Pull in some expat CVE patches

CVE-2024-28757
CVE-2024-45490
CVE-2024-45491
CVE-2024-45492

Signed-off-by: Tavi <tavi@divested.dev>

Patches/LineageOS-14.1/android_external_expat/0001-lib-Detect-integer-overflow-in-dtdCopy.patch

@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:34:13 +0200
+Subject: [PATCH 1/2] lib: Detect integer overflow in dtdCopy
+
+Reported by TaiYou
+---
+ lib/xmlparse.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index ee71adad..e78141e6 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5998,6 +5998,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, const XML_Memory_H
+     if (!newE)
+       return 0;
+     if (oldE->nDefaultAtts) {
++      /* Detect and prevent integer overflow.
++       * The preprocessor guard addresses the "always false" warning
++       * from -Wtype-limits on platforms where
++       * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++      if ((size_t)oldE->nDefaultAtts
++          > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
++        return 0;
++      }
++#endif
+       newE->defaultAtts = (DEFAULT_ATTRIBUTE *)
+           ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
+       if (!newE->defaultAtts) {

Patches/LineageOS-14.1/android_external_expat/0002-lib-Detect-integer-overflow-in-function-nextScaffold.patch

@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:37:16 +0200
+Subject: [PATCH] lib: Detect integer overflow in function nextScaffoldPart
+
+Reported by TaiYou
+---
+ lib/xmlparse.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index c2ea82b0..44639188 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -6484,6 +6484,15 @@ nextScaffoldPart(XML_Parser parser)
+   int next;
+ 
+   if (!dtd->scaffIndex) {
++    /* Detect and prevent integer overflow.
++     * The preprocessor guard addresses the "always false" warning
++     * from -Wtype-limits on platforms where
++     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++    if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
++      return -1;
++    }
++#endif
+     dtd->scaffIndex = (int *)MALLOC(groupSize * sizeof(int));
+     if (!dtd->scaffIndex)
+       return -1;

Patches/LineageOS-15.1/android_external_expat/0001-lib-Detect-integer-overflow-in-dtdCopy.patch

@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:34:13 +0200
+Subject: [PATCH 1/2] lib: Detect integer overflow in dtdCopy
+
+Reported by TaiYou
+---
+ lib/xmlparse.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index ee71adad..e78141e6 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5998,6 +5998,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, const XML_Memory_H
+     if (!newE)
+       return 0;
+     if (oldE->nDefaultAtts) {
++      /* Detect and prevent integer overflow.
++       * The preprocessor guard addresses the "always false" warning
++       * from -Wtype-limits on platforms where
++       * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++      if ((size_t)oldE->nDefaultAtts
++          > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
++        return 0;
++      }
++#endif
+       newE->defaultAtts = (DEFAULT_ATTRIBUTE *)
+           ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
+       if (!newE->defaultAtts) {

Patches/LineageOS-15.1/android_external_expat/0002-lib-Detect-integer-overflow-in-function-nextScaffold.patch

@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:37:16 +0200
+Subject: [PATCH] lib: Detect integer overflow in function nextScaffoldPart
+
+Reported by TaiYou
+---
+ lib/xmlparse.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index e78141e6..5ad4bb00 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -6488,6 +6488,15 @@ nextScaffoldPart(XML_Parser parser)
+   int next;
+ 
+   if (!dtd->scaffIndex) {
++    /* Detect and prevent integer overflow.
++     * The preprocessor guard addresses the "always false" warning
++     * from -Wtype-limits on platforms where
++     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++    if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
++      return -1;
++    }
++#endif
+     dtd->scaffIndex = (int *)MALLOC(groupSize * sizeof(int));
+     if (!dtd->scaffIndex)
+       return -1;

Patches/LineageOS-16.0/android_external_expat/0001-lib-Reject-negative-len-for-XML_ParseBuffer.patch

@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:26:07 +0200
+Subject: [PATCH 1/3] lib: Reject negative len for XML_ParseBuffer
+
+Reported by TaiYou
+---
+ lib/xmlparse.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 074c841..f4e3d2a 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1969,6 +1969,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
+ 
+   if (parser == NULL)
+     return XML_STATUS_ERROR;
++
++  if (len < 0) {
++    parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
++    return XML_STATUS_ERROR;
++  }
++
+   switch (parser->m_parsingStatus.parsing) {
+   case XML_SUSPENDED:
+     parser->m_errorCode = XML_ERROR_SUSPENDED;

Patches/LineageOS-16.0/android_external_expat/0002-lib-Detect-integer-overflow-in-dtdCopy.patch

@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:34:13 +0200
+Subject: [PATCH 2/3] lib: Detect integer overflow in dtdCopy
+
+Reported by TaiYou
+---
+ lib/xmlparse.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index f4e3d2a..a6d92f4 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -6639,6 +6639,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, const XML_Memory_H
+     if (!newE)
+       return 0;
+     if (oldE->nDefaultAtts) {
++      /* Detect and prevent integer overflow.
++       * The preprocessor guard addresses the "always false" warning
++       * from -Wtype-limits on platforms where
++       * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++      if ((size_t)oldE->nDefaultAtts
++          > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
++        return 0;
++      }
++#endif
+       newE->defaultAtts = (DEFAULT_ATTRIBUTE *)
+           ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
+       if (!newE->defaultAtts) {

Patches/LineageOS-16.0/android_external_expat/0003-lib-Detect-integer-overflow-in-function-nextScaffold.patch

@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:37:16 +0200
+Subject: [PATCH 3/3] lib: Detect integer overflow in function nextScaffoldPart
+
+Reported by TaiYou
+---
+ lib/xmlparse.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index a6d92f4..2f48cf1 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7221,6 +7221,15 @@ nextScaffoldPart(XML_Parser parser)
+   int next;
+ 
+   if (!dtd->scaffIndex) {
++    /* Detect and prevent integer overflow.
++     * The preprocessor guard addresses the "always false" warning
++     * from -Wtype-limits on platforms where
++     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++    if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
++      return -1;
++    }
++#endif
+     dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int));
+     if (!dtd->scaffIndex)
+       return -1;

Patches/LineageOS-17.1/android_external_expat/0001-lib-Reject-negative-len-for-XML_ParseBuffer.patch

@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:26:07 +0200
+Subject: [PATCH 1/3] lib: Reject negative len for XML_ParseBuffer
+
+Reported by TaiYou
+---
+ lib/xmlparse.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 074c841..f4e3d2a 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1969,6 +1969,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
+ 
+   if (parser == NULL)
+     return XML_STATUS_ERROR;
++
++  if (len < 0) {
++    parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
++    return XML_STATUS_ERROR;
++  }
++
+   switch (parser->m_parsingStatus.parsing) {
+   case XML_SUSPENDED:
+     parser->m_errorCode = XML_ERROR_SUSPENDED;

Patches/LineageOS-17.1/android_external_expat/0002-lib-Detect-integer-overflow-in-dtdCopy.patch

@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:34:13 +0200
+Subject: [PATCH 2/3] lib: Detect integer overflow in dtdCopy
+
+Reported by TaiYou
+---
+ lib/xmlparse.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index f4e3d2a..a6d92f4 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -6639,6 +6639,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, const XML_Memory_H
+     if (!newE)
+       return 0;
+     if (oldE->nDefaultAtts) {
++      /* Detect and prevent integer overflow.
++       * The preprocessor guard addresses the "always false" warning
++       * from -Wtype-limits on platforms where
++       * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++      if ((size_t)oldE->nDefaultAtts
++          > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
++        return 0;
++      }
++#endif
+       newE->defaultAtts = (DEFAULT_ATTRIBUTE *)
+           ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
+       if (!newE->defaultAtts) {

Patches/LineageOS-17.1/android_external_expat/0003-lib-Detect-integer-overflow-in-function-nextScaffold.patch

@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:37:16 +0200
+Subject: [PATCH 3/3] lib: Detect integer overflow in function nextScaffoldPart
+
+Reported by TaiYou
+---
+ lib/xmlparse.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index a6d92f4..2f48cf1 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7221,6 +7221,15 @@ nextScaffoldPart(XML_Parser parser)
+   int next;
+ 
+   if (!dtd->scaffIndex) {
++    /* Detect and prevent integer overflow.
++     * The preprocessor guard addresses the "always false" warning
++     * from -Wtype-limits on platforms where
++     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++    if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
++      return -1;
++    }
++#endif
+     dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int));
+     if (!dtd->scaffIndex)
+       return -1;

Patches/LineageOS-18.1/android_external_expat/0001-lib-Reject-negative-len-for-XML_ParseBuffer.patch

@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:26:07 +0200
+Subject: [PATCH 1/4] lib: Reject negative len for XML_ParseBuffer
+
+Reported by TaiYou
+---
+ lib/xmlparse.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 381f3ef..97440d8 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1883,6 +1883,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) {
+ 
+   if (parser == NULL)
+     return XML_STATUS_ERROR;
++
++  if (len < 0) {
++    parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
++    return XML_STATUS_ERROR;
++  }
++
+   switch (parser->m_parsingStatus.parsing) {
+   case XML_SUSPENDED:
+     parser->m_errorCode = XML_ERROR_SUSPENDED;

Patches/LineageOS-18.1/android_external_expat/0002-lib-Detect-integer-overflow-in-dtdCopy.patch

@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:34:13 +0200
+Subject: [PATCH 2/4] lib: Detect integer overflow in dtdCopy
+
+Reported by TaiYou
+---
+ lib/xmlparse.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 97440d8..9bd93b0 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -6377,6 +6377,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
+     if (! newE)
+       return 0;
+     if (oldE->nDefaultAtts) {
++      /* Detect and prevent integer overflow.
++       * The preprocessor guard addresses the "always false" warning
++       * from -Wtype-limits on platforms where
++       * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++      if ((size_t)oldE->nDefaultAtts
++          > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
++        return 0;
++      }
++#endif
+       newE->defaultAtts = (DEFAULT_ATTRIBUTE *)ms->malloc_fcn(
+           oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
+       if (! newE->defaultAtts) {

Patches/LineageOS-18.1/android_external_expat/0003-lib-Detect-integer-overflow-in-function-nextScaffold.patch

@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:37:16 +0200
+Subject: [PATCH 3/4] lib: Detect integer overflow in function nextScaffoldPart
+
+Reported by TaiYou
+---
+ lib/xmlparse.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 9bd93b0..e6f334a 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -6929,6 +6929,15 @@ nextScaffoldPart(XML_Parser parser) {
+   int next;
+ 
+   if (! dtd->scaffIndex) {
++    /* Detect and prevent integer overflow.
++     * The preprocessor guard addresses the "always false" warning
++     * from -Wtype-limits on platforms where
++     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++    if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
++      return -1;
++    }
++#endif
+     dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int));
+     if (! dtd->scaffIndex)
+       return -1;

Patches/LineageOS-18.1/android_external_expat/0004-lib-Stop-leaking-opening-tag-bindings-after-closing-.patch

@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Thu, 22 Sep 2022 16:51:17 +0200
+Subject: [PATCH 4/4] lib: Stop leaking opening tag bindings after closing tag
+ mismatch error
+
+.. by moving the opening tag onto the free tag list only
+*after* the tag match check has passed.
+---
+ lib/xmlparse.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index e6f334a..602fa33 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2847,9 +2847,6 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+         int len;
+         const char *rawName;
+         TAG *tag = parser->m_tagStack;
+-        parser->m_tagStack = tag->parent;
+-        tag->parent = parser->m_freeTagList;
+-        parser->m_freeTagList = tag;
+         rawName = s + enc->minBytesPerChar * 2;
+         len = XmlNameLength(enc, rawName);
+         if (len != tag->rawNameLength
+@@ -2857,6 +2854,9 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+           *eventPP = rawName;
+           return XML_ERROR_TAG_MISMATCH;
+         }
++        parser->m_tagStack = tag->parent;
++        tag->parent = parser->m_freeTagList;
++        parser->m_freeTagList = tag;
+         --parser->m_tagLevel;
+         if (parser->m_endElementHandler) {
+           const XML_Char *localPart;

Patches/LineageOS-19.1/android_external_expat/0001-lib-Reject-negative-len-for-XML_ParseBuffer.patch

@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:26:07 +0200
+Subject: [PATCH 1/4] lib: Reject negative len for XML_ParseBuffer
+
+Reported by TaiYou
+---
+ lib/xmlparse.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 381f3ef..97440d8 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1883,6 +1883,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) {
+ 
+   if (parser == NULL)
+     return XML_STATUS_ERROR;
++
++  if (len < 0) {
++    parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
++    return XML_STATUS_ERROR;
++  }
++
+   switch (parser->m_parsingStatus.parsing) {
+   case XML_SUSPENDED:
+     parser->m_errorCode = XML_ERROR_SUSPENDED;

