Do not grow pool to out-of-memory for incomplete input

diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
index e810e3e4df2b0f6e8921b42ca8746bd47b2498d1..c1fe494fce0293d0d3ed09075375db73c763094c 100644 (file)
--- a/expat/lib/xmlparse.c
+++ b/expat/lib/xmlparse.c
@@ -6196,15 +6196,12 @@ static XML_Char *
 poolAppend(STRING_POOL *pool, const ENCODING *enc,
            const char *ptr, const char *end)
 {
-  ICHAR* poolPtrPrev = NULL;
   if (!pool->ptr && !poolGrow(pool))
     return NULL;
   for (;;) {
-    XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end);
-    /* complete or zero progress? */
-    if (ptr == end || pool->ptr == poolPtrPrev)
+    const enum XML_Convert_Result convert_res = XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end);
+    if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
       break;
-    poolPtrPrev = pool->ptr;
     if (!poolGrow(pool))
       return NULL;
   }