lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. https://nvd.nist.gov/vuln/detail/CVE-2022-22825