From 9ff1d645bf56e49fb38dfef09d098882c38b2d80 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping
Date: Sun, 1 May 2016 23:55:02 +0200
Subject: [PATCH] Do not grow pool to out-of-memory for incomplete input

---
 expat/lib/xmlparse.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
index e810e3e4..c1fe494f 100644
--- a/expat/lib/xmlparse.c
+++ b/expat/lib/xmlparse.c
@@ -6196,15 +6196,12 @@ static XML_Char *
 poolAppend(STRING_POOL *pool, const ENCODING *enc,
            const char *ptr, const char *end)
 {
-  ICHAR* poolPtrPrev = NULL;
   if (!pool->ptr && !poolGrow(pool))
     return NULL;
   for (;;) {
-    XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end);
-    /* complete or zero progress? */
-    if (ptr == end || pool->ptr == poolPtrPrev)
+    const enum XML_Convert_Result convert_res = XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end);
+    if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
       break;
-    poolPtrPrev = pool->ptr;
     if (!poolGrow(pool))
       return NULL;
   }
-- 
2.40.0
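Review bot: The new break condition treats XML_CONVERT_INPUT_INCOMPLETE exactly like XML_CONVERT_COMPLETED, so poolAppend stops growing but then falls through to the return after the loop (outside the hunk) holding a partially converted string, with nothing telling the caller that input bytes were left unconsumed. That is the right fix for the unbounded growth the old zero-progress check was meant to catch, but the distinction is now invisible at the call site, so the `if` deserves a comment such as `/* INPUT_INCOMPLETE: a truncated trailing byte sequence can never fit however large the pool gets; stop here instead of growing forever. The caller receives only the prefix converted so far. */`. Whether any caller can actually hand poolAppend a truncated sequence depends on the tokenizer delivering whole tokens, which this hunk does not show; if that is not guaranteed, a caller-visible signal would be safer than a silent prefix. The loop now grows only when XmlConvert returns the remaining enumerator, XML_CONVERT_OUTPUT_EXHAUSTED, and naming that in the comment makes the termination invariant explicit. The declaration line is over 100 columns and would read better split after the `=`.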