--- tree.c.orig	2008-10-31 18:14:00.000000000 -0700
+++ tree.c	2008-10-31 18:14:35.000000000 -0700
@@ -14,7 +14,7 @@
 #include "libxml.h"
 
 #include <string.h> /* for memset() only ! */
-
+#include <limits.h>
 #ifdef HAVE_CTYPE_H
 #include <ctype.h>
 #endif
@@ -6996,7 +6996,13 @@
 	case XML_BUFFER_ALLOC_DOUBLEIT:
 	    /*take care of empty case*/
 	    newSize = (buf->size ? buf->size*2 : size + 10);
-	    while (size > newSize) newSize *= 2;
+	    while (size > newSize) {
+	        if (newSize > UINT_MAX / 2) {
+	            xmlTreeErrMemory("growing buffer");
+	            return 0;
+	        }
+	        newSize *= 2;
+	    }
 	    break;
 	case XML_BUFFER_ALLOC_EXACT:
 	    newSize = size+10;