new file mode 100644
@@ -0,0 +1,81 @@
+From b689559597116ee75a633453e2f7177c8541b04e Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 20 May 2026 12:12:10 +0200
+Subject: [PATCH 01/17] lib: Protect function `storeAtts` from signed integer
+ overflow
+
+CVE: CVE-2026-56403
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/12dc6d8d3d65f79471a94d8565f6bf1cf245f648]
+
+Backport Changes:
+- Adapt storeAtts to the Scarthgap 2.6.4 loop and URI allocation
+ logic while preserving the upstream overflow checks.
+
+(cherry picked from commit 12dc6d8d3d65f79471a94d8565f6bf1cf245f648)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ expat/lib/xmlparse.c | 30 ++++++++++++++++++++----------
+ 1 file changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 9bc67f38..df92a3ca 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -4226,26 +4226,32 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+ return XML_ERROR_NONE;
+ prefixLen = 0;
+ if (parser->m_ns_triplets && binding->prefix->name) {
+- for (; binding->prefix->name[prefixLen++];)
+- ; /* prefixLen includes null terminator */
++ size_t candidateLen = 0;
++ for (; binding->prefix->name[candidateLen++];)
++ ; /* candidateLen includes null terminator */
++ /* Detect and prevent integer overflow */
++ if (candidateLen > INT_MAX)
++ return XML_ERROR_NO_MEMORY;
++ prefixLen = (int)candidateLen;
+ }
+ tagNamePtr->localPart = localPart;
+ tagNamePtr->uriLen = binding->uriLen;
+ tagNamePtr->prefix = binding->prefix->name;
+ tagNamePtr->prefixLen = prefixLen;
+- for (i = 0; localPart[i++];)
+- ; /* i includes null terminator */
++
++ size_t localPartLen = 0;
++ for (; localPart[localPartLen++];)
++ ; /* localPartLen includes null terminator */
+
+ /* Detect and prevent integer overflow */
+- if (binding->uriLen > INT_MAX - prefixLen
+- || i > INT_MAX - (binding->uriLen + prefixLen)) {
++ if (localPartLen > INT_MAX || binding->uriLen > INT_MAX - prefixLen
++ || localPartLen > (size_t)INT_MAX - (binding->uriLen + prefixLen)) {
+ return XML_ERROR_NO_MEMORY;
+ }
+
+- n = i + binding->uriLen + prefixLen;
++ n = (int)localPartLen + binding->uriLen + prefixLen;
+ if (n > binding->uriAlloc) {
+ TAG *p;
+-
+ /* Detect and prevent integer overflow */
+ if (n > INT_MAX - EXPAND_SPARE) {
+ return XML_ERROR_NO_MEMORY;
+@@ -4273,10 +4279,14 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+ }
+ /* if m_namespaceSeparator != '\0' then uri includes it already */
+ uri = binding->uri + binding->uriLen;
+- memcpy(uri, localPart, i * sizeof(XML_Char));
++ /* Detect and prevent integer overflow */
++ if (localPartLen > SIZE_MAX / sizeof(XML_Char)) {
++ return XML_ERROR_NO_MEMORY;
++ }
++ memcpy(uri, localPart, localPartLen * sizeof(XML_Char));
+ /* we always have a namespace separator between localPart and prefix */
+ if (prefixLen) {
+- uri += i - 1;
++ uri += localPartLen - 1;
+ *uri = parser->m_namespaceSeparator; /* replace null terminator */
+ memcpy(uri + 1, binding->prefix->name, prefixLen * sizeof(XML_Char));
+ }
new file mode 100644
@@ -0,0 +1,52 @@
+From 2855ce68a1ce9732267c06734427930364ab66c1 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Fri, 22 May 2026 00:43:52 +0200
+Subject: [PATCH 02/17] xmlwf: Protect function `xcsdup` from signed integer
+ overflow
+
+CVE: CVE-2026-56403
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/147c8f36d6277d5c6011c098370a8362aed47b15]
+
+Backport Changes:
+- Add stdint.h and convert count and numBytes to size_t because
+ Scarthgap 2.6.4 lacks these upstream prerequisites.
+
+(cherry picked from commit 147c8f36d6277d5c6011c098370a8362aed47b15)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ expat/xmlwf/xmlwf.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/expat/xmlwf/xmlwf.c b/expat/xmlwf/xmlwf.c
+index fd4fc3f8..7bbdb303 100644
+--- a/expat/xmlwf/xmlwf.c
++++ b/expat/xmlwf/xmlwf.c
+@@ -45,6 +45,7 @@
+
+ #include <assert.h>
+ #include <stdio.h>
++#include <stdint.h>
+ #include <stdlib.h>
+ #include <stddef.h>
+ #include <string.h>
+@@ -304,13 +305,18 @@ processingInstruction(void *userData, const XML_Char *target,
+ static XML_Char *
+ xcsdup(const XML_Char *s) {
+ XML_Char *result;
+- int count = 0;
+- int numBytes;
++ size_t count = 0;
++ size_t numBytes;
+
+ /* Get the length of the string, including terminator */
+ while (s[count++] != 0) {
+ /* Do nothing */
+ }
++
++ // Detect and prevent integer overflow
++ if (count > SIZE_MAX / sizeof(XML_Char))
++ return NULL;
++
+ numBytes = count * sizeof(XML_Char);
+ result = malloc(numBytes);
+ if (result == NULL)
@@ -51,6 +51,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
file://CVE-2026-32777-02.patch \
file://CVE-2026-32778-01.patch \
file://CVE-2026-32778-02.patch \
+ file://CVE-2026-56403_p1.patch;striplevel=2 \
+ file://CVE-2026-56403_p2.patch;striplevel=2 \
"
GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"