14.1 & 15.1: Prereq patches and backport of CVE-2024-45490 thanks to @syphyr

Signed-off-by: Tavi <tavi@divested.dev>

Patches/LineageOS-14.1/android_external_expat/0001-Validate-parser-parameter-to-XML_UseForeignDTD.patch

@@ -0,0 +1,46 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Rhodri James <rhodri@kynesim.co.uk>
+Date: Tue, 25 Apr 2017 16:21:27 +0100
+Subject: [PATCH] Validate parser parameter to XML_UseForeignDTD.
+
+---
+ lib/expat.h    | 5 ++++-
+ lib/xmlparse.c | 2 ++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/expat.h b/lib/expat.h
+index ec62f140..145c283b 100644
+--- a/lib/expat.h
++++ b/lib/expat.h
+@@ -95,7 +95,9 @@ enum XML_Error {
+   /* Added in 2.0. */
+   XML_ERROR_RESERVED_PREFIX_XML,
+   XML_ERROR_RESERVED_PREFIX_XMLNS,
+-  XML_ERROR_RESERVED_NAMESPACE_URI
++  XML_ERROR_RESERVED_NAMESPACE_URI,
++  /* Added in 2.2 */
++  XML_ERROR_INVALID_ARGUMENT
+ };
+ 
+ enum XML_Content_Type {
+@@ -706,6 +708,7 @@ XML_UseParserAsHandlerArg(XML_Parser parser);
+      be called, despite an external subset being parsed.
+    Note: If XML_DTD is not defined when Expat is compiled, returns
+      XML_ERROR_FEATURE_REQUIRES_XML_DTD.
++   Note: If parser == NULL, returns XML_ERROR_INVALID_ARGUMENT.
+ */
+ XMLPARSEAPI(enum XML_Error)
+ XML_UseForeignDTD(XML_Parser parser, XML_Bool useDTD);
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 57c93e05..9df42782 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1243,6 +1243,8 @@ XML_UseParserAsHandlerArg(XML_Parser parser)
+ enum XML_Error XMLCALL
+ XML_UseForeignDTD(XML_Parser parser, XML_Bool useDTD)
+ {
++  if (parser == NULL)
++    return XML_ERROR_INVALID_ARGUMENT;
+ #ifdef XML_DTD
+   /* block after XML_Parse()/XML_ParseBuffer() has been called */
+   if (ps_parsing == XML_PARSING || ps_parsing == XML_SUSPENDED)

Patches/LineageOS-14.1/android_external_expat/0002-expat.h-Fix-version-hint-on-XML_ERROR_INVALID_ARGUME.patch

@@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 31 May 2017 23:43:57 +0200
+Subject: [PATCH] expat.h: Fix version hint on XML_ERROR_INVALID_ARGUMENT
+
+Introduced at commit 768613f801020dee30a0583ec6cd77ec401d747f.
+---
+ lib/expat.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/expat.h b/lib/expat.h
+index 145c283b..59c36e54 100644
+--- a/lib/expat.h
++++ b/lib/expat.h
+@@ -96,7 +96,7 @@ enum XML_Error {
+   XML_ERROR_RESERVED_PREFIX_XML,
+   XML_ERROR_RESERVED_PREFIX_XMLNS,
+   XML_ERROR_RESERVED_NAMESPACE_URI,
+-  /* Added in 2.2 */
++  /* Added in 2.2.1. */
+   XML_ERROR_INVALID_ARGUMENT
+ };
+ 

Patches/LineageOS-14.1/android_external_expat/0003-Validate-parser-parameter-for-XML_ParseBuffer.patch

@@ -0,0 +1,22 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Rhodri James <rhodri@kynesim.co.uk>
+Date: Tue, 25 Apr 2017 18:13:36 +0100
+Subject: [PATCH] Validate parser parameter for XML_ParseBuffer
+
+---
+ lib/xmlparse.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 9df42782..d3b43171 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1670,6 +1670,8 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
+   const char *start;
+   enum XML_Status result = XML_STATUS_OK;
+ 
++  if (parser == NULL)
++    return XML_STATUS_ERROR;
+   switch (ps_parsing) {
+   case XML_SUSPENDED:
+     errorCode = XML_ERROR_SUSPENDED;

Patches/LineageOS-14.1/android_external_expat/0004-lib-Reject-negative-len-for-XML_ParseBuffer.patch

@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:26:07 +0200
+Subject: [PATCH] lib: Reject negative len for XML_ParseBuffer
+
+CVE-2024-45490
+
+Reported by TaiYou
+
+Change-Id: Ic070b629e085c2aa5fd2711e1738acde42fee444
+---
+ lib/xmlparse.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index d3b43171..d9f33395 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1672,6 +1672,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
+ 
+   if (parser == NULL)
+     return XML_STATUS_ERROR;
++
++  if (len < 0) {
++    errorCode = XML_ERROR_INVALID_ARGUMENT;
++    return XML_STATUS_ERROR;
++  }
++
+   switch (ps_parsing) {
+   case XML_SUSPENDED:
+     errorCode = XML_ERROR_SUSPENDED;

Patches/LineageOS-14.1/android_external_expat/0005-lib-Detect-integer-overflow-in-dtdCopy.patch

@@ -3,16 +3,20 @@ From: Sebastian Pipping <sebastian@pipping.org>
 Date: Mon, 19 Aug 2024 22:34:13 +0200
 Subject: [PATCH] lib: Detect integer overflow in dtdCopy
 
+CVE-2024-45491
+
 Reported by TaiYou
+
+Change-Id: Ie0e4d640a83b06d9829c742e73af3aa40116e10b
 ---
  lib/xmlparse.c | 10 ++++++++++
  1 file changed, 10 insertions(+)
 
 diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index ee71adad..e78141e6 100644
+index d9f33395..99bf2411 100644
 --- a/lib/xmlparse.c
 +++ b/lib/xmlparse.c
-@@ -5998,6 +5998,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, const XML_Memory_H
+@@ -6004,6 +6004,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, const XML_Memory_H
      if (!newE)
        return 0;
      if (oldE->nDefaultAtts) {

Patches/LineageOS-14.1/android_external_expat/0006-lib-Detect-integer-overflow-in-function-nextScaffold.patch

@@ -3,16 +3,20 @@ From: Sebastian Pipping <sebastian@pipping.org>
 Date: Mon, 19 Aug 2024 22:37:16 +0200
 Subject: [PATCH] lib: Detect integer overflow in function nextScaffoldPart
 
+CVE-2024-45492
+
 Reported by TaiYou
+
+Change-Id: Ic152fd5352442dc60db0358226118a0ad3021bc5
 ---
  lib/xmlparse.c | 9 +++++++++
  1 file changed, 9 insertions(+)
 
 diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index c2ea82b0..44639188 100644
+index 99bf2411..977079f9 100644
 --- a/lib/xmlparse.c
 +++ b/lib/xmlparse.c
-@@ -6484,6 +6484,15 @@ nextScaffoldPart(XML_Parser parser)
+@@ -6494,6 +6494,15 @@ nextScaffoldPart(XML_Parser parser)
    int next;
  
    if (!dtd->scaffIndex) {

Patches/LineageOS-14.1/android_external_expat/0007-lib-Stop-leaking-opening-tag-bindings-after-closing-.patch

@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Thu, 22 Sep 2022 16:51:17 +0200
+Subject: [PATCH] lib: Stop leaking opening tag bindings after closing tag
+ mismatch error
+
+CVE-2024-28757
+
+.. by moving the opening tag onto the free tag list only
+*after* the tag match check has passed.
+
+Change-Id: I2572abf87973e8de97898726812a14354aa01c17
+---
+ lib/xmlparse.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 977079f9..cc30f71f 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2567,9 +2567,6 @@ doContent(XML_Parser parser,
+         int len;
+         const char *rawName;
+         TAG *tag = tagStack;
+-        tagStack = tag->parent;
+-        tag->parent = freeTagList;
+-        freeTagList = tag;
+         rawName = s + enc->minBytesPerChar*2;
+         len = XmlNameLength(enc, rawName);
+         if (len != tag->rawNameLength
+@@ -2577,6 +2574,9 @@ doContent(XML_Parser parser,
+           *eventPP = rawName;
+           return XML_ERROR_TAG_MISMATCH;
+         }
++        tagStack = tag->parent;
++        tag->parent = freeTagList;
++        freeTagList = tag;
+         --tagLevel;
+         if (endElementHandler) {
+           const XML_Char *localPart;

