In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.
The MITRE CVE dictionary describes this issue as: