new file mode 100644
@@ -0,0 +1,52 @@
+From 10938bc2cef7573087566b5b1c948061baa68b98 Mon Sep 17 00:00:00 2001
+From: netliomax25-code <netliomax25@gmail.com>
+Date: Mon, 1 Jun 2026 11:53:19 +0530
+Subject: [PATCH] xmlwf: protect output path join from integer overflow
+
+CVE: CVE-2026-56409
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/61f7cdda22546c4bee38dd2d3fa3d6e4aa64d33e]
+
+Backport Changes:
+- Adapt the allocation hunk to the explicit cast used by Expat 2.7.5.
+
+(cherry picked from commit 61f7cdda22546c4bee38dd2d3fa3d6e4aa64d33e)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ expat/xmlwf/xmlwf.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/expat/xmlwf/xmlwf.c b/expat/xmlwf/xmlwf.c
+index 06416454..6a0a707a 100644
+--- a/expat/xmlwf/xmlwf.c
++++ b/expat/xmlwf/xmlwf.c
+@@ -1236,8 +1236,26 @@ tmain(int argc, XML_Char **argv) {
+ }
+ #endif
+ }
+- outName = (XML_Char *)malloc((tcslen(outputDir) + tcslen(file) + 2)
+- * sizeof(XML_Char));
++ const size_t outputDirLen = tcslen(outputDir);
++ const size_t fileLen = tcslen(file);
++
++ /* Detect and prevent integer overflow in the addition (without
++ risking underflow) and the multiplication, mirroring the guards
++ in xcsdup() and resolveSystemId() */
++ if (outputDirLen > SIZE_MAX - fileLen
++ || outputDirLen > SIZE_MAX - fileLen - 2) {
++ tperror(T("Could not allocate memory"));
++ exit(XMLWF_EXIT_INTERNAL_ERROR);
++ }
++
++ const size_t charsRequired = outputDirLen + fileLen + 2;
++
++ if (charsRequired > SIZE_MAX / sizeof(XML_Char)) {
++ tperror(T("Could not allocate memory"));
++ exit(XMLWF_EXIT_INTERNAL_ERROR);
++ }
++
++ outName = malloc(charsRequired * sizeof(XML_Char));
+ if (! outName) {
+ tperror(T("Could not allocate memory"));
+ exit(XMLWF_EXIT_INTERNAL_ERROR);
+--
+2.43.7
@@ -19,6 +19,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
file://CVE-2026-56410_p2.patch;striplevel=2 \
file://CVE-2026-56406-dependent.patch;striplevel=2 \
file://CVE-2026-56406.patch;striplevel=2 \
+ file://CVE-2026-56409.patch;striplevel=2 \
"
GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"