Patches/LineageOS-19.1/android_external_expat/0002-lib-Detect-integer-overflow-in-dtdCopy.patch

@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:34:13 +0200
+Subject: [PATCH 2/4] lib: Detect integer overflow in dtdCopy
+
+Reported by TaiYou
+---
+ lib/xmlparse.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 97440d8..9bd93b0 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -6377,6 +6377,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
+     if (! newE)
+       return 0;
+     if (oldE->nDefaultAtts) {
++      /* Detect and prevent integer overflow.
++       * The preprocessor guard addresses the "always false" warning
++       * from -Wtype-limits on platforms where
++       * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++      if ((size_t)oldE->nDefaultAtts
++          > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
++        return 0;
++      }
++#endif
+       newE->defaultAtts = (DEFAULT_ATTRIBUTE *)ms->malloc_fcn(
+           oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
+       if (! newE->defaultAtts) {

Patches/LineageOS-19.1/android_external_expat/0003-lib-Detect-integer-overflow-in-function-nextScaffold.patch

@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:37:16 +0200
+Subject: [PATCH 3/4] lib: Detect integer overflow in function nextScaffoldPart
+
+Reported by TaiYou
+---
+ lib/xmlparse.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 9bd93b0..e6f334a 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -6929,6 +6929,15 @@ nextScaffoldPart(XML_Parser parser) {
+   int next;
+ 
+   if (! dtd->scaffIndex) {
++    /* Detect and prevent integer overflow.
++     * The preprocessor guard addresses the "always false" warning
++     * from -Wtype-limits on platforms where
++     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++    if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
++      return -1;
++    }
++#endif
+     dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int));
+     if (! dtd->scaffIndex)
+       return -1;

Patches/LineageOS-19.1/android_external_expat/0004-lib-Stop-leaking-opening-tag-bindings-after-closing-.patch

@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Thu, 22 Sep 2022 16:51:17 +0200
+Subject: [PATCH 4/4] lib: Stop leaking opening tag bindings after closing tag
+ mismatch error
+
+.. by moving the opening tag onto the free tag list only
+*after* the tag match check has passed.
+---
+ lib/xmlparse.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index e6f334a..602fa33 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2847,9 +2847,6 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+         int len;
+         const char *rawName;
+         TAG *tag = parser->m_tagStack;
+-        parser->m_tagStack = tag->parent;
+-        tag->parent = parser->m_freeTagList;
+-        parser->m_freeTagList = tag;
+         rawName = s + enc->minBytesPerChar * 2;
+         len = XmlNameLength(enc, rawName);
+         if (len != tag->rawNameLength
+@@ -2857,6 +2854,9 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+           *eventPP = rawName;
+           return XML_ERROR_TAG_MISMATCH;
+         }
++        parser->m_tagStack = tag->parent;
++        tag->parent = parser->m_freeTagList;
++        parser->m_freeTagList = tag;
+         --parser->m_tagLevel;
+         if (parser->m_endElementHandler) {
+           const XML_Char *localPart;

Patches/LineageOS-20.0/android_external_expat/0001-lib-Reject-negative-len-for-XML_ParseBuffer.patch

@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:26:07 +0200
+Subject: [PATCH 1/5] lib: Reject negative len for XML_ParseBuffer
+
+Reported by TaiYou
+---
+ lib/xmlparse.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 7e981919..dacbc7ad 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1982,6 +1982,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) {
+ 
+   if (parser == NULL)
+     return XML_STATUS_ERROR;
++
++  if (len < 0) {
++    parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
++    return XML_STATUS_ERROR;
++  }
++
+   switch (parser->m_parsingStatus.parsing) {
+   case XML_SUSPENDED:
+     parser->m_errorCode = XML_ERROR_SUSPENDED;

Patches/LineageOS-20.0/android_external_expat/0002-lib-Detect-integer-overflow-in-dtdCopy.patch

@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:34:13 +0200
+Subject: [PATCH 2/5] lib: Detect integer overflow in dtdCopy
+
+Reported by TaiYou
+---
+ lib/xmlparse.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index dacbc7ad..afcc1de9 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -6749,6 +6749,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
+     if (! newE)
+       return 0;
+     if (oldE->nDefaultAtts) {
++      /* Detect and prevent integer overflow.
++       * The preprocessor guard addresses the "always false" warning
++       * from -Wtype-limits on platforms where
++       * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++      if ((size_t)oldE->nDefaultAtts
++          > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
++        return 0;
++      }
++#endif
+       newE->defaultAtts
+           = ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
+       if (! newE->defaultAtts) {

Patches/LineageOS-20.0/android_external_expat/0003-lib-Detect-integer-overflow-in-function-nextScaffold.patch

@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:37:16 +0200
+Subject: [PATCH 3/5] lib: Detect integer overflow in function nextScaffoldPart
+
+Reported by TaiYou
+---
+ lib/xmlparse.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index afcc1de9..18d9201c 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7301,6 +7301,15 @@ nextScaffoldPart(XML_Parser parser) {
+   int next;
+ 
+   if (! dtd->scaffIndex) {
++    /* Detect and prevent integer overflow.
++     * The preprocessor guard addresses the "always false" warning
++     * from -Wtype-limits on platforms where
++     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++    if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
++      return -1;
++    }
++#endif
+     dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int));
+     if (! dtd->scaffIndex)
+       return -1;

Patches/LineageOS-20.0/android_external_expat/0004-lib-xmlparse.c-Detect-billion-laughs-attack-with-iso.patch

@@ -0,0 +1,53 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 4 Mar 2024 23:49:06 +0100
+Subject: [PATCH 4/5] lib/xmlparse.c: Detect billion laughs attack with
+ isolated external parser
+
+When parsing DTD content with code like ..
+
+  XML_Parser parser = XML_ParserCreate(NULL);
+  XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
+  enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);
+
+.. there are 0 bytes accounted as direct input and all input from `doc` accounted
+as indirect input.  Now function accountingGetCurrentAmplification cannot calculate
+the current amplification ratio as "(direct + indirect) / direct", and it did refuse
+to divide by 0 as one would expect, but it returned 1.0 for this case to indicate
+no amplification over direct input.  As a result, billion laughs attacks from
+DTD-only input were not detected with this isolated way of using an external parser.
+
+The new approach is to assume direct input of length not 0 but 22 -- derived from
+ghost input "<!ENTITY a SYSTEM 'b'>", the shortest possible way to include an external
+DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22".
+
+GitHub issue #839 has more details on this issue and its origin in ClusterFuzz
+finding 66812.
+---
+ lib/xmlparse.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 18d9201c..ab45db09 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7539,6 +7539,8 @@ copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) {
+ 
+ static float
+ accountingGetCurrentAmplification(XML_Parser rootParser) {
++  //                                          1.........1.........12 => 22
++  const size_t lenOfShortestInclude = sizeof("<!ENTITY a SYSTEM 'b'>") - 1;
+   const XmlBigCount countBytesOutput
+       = rootParser->m_accounting.countBytesDirect
+         + rootParser->m_accounting.countBytesIndirect;
+@@ -7546,7 +7548,9 @@ accountingGetCurrentAmplification(XML_Parser rootParser) {
+       = rootParser->m_accounting.countBytesDirect
+             ? (countBytesOutput
+                / (float)(rootParser->m_accounting.countBytesDirect))
+-            : 1.0f;
++            : ((lenOfShortestInclude
++                + rootParser->m_accounting.countBytesIndirect)
++               / (float)lenOfShortestInclude);
+   assert(! rootParser->m_parentParser);
+   return amplificationFactor;
+ }

Patches/LineageOS-20.0/android_external_expat/0005-lib-Stop-leaking-opening-tag-bindings-after-closing-.patch

@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Thu, 22 Sep 2022 16:51:17 +0200
+Subject: [PATCH 5/5] lib: Stop leaking opening tag bindings after closing tag
+ mismatch error
+
+.. by moving the opening tag onto the free tag list only
+*after* the tag match check has passed.
+---
+ lib/xmlparse.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index ab45db09..2b87a1c5 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3023,9 +3023,6 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+         int len;
+         const char *rawName;
+         TAG *tag = parser->m_tagStack;
+-        parser->m_tagStack = tag->parent;
+-        tag->parent = parser->m_freeTagList;
+-        parser->m_freeTagList = tag;
+         rawName = s + enc->minBytesPerChar * 2;
+         len = XmlNameLength(enc, rawName);
+         if (len != tag->rawNameLength
+@@ -3033,6 +3030,9 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+           *eventPP = rawName;
+           return XML_ERROR_TAG_MISMATCH;
+         }
++        parser->m_tagStack = tag->parent;
++        tag->parent = parser->m_freeTagList;
++        parser->m_freeTagList = tag;
+         --parser->m_tagLevel;
+         if (parser->m_endElementHandler) {
+           const XML_Char *localPart;

Scripts/LineageOS-14.1/Patch.sh

@@ -108,6 +108,8 @@ applyPatch "$DOS_PATCHES/android_external_expat/337987-backport.patch"; #n-asb-2
 applyPatch "$DOS_PATCHES/android_external_expat/337988-backport.patch"; #n-asb-2022-09 Prevent integer overflow in function doProlog
 applyPatch "$DOS_PATCHES/android_external_expat/337989-backport.patch"; #n-asb-2022-09 Prevent more integer overflows
 applyPatch "$DOS_PATCHES/android_external_expat/348649.patch"; #n-asb-2023-02 Fix overeager DTD destruction (fixes #649)
+applyPatch "$DOS_PATCHES/android_external_expat/0001-lib-Detect-integer-overflow-in-dtdCopy.patch.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0002-lib-Detect-integer-overflow-in-function-nextScaffold.patch";
 fi;
 
 if enterAndClear "external/freetype"; then

Scripts/LineageOS-15.1/Patch.sh

@@ -112,6 +112,8 @@ applyPatch "$DOS_PATCHES/android_external_expat/337987.patch"; #Q_asb_2022-09 Pr
 applyPatch "$DOS_PATCHES/android_external_expat/337988-backport.patch"; #n-asb-2022-09 Prevent integer overflow in function doProlog
 applyPatch "$DOS_PATCHES/android_external_expat/337989-backport.patch"; #n-asb-2022-09 Prevent more integer overflows
 applyPatch "$DOS_PATCHES/android_external_expat/348649.patch"; #n-asb-2023-02 Fix overeager DTD destruction (fixes #649)
+applyPatch "$DOS_PATCHES/android_external_expat/0001-lib-Detect-integer-overflow-in-dtdCopy.patch.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0002-lib-Detect-integer-overflow-in-function-nextScaffold.patch";
 fi;
 
 if enterAndClear "external/freetype"; then

Scripts/LineageOS-16.0/Patch.sh

@@ -134,6 +134,9 @@ applyPatch "$DOS_PATCHES/android_external_expat/338354.patch"; #P_asb_2022-09 Pr
 applyPatch "$DOS_PATCHES/android_external_expat/338355.patch"; #P_asb_2022-09 Prevent integer overflow in function doProlog
 applyPatch "$DOS_PATCHES/android_external_expat/338356.patch"; #P_asb_2022-09 Prevent more integer overflows
 applyPatch "$DOS_PATCHES/android_external_expat/349328.patch"; #P_asb_2023-02 [CVE-2022-43680] Fix overeager DTD destruction (fixes #649)
+applyPatch "$DOS_PATCHES/android_external_expat/0001-lib-Reject-negative-len-for-XML_ParseBuffer.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0002-lib-Detect-integer-overflow-in-dtdCopy.patch.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0003-lib-Detect-integer-overflow-in-function-nextScaffold.patch";
 fi;
 
 if enterAndClear "external/freetype"; then

Scripts/LineageOS-17.1/Patch.sh

@@ -120,6 +120,12 @@ if enterAndClear "external/conscrypt"; then
 applyPatch "$DOS_PATCHES/android_external_conscrypt/0001-constify_JNINativeMethod.patch"; #Constify JNINativeMethod tables (GrapheneOS)
 fi;
 