Patches/LineageOS-15.1/android_external_expat/0001-Validate-parser-parameter-to-XML_UseForeignDTD.patch

@@ -0,0 +1,46 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Rhodri James <rhodri@kynesim.co.uk>
+Date: Tue, 25 Apr 2017 16:21:27 +0100
+Subject: [PATCH] Validate parser parameter to XML_UseForeignDTD.
+
+---
+ lib/expat.h    | 5 ++++-
+ lib/xmlparse.c | 2 ++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/expat.h b/lib/expat.h
+index ec62f140..145c283b 100644
+--- a/lib/expat.h
++++ b/lib/expat.h
+@@ -95,7 +95,9 @@ enum XML_Error {
+   /* Added in 2.0. */
+   XML_ERROR_RESERVED_PREFIX_XML,
+   XML_ERROR_RESERVED_PREFIX_XMLNS,
+-  XML_ERROR_RESERVED_NAMESPACE_URI
++  XML_ERROR_RESERVED_NAMESPACE_URI,
++  /* Added in 2.2 */
++  XML_ERROR_INVALID_ARGUMENT
+ };
+ 
+ enum XML_Content_Type {
+@@ -706,6 +708,7 @@ XML_UseParserAsHandlerArg(XML_Parser parser);
+      be called, despite an external subset being parsed.
+    Note: If XML_DTD is not defined when Expat is compiled, returns
+      XML_ERROR_FEATURE_REQUIRES_XML_DTD.
++   Note: If parser == NULL, returns XML_ERROR_INVALID_ARGUMENT.
+ */
+ XMLPARSEAPI(enum XML_Error)
+ XML_UseForeignDTD(XML_Parser parser, XML_Bool useDTD);
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 57c93e05..9df42782 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1243,6 +1243,8 @@ XML_UseParserAsHandlerArg(XML_Parser parser)
+ enum XML_Error XMLCALL
+ XML_UseForeignDTD(XML_Parser parser, XML_Bool useDTD)
+ {
++  if (parser == NULL)
++    return XML_ERROR_INVALID_ARGUMENT;
+ #ifdef XML_DTD
+   /* block after XML_Parse()/XML_ParseBuffer() has been called */
+   if (ps_parsing == XML_PARSING || ps_parsing == XML_SUSPENDED)

Patches/LineageOS-15.1/android_external_expat/0002-expat.h-Fix-version-hint-on-XML_ERROR_INVALID_ARGUME.patch

@@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 31 May 2017 23:43:57 +0200
+Subject: [PATCH] expat.h: Fix version hint on XML_ERROR_INVALID_ARGUMENT
+
+Introduced at commit 768613f801020dee30a0583ec6cd77ec401d747f.
+---
+ lib/expat.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/expat.h b/lib/expat.h
+index 145c283b..59c36e54 100644
+--- a/lib/expat.h
++++ b/lib/expat.h
+@@ -96,7 +96,7 @@ enum XML_Error {
+   XML_ERROR_RESERVED_PREFIX_XML,
+   XML_ERROR_RESERVED_PREFIX_XMLNS,
+   XML_ERROR_RESERVED_NAMESPACE_URI,
+-  /* Added in 2.2 */
++  /* Added in 2.2.1. */
+   XML_ERROR_INVALID_ARGUMENT
+ };
+ 

Patches/LineageOS-15.1/android_external_expat/0003-Validate-parser-parameter-for-XML_ParseBuffer.patch

@@ -0,0 +1,22 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Rhodri James <rhodri@kynesim.co.uk>
+Date: Tue, 25 Apr 2017 18:13:36 +0100
+Subject: [PATCH] Validate parser parameter for XML_ParseBuffer
+
+---
+ lib/xmlparse.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 9df42782..d3b43171 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1670,6 +1670,8 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
+   const char *start;
+   enum XML_Status result = XML_STATUS_OK;
+ 
++  if (parser == NULL)
++    return XML_STATUS_ERROR;
+   switch (ps_parsing) {
+   case XML_SUSPENDED:
+     errorCode = XML_ERROR_SUSPENDED;

Patches/LineageOS-15.1/android_external_expat/0004-lib-Reject-negative-len-for-XML_ParseBuffer.patch

@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:26:07 +0200
+Subject: [PATCH] lib: Reject negative len for XML_ParseBuffer
+
+CVE-2024-45490
+
+Reported by TaiYou
+
+Change-Id: Ic070b629e085c2aa5fd2711e1738acde42fee444
+---
+ lib/xmlparse.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index d3b43171..d9f33395 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1672,6 +1672,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
+ 
+   if (parser == NULL)
+     return XML_STATUS_ERROR;
++
++  if (len < 0) {
++    errorCode = XML_ERROR_INVALID_ARGUMENT;
++    return XML_STATUS_ERROR;
++  }
++
+   switch (ps_parsing) {
+   case XML_SUSPENDED:
+     errorCode = XML_ERROR_SUSPENDED;

Patches/LineageOS-15.1/android_external_expat/0005-lib-Detect-integer-overflow-in-dtdCopy.patch

@@ -3,16 +3,20 @@ From: Sebastian Pipping <sebastian@pipping.org>
 Date: Mon, 19 Aug 2024 22:34:13 +0200
 Subject: [PATCH] lib: Detect integer overflow in dtdCopy
 
+CVE-2024-45491
+
 Reported by TaiYou
+
+Change-Id: Ie0e4d640a83b06d9829c742e73af3aa40116e10b
 ---
  lib/xmlparse.c | 10 ++++++++++
  1 file changed, 10 insertions(+)
 
 diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index ee71adad..e78141e6 100644
+index d9f33395..99bf2411 100644
 --- a/lib/xmlparse.c
 +++ b/lib/xmlparse.c
-@@ -5998,6 +5998,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, const XML_Memory_H
+@@ -6004,6 +6004,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, const XML_Memory_H
      if (!newE)
        return 0;
      if (oldE->nDefaultAtts) {

Patches/LineageOS-15.1/android_external_expat/0006-lib-Detect-integer-overflow-in-function-nextScaffold.patch

@@ -3,16 +3,20 @@ From: Sebastian Pipping <sebastian@pipping.org>
 Date: Mon, 19 Aug 2024 22:37:16 +0200
 Subject: [PATCH] lib: Detect integer overflow in function nextScaffoldPart
 
+CVE-2024-45492
+
 Reported by TaiYou
+
+Change-Id: Ic152fd5352442dc60db0358226118a0ad3021bc5
 ---
  lib/xmlparse.c | 9 +++++++++
  1 file changed, 9 insertions(+)
 
 diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index e78141e6..5ad4bb00 100644
+index 99bf2411..977079f9 100644
 --- a/lib/xmlparse.c
 +++ b/lib/xmlparse.c
-@@ -6488,6 +6488,15 @@ nextScaffoldPart(XML_Parser parser)
+@@ -6494,6 +6494,15 @@ nextScaffoldPart(XML_Parser parser)
    int next;
  
    if (!dtd->scaffIndex) {

Patches/LineageOS-15.1/android_external_expat/0007-lib-Stop-leaking-opening-tag-bindings-after-closing-.patch

