new file mode 100644
@@ -0,0 +1,83 @@
+From 4a264be1794368a1acc08476058b6cf087686d11 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 20 May 2026 12:12:10 +0200
+Subject: [PATCH] lib: Protect function `storeAtts` from signed integer
+ overflow
+
+CVE: CVE-2026-56403
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/12dc6d8d3d65f79471a94d8565f6bf1cf245f648]
+
+Backport Changes:
+- Retain the Expat 2.7.5 binding URI reallocation and active tag pointer
+ updates while using the overflow-safe localPartLen calculation.
+
+(cherry picked from commit 12dc6d8d3d65f79471a94d8565f6bf1cf245f648)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ expat/lib/xmlparse.c | 30 ++++++++++++++++++++----------
+ 1 file changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 0248b665..e441ff7f 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -4235,26 +4235,32 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+ return XML_ERROR_NONE;
+ prefixLen = 0;
+ if (parser->m_ns_triplets && binding->prefix->name) {
+- while (binding->prefix->name[prefixLen++])
+- ; /* prefixLen includes null terminator */
++ size_t candidateLen = 0;
++ while (binding->prefix->name[candidateLen++])
++ ; /* candidateLen includes null terminator */
++ /* Detect and prevent integer overflow */
++ if (candidateLen > INT_MAX)
++ return XML_ERROR_NO_MEMORY;
++ prefixLen = (int)candidateLen;
+ }
+ tagNamePtr->localPart = localPart;
+ tagNamePtr->uriLen = binding->uriLen;
+ tagNamePtr->prefix = binding->prefix->name;
+ tagNamePtr->prefixLen = prefixLen;
+- for (i = 0; localPart[i++];)
+- ; /* i includes null terminator */
++
++ size_t localPartLen = 0;
++ for (; localPart[localPartLen++];)
++ ; /* localPartLen includes null terminator */
+
+ /* Detect and prevent integer overflow */
+- if (binding->uriLen > INT_MAX - prefixLen
+- || i > INT_MAX - (binding->uriLen + prefixLen)) {
++ if (localPartLen > INT_MAX || binding->uriLen > INT_MAX - prefixLen
++ || localPartLen > (size_t)INT_MAX - (binding->uriLen + prefixLen)) {
+ return XML_ERROR_NO_MEMORY;
+ }
+
+- n = i + binding->uriLen + prefixLen;
++ n = (int)localPartLen + binding->uriLen + prefixLen;
+ if (n > binding->uriAlloc) {
+ TAG *p;
+-
+ /* Detect and prevent integer overflow */
+ if (n > INT_MAX - EXPAND_SPARE) {
+ return XML_ERROR_NO_MEMORY;
+@@ -4282,10 +4288,14 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+ }
+ /* if m_namespaceSeparator != '\0' then uri includes it already */
+ uri = binding->uri + binding->uriLen;
+- memcpy(uri, localPart, i * sizeof(XML_Char));
++ /* Detect and prevent integer overflow */
++ if (localPartLen > SIZE_MAX / sizeof(XML_Char)) {
++ return XML_ERROR_NO_MEMORY;
++ }
++ memcpy(uri, localPart, localPartLen * sizeof(XML_Char));
+ /* we always have a namespace separator between localPart and prefix */
+ if (prefixLen) {
+- uri += i - 1;
++ uri += localPartLen - 1;
+ *uri = parser->m_namespaceSeparator; /* replace null terminator */
+ memcpy(uri + 1, binding->prefix->name, prefixLen * sizeof(XML_Char));
+ }
+--
+2.43.7
new file mode 100644
@@ -0,0 +1,52 @@
+From e8100827a4f68c70d8cadf446bb82bec7cbebbac Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Fri, 22 May 2026 00:43:52 +0200
+Subject: [PATCH] xmlwf: Protect function `xcsdup` from signed integer overflow
+
+CVE: CVE-2026-56403
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/147c8f36d6277d5c6011c098370a8362aed47b15]
+
+Backport Changes:
+- Include stdint.h explicitly because Expat 2.7.5 does not expose SIZE_MAX
+ to xmlwf.c.
+
+(cherry picked from commit 147c8f36d6277d5c6011c098370a8362aed47b15)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ expat/xmlwf/xmlwf.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/expat/xmlwf/xmlwf.c b/expat/xmlwf/xmlwf.c
+index 2d0c4f8e..934473ce 100644
+--- a/expat/xmlwf/xmlwf.c
++++ b/expat/xmlwf/xmlwf.c
+@@ -46,6 +46,7 @@
+
+ #include <assert.h>
+ #include <stdio.h>
++#include <stdint.h>
+ #include <stdlib.h>
+ #include <stddef.h>
+ #include <string.h>
+@@ -305,13 +306,18 @@ processingInstruction(void *userData, const XML_Char *target,
+ static XML_Char *
+ xcsdup(const XML_Char *s) {
+ XML_Char *result;
+- int count = 0;
++ size_t count = 0;
+ size_t numBytes;
+
+ /* Get the length of the string, including terminator */
+ while (s[count++] != 0) {
+ /* Do nothing */
+ }
++
++ // Detect and prevent integer overflow
++ if (count > SIZE_MAX / sizeof(XML_Char))
++ return NULL;
++
+ numBytes = count * sizeof(XML_Char);
+ result = malloc(numBytes);
+ if (result == NULL)
+--
+2.43.7
@@ -10,6 +10,8 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}"
SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
file://run-ptest \
+ file://CVE-2026-56403_p1.patch;striplevel=2 \
+ file://CVE-2026-56403_p2.patch;striplevel=2 \
"
GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"