diff --git a/expat-2.2.10-Detect-and-prevent-integer-overflow-in-XML_GetBuffer.patch b/expat-2.2.10-Detect-and-prevent-integer-overflow-in-XML_GetBuffer.patch
new file mode 100644
index 0000000..58d9941
--- /dev/null
+++ b/expat-2.2.10-Detect-and-prevent-integer-overflow-in-XML_GetBuffer.patch
@@ -0,0 +1,62 @@
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index d54af683..5ce31402 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) {
+ keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
+ if (keep > XML_CONTEXT_BYTES)
+ keep = XML_CONTEXT_BYTES;
++ /* Detect and prevent integer overflow */
++ if (keep > INT_MAX - neededSize) {
++ parser->m_errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
+ neededSize += keep;
+ #endif /* defined XML_CONTEXT_BYTES */
+ if (neededSize
+diff --git a/tests/runtests.c b/tests/runtests.c
+index e89e8220..579dad1a 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -3847,6 +3847,30 @@ START_TEST(test_get_buffer_2) {
+ }
+ END_TEST
+ 
++/* Test for signed integer overflow CVE-2022-23852 */
++#if defined(XML_CONTEXT_BYTES)
++START_TEST(test_get_buffer_3_overflow) {
++ XML_Parser parser = XML_ParserCreate(NULL);
++ assert(parser != NULL);
++
++ const char *const text = "\n";
++ const int expectedKeepValue = (int)strlen(text);
++
++ // After this call, variable "keep" in XML_GetBuffer will
++ // have value expectedKeepValue
++ if (XML_Parse(parser, text, (int)strlen(text), XML_FALSE /* isFinal */)
++ == XML_STATUS_ERROR)
++ xml_failure(parser);
++
++ assert(expectedKeepValue > 0);
++ if (XML_GetBuffer(parser, INT_MAX - expectedKeepValue + 1) != NULL)
++ fail("enlarging buffer not failed");
++
++ XML_ParserFree(parser);
++}
++END_TEST
++#endif // defined(XML_CONTEXT_BYTES)
++
+ /* Test position information macros */
+ START_TEST(test_byte_info_at_end) {
+ const char *text = "";
+@@ -11731,6 +11755,9 @@ make_suite(void) {
+ tcase_add_test(tc_basic, test_empty_parse);
+ tcase_add_test(tc_basic, test_get_buffer_1);
+ tcase_add_test(tc_basic, test_get_buffer_2);
++#if defined(XML_CONTEXT_BYTES)
++ tcase_add_test(tc_basic, test_get_buffer_3_overflow);
++#endif
+ tcase_add_test(tc_basic, test_byte_info_at_end);
+ tcase_add_test(tc_basic, test_byte_info_at_error);
+ tcase_add_test(tc_basic, test_byte_info_at_cdata);
+
diff --git a/expat.spec b/expat.spec
index 023caf6..324375f 100644
--- a/expat.spec
+++ b/expat.spec
@@ -3,7 +3,7 @@ Summary: An XML parser library
 Name: expat
 Version: %(echo %{unversion} | sed 's/_/./g')
-Release: 8%{?dist}
+Release: 9%{?dist}
 Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
 URL: https://libexpat.github.io/
 License: MIT
@@ -13,6 +13,7 @@ Patch0: expat-2.2.10-prevent-integer-overflow-in-doProlog.patch
 Patch1: expat-2.2.10-Prevent-more-integer-overflows.patch
 Patch2: expat-2.2.10-Prevent-integer-overflow-on-m_groupSize-in-function.patch
 Patch3: expat-2.2.10-Detect-and-prevent-troublesome-left-shifts.patch
+Patch4: expat-2.2.10-Detect-and-prevent-integer-overflow-in-XML_GetBuffer.patch
 %description
 This is expat, the C library for parsing XML, written by James Clark. Expat
@@ -44,6 +45,7 @@ Install it if you need to link statically with expat.
 %patch1 -p1 -b .CVE-2022-22822-CVE-2022-22827
 %patch2 -p1 -b .CVE-2021-46143
 %patch3 -p1 -b .CVE-2021-45960
+%patch4 -p1 -b .CVE-2022-23852
 sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
 ./buildconf.sh
@@ -81,6 +83,10 @@ make check
 %{_libdir}/lib*.a
 %changelog
+* Thu Feb 10 2022 Tomas Korbar - 2.2.10-9
+- CVE-2022-23852 expat: integer overflow in function XML_GetBuffer
+- Resolves: CVE-2022-23852
+
 * Thu Feb 10 2022 Tomas Korbar - 2.2.10-8
 - CVE-2021-45960 expat: Large number of prefixed XML attributes on a single tag can crash libexpat
 - Resolves: CVE-2021-45960
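Review bot: The new guard in XML_GetBuffer, `if (keep > INT_MAX - neededSize)`, is itself free of signed overflow only when neededSize is non-negative, and that precondition is established (if at all) by code before the hunk — upstream 2.2.x rejects a negative neededSize just above this point, but none of it is visible here — so the comment should state the invariant rather than just the intent, e.g. `/* keep >= 0 and neededSize >= 0 here (checked above), so INT_MAX - neededSize cannot wrap */`. Reporting the unrepresentable size as XML_ERROR_NO_MEMORY is consistent with the error the surrounding function appears to use for size failures, which is the right choice for callers that already check that code. XML_GetBuffer's body begins and ends outside the hunk. In the added test_get_buffer_3_overflow, the request `INT_MAX - expectedKeepValue + 1` reads as arbitrary; a one-line comment that it is presumably the smallest len for which keep + neededSize would exceed INT_MAX after the one-byte parse would make the boundary explicit, and the test being compiled only under XML_CONTEXT_BYTES matches the guarded code, so no coverage is lost in the other configuration.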