In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
1.3.6p1-41.3.6p1-4+deb7u1build11.16.33-3.2ubuntu31.33.06-0ubuntu10.6.3-3build10.1.0+git20150808-10.1.0+git20150808-20.23.3-2ubuntu26.6.0+dfsg-16.6.0+dfsg-36.6.0+dfsg-3build13.3.14ga11-13.3.14ga11-1build13.20.1+git20120521-63.20.1+git20120521-6build14.8.1-1ubuntu34.8.1-1ubuntu44.8.2-3.1ubuntu14.9.0-3ubuntu24.9.0-4ubuntu14.9.0-4ubuntu1.13.4.0.47.5-0ubuntu3~gcc5.2Exploitability
AV:LAC:LPR:NUI:RScope
S:UImpact
C:HI:HA:HCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H