nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
The MITRE CVE dictionary describes this issue as: