In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.
The MITRE CVE dictionary describes this issue as: