From a12e78cb1b290e26a2b669eff3664d76bb73a408 Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Fri, 13 May 2016 22:40:15 +0200 Subject: [PATCH] Fix uninitialized read of size 1 in little2_updatePosition Reported by Pascal Cuoq Valgrind's view: ==4416== Conditional jump or move depends on uninitialised value(s) ==4416== at 0x41F187: little2_updatePosition (xmltok_impl.c:1748) ==4416== by 0x405F85: XML_GetCurrentColumnNumber (xmlparse.c:1931) ==4416== by 0x402F7B: reportError (xmlfile.c:67) ==4416== by 0x403041: processFile (xmlfile.c:84) ==4416== by 0x403752: filemap (unixfilemap.c:61) ==4416== by 0x403523: XML_ProcessFile (xmlfile.c:239) ==4416== by 0x402EBC: main (xmlwf.c:847) --- expat/lib/xmltok_impl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/expat/lib/xmltok_impl.c b/expat/lib/xmltok_impl.c index 647843d6..2a877f3c 100644 --- a/expat/lib/xmltok_impl.c +++ b/expat/lib/xmltok_impl.c @@ -1744,7 +1744,7 @@ PREFIX(updatePosition)(const ENCODING *enc, const char *end, POSITION *pos) { - while (ptr < end) { + while (end - ptr >= MINBPC(enc)) { switch (BYTE_TYPE(enc, ptr)) { #define LEAD_CASE(n) \ case BT_LEAD ## n: \ -- 2.40.0
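Review bot: The new loop condition deserves a one-line comment in the hunk, because `while (end - ptr >= MINBPC(enc))` reads as an odd replacement for `while (ptr < end)` without context: for the two-byte encodings (little2, as named in the subject) `BYTE_TYPE(enc, ptr)` on the next line inspects both bytes of a unit, so a single trailing byte satisfied `ptr < end` yet let the switch read one byte past the data, which is the uninitialised read Valgrind reports at xmltok_impl.c:1748 via XML_GetCurrentColumnNumber. For one-byte encodings MINBPC is 1 and the new test is equivalent to the old one, so this is a no-op there; stating both facts next to the condition would stop a future cleanup from "simplifying" it back. Since the commit message only carries the Valgrind trace, a regression test that feeds an odd-length UTF-16LE document, lets the parse fail, and then calls XML_GetCurrentColumnNumber would pin the fix down.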