016 00:35:34 +0200
Subject: [PATCH] Fix two integer overflows

---
 src/expat/lib/xmlparse.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/expat/lib/xmlparse.c b/src/expat/lib/xmlparse.c
index 974db712f4..a09071f3f4 100644
--- a/src/expat/lib/xmlparse.c
+++ b/src/expat/lib/xmlparse.c
@@ -6265,8 +6265,13 @@ poolGrow(STRING_POOL *pool)
 }
 }
 if (pool->blocks && pool->start == pool->blocks->s) {
+ BLOCK *temp;
 int blockSize = (int)(pool->end - pool->start)*2;
- BLOCK *temp = (BLOCK *)
+
+ if (blockSize < 0)
+ return XML_FALSE;
+
+ temp = (BLOCK *)
 pool->mem->realloc_fcn(pool->blocks,
 (offsetof(BLOCK, s)
 + blockSize * sizeof(XML_Char)));
@@ -6281,6 +6286,10 @@ poolGrow(STRING_POOL *pool)
 else {
 BLOCK *tem;
 int blockSize = (int)(pool->end - pool->start);
+
+ if (blockSize < 0)
+ return XML_FALSE;
+
 if (blockSize < INIT_BLOCK_SIZE)
 blockSize = INIT_BLOCK_SIZE;
 else
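Review bot: The new `if (blockSize < 0)` guard in the first hunk runs after `(int)(pool->end - pool->start)*2` has already been evaluated, so it depends on signed overflow wrapping to a negative value, which is undefined behaviour in C; an optimising compiler is entitled to fold `x*2 < 0` into `x < 0` and the overflow case is then never detected, leaving an undersized `realloc_fcn` request followed by the copy into `pool->blocks->s`. Check the range before doubling instead: `int blockSize = (int)(pool->end - pool->start);` / `if (blockSize < 0 || blockSize > INT_MAX / 2) return XML_FALSE;` / `blockSize *= 2;` (needs `<limits.h>` if xmlparse.c does not already include it). Note also that the `(int)` cast of a `ptrdiff_t` is implementation-defined once the pool exceeds `INT_MAX` chars, so a positive-but-truncated size would still slip through this guard; if that case matters here, compare the untruncated difference against the bound before casting. On 32-bit targets with a multi-byte `XML_Char`, `offsetof(BLOCK, s) + blockSize * sizeof(XML_Char)` can still wrap in `size_t`, which none of these checks address. poolGrow begins and ends outside the hunk.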
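Review bot: In the second hunk the `if (blockSize < 0)` check only rejects a difference whose `(int)` cast came out negative; the `else` arm that follows `if (blockSize < INIT_BLOCK_SIZE)` lies outside the hunk, and if it doubles `blockSize` the way the realloc path does, a value above `INT_MAX / 2` passes this guard and then overflows (undefined behaviour) right after it. A bound on the pre-doubling value closes that gap in one line: `if (blockSize < 0 || blockSize > INT_MAX / 2) return XML_FALSE;` (`INT_MAX` needs `<limits.h>` if it is not already included). The function body continues past the last context line, so the doubling itself is inferred rather than visible here.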