Looks good to me as the code uses the same pattern as everywhere else to detect integer overflow.

@rillig thanks for the review 👍

CVE request submitted to Mitre just now.

Got CVE-2022-23852

Looks good to me as well. Thank you for extending the test into its own test case and adjusting the signed overflow check!

@ferivoz thanks for the review 👍

Merging now...

Can anyone who submitted a CVE explain in more detail what is this package for and what might be affected by using it?

@iamkarlson are you asking what libexpat is being used for in general? Have you read the project description? For an (incomplete) list of hardware and other Open Source software using libexpat please see https://libexpat.github.io/doc/users/ .

Hi, the CVSS value of 9.8 seems quite high for an integer overflow. Is there any malicious advantage that I don't see at the moment?

@DominikBauer1 to my best knowledge it is unclear how much more than DoS can be gotten out of that overflow: The optimistic view is "probably just DoS" and the pessimistic one is "this could be code execution". That's why I wrote "Impact is denial of service or more" in the change log. I didn't suggest a score that high, but maybe the person who made that choice has information that I don't. Does that answer the question?

@hartwork Yes, that answers my question. Thanks for the quick reply.

@hartwork yes, that's what I was looking for. We're using docker images and I wanted to remove all unpatched dependencies from them.

@iamkarlson unless an app comes with their own bundled copy of libexpat (and most distros will patch bundles out for security reasons), updating libexpat in the distro will get the fix to all apps at once, because they all use that very instance, that's the idea. If you want to discuss this more, let's take it to e-mail, my contact is on the profile page, just so we don't spam everyone here with something that is not super specific to this very vulnerability fix. Okay? Thank you!