diff -r 355af3657df3 Modules/_elementtree.c
--- a/Modules/_elementtree.c	Wed Dec 04 09:43:21 2013 +0100
+++ b/Modules/_elementtree.c	Wed Dec 04 11:02:31 2013 +0100
@@ -924,8 +924,14 @@
         nchildren = 0;
     }
 
+    /* expat limits nchildren to int */
+    if (nchildren > INT_MAX) {
+        PyErr_SetString(PyExc_OverflowError, "too many children");
+        return NULL;
+    }
+
     /* Allocate 'extra'. */
-    if (element_resize(self, nchildren)) {
+    if (element_resize(self, (int)nchildren)) {
         return NULL;
     }
     assert(self->extra && self->extra->allocated >= nchildren);
@@ -936,8 +942,8 @@
         Py_INCREF(self->extra->children[i]);
     }
 
-    self->extra->length = nchildren;
-    self->extra->allocated = nchildren;
+    self->extra->length = (int)nchildren;
+    self->extra->allocated = (int)nchildren;
 
     /* Stash attrib. */
     if (attrib) {
@@ -1490,6 +1496,7 @@
             "child assignment index out of range");
         return -1;
     }
+    /* now index must be smaller than INT_MAX */
 
     old = self->extra->children[index];
 
@@ -1498,7 +1505,7 @@
         self->extra->children[index] = item;
     } else {
         self->extra->length--;
-        for (i = index; i < self->extra->length; i++)
+        for (i = (int)index; i < self->extra->length; i++)
             self->extra->children[i] = self->extra->children[i+1];
     }
 
@@ -1590,6 +1597,11 @@
                 &start, &stop, &step, &slicelen) < 0) {
             return -1;
         }
+        if (slicelen > INT_MAX) {
+            PyErr_SetString(PyExc_OverflowError,
+                            "slice does not fit in an int");
+            return -1;
+        }
 
         if (value == NULL) {
             /* Delete slice */
@@ -1651,7 +1663,7 @@
                     (self->extra->length - cur) * sizeof(PyObject *));
             }
 
-            self->extra->length -= slicelen;
+            self->extra->length -= (int)slicelen;
 
             /* Discard the recycle list with all the deleted sub-elements */
             Py_XDECREF(recycle);
@@ -1668,10 +1680,17 @@
                 return -1;
             }
             newlen = PySequence_Size(seq);
+            if (newlen > INT_MAX) {
+                Py_DECREF(seq);
+                PyErr_SetString(PyExc_OverflowError,
+                                "slice does not fit in an int");
+                return -1;
+            }
         }
 
         if (step !=  1 && newlen != slicelen)
         {
+            Py_XDECREF(seq);
             PyErr_Format(PyExc_ValueError,
                 "attempt to assign sequence of size %zd "
                 "to extended slice of size %zd",
@@ -1682,7 +1701,7 @@
 
         /* Resize before creating the recycle bin, to prevent refleaks. */
         if (newlen > slicelen) {
-            if (element_resize(self, newlen - slicelen) < 0) {
+            if (element_resize(self, (int)(newlen - slicelen)) < 0) {
                 if (seq) {
                     Py_DECREF(seq);
                 }
@@ -1724,7 +1743,7 @@
             self->extra->children[cur] = element;
         }
 
-        self->extra->length += newlen - slicelen;
+        self->extra->length += (int)(newlen - slicelen);
 
         if (seq) {
             Py_DECREF(seq);
@@ -3437,6 +3456,7 @@
     PyObject* buffer;
     PyObject* temp;
     PyObject* res;
+    Py_ssize_t bufsize;
 
     PyObject* fileobj;
     if (!PyArg_ParseTuple(args, "O:_parse", &fileobj))
@@ -3477,9 +3497,16 @@
             break;
         }
 
-        res = expat_parse(
-            self, PyBytes_AS_STRING(buffer), PyBytes_GET_SIZE(buffer), 0
-            );
+        bufsize = PyBytes_GET_SIZE(buffer);
+        if (bufsize > INT_MAX) {
+            Py_DECREF(buffer);
+            Py_DECREF(reader);
+            PyErr_SetString(PyExc_OverflowError,
+                            "read() has returned too much data.");
+            return NULL;
+        }
+
+        res = expat_parse(self, PyBytes_AS_STRING(buffer), (int)bufsize, 0);
 
         Py_DECREF(buffer);