+if enterAndClear "external/expat"; then
+applyPatch "$DOS_PATCHES/android_external_expat/0001-lib-Reject-negative-len-for-XML_ParseBuffer.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0002-lib-Detect-integer-overflow-in-dtdCopy.patch.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0003-lib-Detect-integer-overflow-in-function-nextScaffold.patch";
+fi;
+
 if enterAndClear "external/freetype"; then
 applyPatch "$DOS_PATCHES/android_external_freetype/365406.patch"; #Q_asb_2023-07 Cherry-pick two upstream changes
 applyPatch "$DOS_PATCHES/android_external_freetype/365446.patch"; #Q_asb_2023-08 Cherrypick following three changes

Scripts/LineageOS-18.1/Patch.sh

@@ -114,6 +114,13 @@ if enterAndClear "external/conscrypt"; then
 applyPatch "$DOS_PATCHES/android_external_conscrypt/0001-constify_JNINativeMethod.patch"; #Constify JNINativeMethod tables (GrapheneOS)
 fi;
 
+if enterAndClear "external/expat"; then
+applyPatch "$DOS_PATCHES/android_external_expat/0001-lib-Reject-negative-len-for-XML_ParseBuffer.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0002-lib-Detect-integer-overflow-in-dtdCopy.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0003-lib-Detect-integer-overflow-in-function-nextScaffold.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0004-lib-Stop-leaking-opening-tag-bindings-after-closing-.patch";
+fi;
+
 if enterAndClear "external/hardened_malloc"; then
 applyPatch "$DOS_PATCHES_COMMON/android_external_hardened_malloc/0001-Broken_Cameras-1.patch"; #Workarounds for Pixel 3 SoC era camera driver bugs (GrapheneOS)
 applyPatch "$DOS_PATCHES_COMMON/android_external_hardened_malloc/0001-Broken_Cameras-2.patch"; #Expand workaround to all camera executables (DivestOS)

Scripts/LineageOS-19.1/Patch.sh

@@ -111,6 +111,13 @@ if enterAndClear "external/conscrypt"; then
 applyPatch "$DOS_PATCHES/android_external_conscrypt/0001-constify_JNINativeMethod.patch"; #Constify JNINativeMethod tables (GrapheneOS)
 fi;
 
+if enterAndClear "external/expat"; then
+applyPatch "$DOS_PATCHES/android_external_expat/0001-lib-Reject-negative-len-for-XML_ParseBuffer.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0002-lib-Detect-integer-overflow-in-dtdCopy.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0003-lib-Detect-integer-overflow-in-function-nextScaffold.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0004-lib-Stop-leaking-opening-tag-bindings-after-closing-.patch";
+fi;
+
 if enterAndClear "external/hardened_malloc"; then
 applyPatch "$DOS_PATCHES_COMMON/android_external_hardened_malloc/0001-Broken_Cameras-1.patch"; #Workarounds for Pixel 3 SoC era camera driver bugs (GrapheneOS)
 applyPatch "$DOS_PATCHES_COMMON/android_external_hardened_malloc/0001-Broken_Cameras-2.patch"; #Expand workaround to all camera executables (DivestOS)

Scripts/LineageOS-20.0/Patch.sh

@@ -109,6 +109,14 @@ if enterAndClear "external/conscrypt"; then
 applyPatch "$DOS_PATCHES/android_external_conscrypt/0001-constify_JNINativeMethod.patch"; #Constify JNINativeMethod tables (GrapheneOS)
 fi;
 
+if enterAndClear "external/expat"; then
+applyPatch "$DOS_PATCHES/android_external_expat/0001-lib-Reject-negative-len-for-XML_ParseBuffer.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0002-lib-Detect-integer-overflow-in-dtdCopy.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0003-lib-Detect-integer-overflow-in-function-nextScaffold.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0004-lib-xmlparse.c-Detect-billion-laughs-attack-with-iso.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0005-lib-Stop-leaking-opening-tag-bindings-after-closing-.patch";
+fi;
+
 if enterAndClear "external/hardened_malloc"; then
 applyPatch "$DOS_PATCHES_COMMON/android_external_hardened_malloc/0001-Broken_Cameras-1.patch"; #Workarounds for Pixel 3 SoC era camera driver bugs (GrapheneOS)
 applyPatch "$DOS_PATCHES_COMMON/android_external_hardened_malloc/0001-Broken_Cameras-2.patch"; #Expand workaround to all camera executables (DivestOS)