addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Impact
A remote attacker could send specially crafted XML which, when parsed by an application using the Expat library, would result in a buffer over-read and cause the application to stop responding.
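A first-pass check for the affected range stated above ("before 2.4.3"), as an added example that is not part of the advisory or of the Expat project. The helper names and the sample version strings are constructed for illustration; `EXPAT_VERSION` is the real attribute of Python's `xml.parsers.expat` module and reports the libexpat that the interpreter itself uses.

```python
import re
from xml.parsers import expat

# First release outside the affected range, per the advisory text ("before 2.4.3").
FIXED = (2, 4, 3)


def parse_expat_version(text):
    """Return (major, minor, micro) from 'expat_2.4.1' or '2.4.1', else None."""
    m = re.fullmatch(r"(?:expat_)?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(part) for part in m.groups()) if m else None


def is_affected(text):
    """True if the version is before 2.4.3, False if not, None if unparseable."""
    version = parse_expat_version(text)
    if version is None:
        return None
    # Tuple comparison is numeric, so 2.10.0 correctly sorts after 2.4.3;
    # a plain string comparison would get that case wrong.
    return version < FIXED


def runtime_report():
    """Report on the libexpat this Python interpreter's pyexpat was built against."""
    return expat.EXPAT_VERSION, is_affected(expat.EXPAT_VERSION)


# Constructed sample inventory (hypothetical hosts, not real scan data).
SAMPLE_INVENTORY = {
    "host-a": "expat_2.2.10",
    "host-b": "expat_2.4.2",
    "host-c": "expat_2.4.3",
    "host-d": "2.10.0",
    "host-e": "unknown",
}

if __name__ == "__main__":
    for host, reported in SAMPLE_INVENTORY.items():
        verdict = {True: "AFFECTED", False: "ok", None: "cannot tell"}[is_affected(reported)]
        print(f"{host}: {reported} -> {verdict}")
    print("this interpreter:", runtime_report())
```

Distribution packages often backport fixes without changing the upstream version number, so confirm an "affected" result against the vendor's package changelog before acting on it.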