Fix uninitialized read of size 1 in little2_updatePosition

Reported by Pascal Cuoq

Valgrind's view:
==4416== Conditional jump or move depends on uninitialised value(s)
==4416==    at 0x41F187: little2_updatePosition (xmltok_impl.c:1748)
==4416==    by 0x405F85: XML_GetCurrentColumnNumber (xmlparse.c:1931)
==4416==    by 0x402F7B: reportError (xmlfile.c:67)
==4416==    by 0x403041: processFile (xmlfile.c:84)
==4416==    by 0x403752: filemap (unixfilemap.c:61)
==4416==    by 0x403523: XML_ProcessFile (xmlfile.c:239)
==4416==    by 0x402EBC: main (xmlwf.c:847)

diff --git a/expat/lib/xmltok_impl.c b/expat/lib/xmltok_impl.c
index 647843d64bcae477a6cd5433b2f55b159686ced9..2a877f3c2e8a5bc71d8795de0e0e276659014051 100644 (file)
--- a/expat/lib/xmltok_impl.c
+++ b/expat/lib/xmltok_impl.c
@@ -1744,7 +1744,7 @@ PREFIX(updatePosition)(const ENCODING *enc,
                        const char *end,
                        POSITION *pos)
 {
-  while (ptr < end) {
+  while (end - ptr >= MINBPC(enc)) {
     switch (BYTE_TYPE(enc, ptr)) {
 #define LEAD_CASE(n) \
     case BT_LEAD ## n: \