First, thanks for maintaining expat.
I found this bug in version 2.0.1 but the code is the same in the current development version.
When XML_GetBuffer is called and bufferSize is 0 it will be initialised to INIT_BUFFER_SIZE (1024), which is doubled until it is bigger than neededSize (line 1718). For my example neededSize was
(gdb) p neededSize
$2 = 2128558980
The doubling is optimized to a shift operation (gcc 4.7.0). The doubling shifts the true bit in bufferSize out of scope without breaking the loop.
(gdb) p 1024 << 20
$10 = 1073741824
(gdb) p 1024 << 21
$11 = -2147483648
(gdb) p 1024 << 22
$12 = 0
And then goes into an endless loop.
Still searching why the buffer is so huge but I wanted to mention this bug anyway.
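
The wraparound described in the report above, modelled as an added C example (it is not expat's code and not part of the original post). The function names are hypothetical, 32-bit two's-complement wraparound is simulated with unsigned arithmetic, and the second function shows one possible overflow check, not the project's actual fix.

```c
#include <stdint.h>
#include <stdio.h>

#define INIT_BUFFER_SIZE 1024 /* initial value quoted in the report */

/* Portable reinterpretation of 32 bits as a two's-complement int32_t. */
static int32_t as_i32(uint32_t u)
{
    return u <= INT32_MAX ? (int32_t)u
                          : (int32_t)(u - 0x80000000u) + INT32_MIN;
}

/* Models the reported loop. Signed overflow is undefined in C, so the
 * doubling is done on uint32_t and reinterpreted, matching the gdb output.
 * Returns the number of doublings, or -1 once bufferSize has wrapped to 0
 * (from there 0 * 2 == 0 and the real loop never exits). */
int doublings_until_fit(int32_t neededSize)
{
    uint32_t bits = INIT_BUFFER_SIZE;
    int steps = 0;
    while (as_i32(bits) < neededSize) {
        bits *= 2u;
        steps++;
        if (bits == 0)
            return -1;
    }
    return steps;
}

/* Hypothetical hardened sizing: stop before the doubling can overflow.
 * Returns the buffer size, or 0 if no int32_t-sized buffer can fit. */
int32_t checked_buffer_size(int32_t neededSize)
{
    int32_t bufferSize = INIT_BUFFER_SIZE;
    while (bufferSize < neededSize) {
        if (bufferSize > INT32_MAX / 2)
            return 0; /* caller should report an out-of-memory error */
        bufferSize *= 2;
    }
    return bufferSize;
}

int main(void)
{
    int32_t needed = 2128558980; /* neededSize value from the report */
    printf("wrapping loop: %d\n", doublings_until_fit(needed));
    printf("checked size:  %d\n", (int)checked_buffer_size(needed));
    return 0;
}
```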