From 06ea3e152cd86fcf7dc3af9f37369a3b01af4e40 Mon Sep 17 00:00:00 2001
From: Pascal Cuoq
Date: Sun, 15 May 2016 20:05:50 +0200
Subject: [PATCH] Do not compare an out-of-bounds pointer. See https://lwn.net/Articles/278137/
---
 src/expat/lib/xmltok.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/expat/lib/xmltok.c b/src/expat/lib/xmltok.c
index e69966fe41..a7f071ea4b 100644
--- a/src/expat/lib/xmltok.c
+++ b/src/expat/lib/xmltok.c
@@ -359,7 +359,7 @@ utf8_toUtf16(const ENCODING *enc,
 while (from < fromLim && to < toLim) {
 switch (((struct normal_encoding *)enc)->type[(unsigned char)*from]) {
 case BT_LEAD2:
- if (from + 2 > fromLim) {
+ if (fromLim - from < 2) {
 res = XML_CONVERT_INPUT_INCOMPLETE;
 break;
 }
@@ -367,7 +367,7 @@ utf8_toUtf16(const ENCODING *enc,
 from += 2;
 break;
 case BT_LEAD3:
- if (from + 3 > fromLim) {
+ if (fromLim - from < 3) {
 res = XML_CONVERT_INPUT_INCOMPLETE;
 break;
 }
@@ -378,11 +378,11 @@ utf8_toUtf16(const ENCODING *enc,
 case BT_LEAD4:
 {
 unsigned long n;
- if (to + 2 > toLim) {
+ if (toLim - to < 2) {
 res = XML_CONVERT_OUTPUT_EXHAUSTED;
 goto after;
 }
- if (from + 4 > fromLim) {
+ if (fromLim - from < 4) {
 res = XML_CONVERT_INPUT_INCOMPLETE;
 goto after;
 }
@@ -620,7 +620,7 @@ E ## toUtf8(const ENCODING *enc, \
 *fromP = from; \
 return XML_CONVERT_OUTPUT_EXHAUSTED; \
 } \
- if (from + 4 > fromLim) { \
+ if (fromLim - from < 4) { \
 *fromP = from; \
 return XML_CONVERT_INPUT_INCOMPLETE; \
 } \
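Review bot: In the `BT_LEAD2` case of the first hunk, and again in the `BT_LEAD3` case of the second, the incomplete-input branch ends in `break;`, which leaves only the `switch`, whereas the `BT_LEAD4` case in the third hunk uses `goto after;`. If nothing after the switch exits the loop, `from` and `to` stay unchanged and `while (from < fromLim && to < toLim)` would re-examine the same lead byte indefinitely, so a multi-byte sequence truncated at the end of the input could hang the converter. Consider ending both branches with `goto after;` to match `BT_LEAD4`. The body of utf8_toUtf16 starts and ends outside these hunks, so this should be confirmed against the full function.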
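Review bot: Nothing at the rewritten checks in the `BT_LEAD4` hunk records why the remaining length is computed by subtraction, so a later cleanup could turn `fromLim - from < 4` back into the pointer-addition form this commit removes. A short comment at the first site would prevent that, e.g. `/* compare remaining length: forming from + 4 beyond the end of the buffer is undefined, and compilers may drop such a check */`. The same applies to `toLim - to < 2` above it and to the macro site in the `toUtf8` hunk. The subtraction itself is only well defined while `from <= fromLim` and `to <= toLim`, which the visible loop condition suggests but which the code outside these hunks must maintain.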