Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.
The MITRE CVE dictionary describes this issue as: