In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.
CVE-2022-25314 (Candidate) is related to these bugs: