https://github.com/libexpat/libexpat/commit/5c1a31642e243f4870c0bd1f2afc7597976521bf.patch Fixed in 2.6.3. Takes only 1 of the 3 patches from https://github.com/libexpat/libexpat/pull/890 to take the fix and not the tests because that part doesn't apply cleanly. From 5c1a31642e243f4870c0bd1f2afc7597976521bf Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Mon, 19 Aug 2024 22:26:07 +0200 Subject: [PATCH] lib: Reject negative len for XML_ParseBuffer Reported by TaiYou --- expat/lib/xmlparse.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lib/xmlparse.c b/lib/xmlparse.c index 91682c188..ba1038119 100644 --- a/lib/xmlparse.c +++ b/lib/xmlparse.c @@ -2038,6 +2038,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) { if (parser == NULL) return XML_STATUS_ERROR; + + if (len < 0) { + parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT; + return XML_STATUS_ERROR; + } + switch (parser->m_parsingStatus.parsing) { case XML_SUSPENDED: parser->m_errorCode = XML_ERROR_SUSPENDED;
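Review bot: the new `if (len < 0)` guard in XML_ParseBuffer is carried here without the tests from the upstream pull request, so nothing in this package exercises the rejection path. Since the test patches do not apply cleanly, consider a small downstream regression check that calls `XML_ParseBuffer(parser, -1, XML_TRUE)` and expects `XML_STATUS_ERROR` with `XML_GetErrorCode(parser)` returning `XML_ERROR_INVALID_ARGUMENT`. The guard also sits ahead of the `switch (parser->m_parsingStatus.parsing)`, so a negative `len` on a suspended parser reports `XML_ERROR_INVALID_ARGUMENT` rather than `XML_ERROR_SUSPENDED`; a one-line comment stating that ordering is intended would help. Finally, the diffstat names `expat/lib/xmlparse.c` while the `diff --git` header uses `lib/xmlparse.c`, so it is worth confirming that the strip level used when applying the patch matches the source tree layout.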