From f88eff9cdbfdfcc034f0149ee4d5c803f1c8025a Mon Sep 17 00:00:00 2001
From: Sebastian Pipping
Date: Sun, 1 May 2016 23:55:02 +0200
Subject: [PATCH] Do not grow pool to out-of-memory for incomplete input

---
 src/expat/lib/xmlparse.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/src/expat/lib/xmlparse.c b/src/expat/lib/xmlparse.c
index a09071f3f4..840f255d23 100644
--- a/src/expat/lib/xmlparse.c
+++ b/src/expat/lib/xmlparse.c
@@ -6174,15 +6174,12 @@ static XML_Char *
 poolAppend(STRING_POOL *pool, const ENCODING *enc,
            const char *ptr, const char *end)
 {
-  ICHAR* poolPtrPrev = NULL;
   if (!pool->ptr && !poolGrow(pool))
     return NULL;
   for (;;) {
-    XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end);
-    /* complete or zero progress? */
-    if (ptr == end || pool->ptr == poolPtrPrev)
+    const enum XML_Convert_Result convert_res = XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end);
+    if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
       break;
-    poolPtrPrev = pool->ptr;
     if (!poolGrow(pool))
       return NULL;
   }
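Review bot: The new break condition drops the explanatory comment the old loop carried, and the reason XML_CONVERT_INPUT_INCOMPLETE must stop the loop is not obvious from the code alone: a trailing partial multi-byte sequence can never be completed by giving XmlConvert more output space, so growing the pool on that result would only repeat until poolGrow fails. Suggest putting `/* Stop on completion or on a trailing partial sequence: more output space cannot help, and growing would only run the pool to allocation failure */` above the new `if`. The single long `const enum XML_Convert_Result convert_res = XmlConvert(...)` line would read better split after the `=`, matching the wrapped style of the signature just above. Note that on XML_CONVERT_INPUT_INCOMPLETE the function still falls through to its normal return after the loop, so callers cannot distinguish a truncated tail from a complete conversion; presumably acceptable because the input has already been tokenized, but worth confirming at the call sites. poolAppend's body continues past the end of the hunk.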