From 5e7354d86b049f193feebf8ac7f853bc5905cb39 Mon Sep 17 00:00:00 2001
From: Eric Rahm
Date: Sat, 21 May 2016 10:05:05 -0700
Subject: [PATCH] Bug 1236923 - Check int for overflow. r=peterv

---
 parser/expat/lib/xmlparse.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/parser/expat/lib/xmlparse.c b/parser/expat/lib/xmlparse.c
index 69145ac379b5..0d78733b0765 100644
--- a/parser/expat/lib/xmlparse.c
+++ b/parser/expat/lib/xmlparse.c
@@ -6286,6 +6286,9 @@ poolGrow(STRING_POOL *pool)
 }
 if (pool->blocks && pool->start == pool->blocks->s) {
 int blockSize = (int)(pool->end - pool->start)*2;
+ if (blockSize < 0)
+ return XML_FALSE;
+
 pool->blocks = (BLOCK *)
 pool->mem->realloc_fcn(pool->blocks,
 (offsetof(BLOCK, s)
@@ -6300,10 +6303,17 @@ poolGrow(STRING_POOL *pool)
 else {
 BLOCK *tem;
 int blockSize = (int)(pool->end - pool->start);
+ if (blockSize < 0)
+ return XML_FALSE;
+
 if (blockSize < INIT_BLOCK_SIZE)
 blockSize = INIT_BLOCK_SIZE;
 else
 blockSize *= 2;
+
+ if (blockSize < 0)
+ return XML_FALSE;
+
 tem = (BLOCK *)pool->mem->malloc_fcn(offsetof(BLOCK, s)
 + blockSize * sizeof(XML_Char));
 if (!tem)
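Review bot: In the first hunk the added `if (blockSize < 0)` runs only after `(int)(pool->end - pool->start)*2` has been evaluated, so the case it is meant to catch is a signed-integer overflow that has already happened — undefined behaviour, which a compiler may exploit by assuming the doubled value cannot be negative and dropping the check; the `if (blockSize < 0)` that follows `blockSize *= 2;` in the second hunk has the same problem. Range-check the operands before the arithmetic instead, e.g. in the first hunk `ptrdiff_t len = pool->end - pool->start;` / `if (len < 0 || len > INT_MAX / 2) return XML_FALSE;` / `int blockSize = (int)len * 2;`, and in the second hunk `if (blockSize > INT_MAX / 2) return XML_FALSE;` ahead of the `*= 2` (INT_MAX comes from `<limits.h>`, if that header is not already included). The `(int)` cast of the pointer difference is also only implementation-defined for out-of-range values and can yield a small positive number, so the `< 0` test placed right after it in the second hunk does not reject every truncation; comparing the `ptrdiff_t` against INT_MAX before casting closes that as well. poolGrow begins and ends outside both hunks.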