1 files changed, 35 insertions, 0 deletions

diff --git a/gnu/packages/patches/expat-CVE-2016-0718-fix-regression.patch b/gnu/packages/patches/expat-CVE-2016-0718-fix-regression.patch
new file mode 100644
index 0000000000..b489401fea
--- /dev/null
+++ b/gnu/packages/patches/expat-CVE-2016-0718-fix-regression.patch
@@ -0,0 +1,35 @@
+Fix regression caused by fix for CVE-2016-0718 when building with -DXML_UNICODE.
+
+Discussion:
+
+https://sourceforge.net/p/expat/bugs/539/
+
+Patch copied from upstream source repository:
+
+https://sourceforge.net/p/expat/code_git/ci/af507cef2c93cb8d40062a0abe43a4f4e9158fb2/
+
+From af507cef2c93cb8d40062a0abe43a4f4e9158fb2 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 17 Jul 2016 20:22:29 +0200
+Subject: [PATCH 1/2] Fix regression bug #539 (needs -DXML_UNICODE)
+
+Thanks to Andy Wang and Karl Waclawek!
+---
+ expat/lib/xmlparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index b308e67..0d5dd7b 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2468,7 +2468,7 @@ doContent(XML_Parser parser,
+                        &fromPtr, rawNameEnd,
+                        (ICHAR **)&toPtr, (ICHAR *)tag->bufEnd - 1);
+             convLen = (int)(toPtr - (XML_Char *)tag->buf);
+-            if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) {
++            if ((fromPtr >= rawNameEnd) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) {
+               tag->name.strLen = convLen;
+               break;
+             }
+-- 
+2.10.0