@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Thu, 22 Sep 2022 16:51:17 +0200
+Subject: [PATCH] lib: Stop leaking opening tag bindings after closing tag
+ mismatch error
+
+CVE-2024-28757
+
+.. by moving the opening tag onto the free tag list only
+*after* the tag match check has passed.
+
+Change-Id: I2572abf87973e8de97898726812a14354aa01c17
+---
+ lib/xmlparse.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 977079f9..cc30f71f 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2567,9 +2567,6 @@ doContent(XML_Parser parser,
+         int len;
+         const char *rawName;
+         TAG *tag = tagStack;
+-        tagStack = tag->parent;
+-        tag->parent = freeTagList;
+-        freeTagList = tag;
+         rawName = s + enc->minBytesPerChar*2;
+         len = XmlNameLength(enc, rawName);
+         if (len != tag->rawNameLength
+@@ -2577,6 +2574,9 @@ doContent(XML_Parser parser,
+           *eventPP = rawName;
+           return XML_ERROR_TAG_MISMATCH;
+         }
++        tagStack = tag->parent;
++        tag->parent = freeTagList;
++        freeTagList = tag;
+         --tagLevel;
+         if (endElementHandler) {
+           const XML_Char *localPart;

Scripts/LineageOS-14.1/Patch.sh

@@ -108,8 +108,13 @@ applyPatch "$DOS_PATCHES/android_external_expat/337987-backport.patch"; #n-asb-2
 applyPatch "$DOS_PATCHES/android_external_expat/337988-backport.patch"; #n-asb-2022-09 Prevent integer overflow in function doProlog
 applyPatch "$DOS_PATCHES/android_external_expat/337989-backport.patch"; #n-asb-2022-09 Prevent more integer overflows
 applyPatch "$DOS_PATCHES/android_external_expat/348649.patch"; #n-asb-2023-02 Fix overeager DTD destruction (fixes #649)
-applyPatch "$DOS_PATCHES/android_external_expat/0001-lib-Detect-integer-overflow-in-dtdCopy.patch.patch";
-applyPatch "$DOS_PATCHES/android_external_expat/0002-lib-Detect-integer-overflow-in-function-nextScaffold.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0001-Validate-parser-parameter-to-XML_UseForeignDTD.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0002-expat.h-Fix-version-hint-on-XML_ERROR_INVALID_ARGUME.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0003-Validate-parser-parameter-for-XML_ParseBuffer.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0004-lib-Reject-negative-len-for-XML_ParseBuffer.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0005-lib-Detect-integer-overflow-in-dtdCopy.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0006-lib-Detect-integer-overflow-in-function-nextScaffold.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0007-lib-Stop-leaking-opening-tag-bindings-after-closing-.patch";
 fi;
 
 if enterAndClear "external/freetype"; then

Scripts/LineageOS-15.1/Patch.sh

@@ -112,8 +112,13 @@ applyPatch "$DOS_PATCHES/android_external_expat/337987.patch"; #Q_asb_2022-09 Pr
 applyPatch "$DOS_PATCHES/android_external_expat/337988-backport.patch"; #n-asb-2022-09 Prevent integer overflow in function doProlog
 applyPatch "$DOS_PATCHES/android_external_expat/337989-backport.patch"; #n-asb-2022-09 Prevent more integer overflows
 applyPatch "$DOS_PATCHES/android_external_expat/348649.patch"; #n-asb-2023-02 Fix overeager DTD destruction (fixes #649)
-applyPatch "$DOS_PATCHES/android_external_expat/0001-lib-Detect-integer-overflow-in-dtdCopy.patch.patch";
-applyPatch "$DOS_PATCHES/android_external_expat/0002-lib-Detect-integer-overflow-in-function-nextScaffold.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0001-Validate-parser-parameter-to-XML_UseForeignDTD.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0002-expat.h-Fix-version-hint-on-XML_ERROR_INVALID_ARGUME.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0003-Validate-parser-parameter-for-XML_ParseBuffer.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0004-lib-Reject-negative-len-for-XML_ParseBuffer.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0005-lib-Detect-integer-overflow-in-dtdCopy.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0006-lib-Detect-integer-overflow-in-function-nextScaffold.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0007-lib-Stop-leaking-opening-tag-bindings-after-closing-.patch";
 fi;
 
 if enterAndClear "external/freetype"; then