https://github.com/libexpat/libexpat/commit/5c1a31642e243f4870c0bd1f2afc7597976521bf.patch
Fixed in 2.6.3.
Takes only 1 of the 3 patches from
https://github.com/libexpat/libexpat/pull/890 to take the fix and not the
tests because that part doesn't apply cleanly.

From 5c1a31642e243f4870c0bd1f2afc7597976521bf Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Mon, 19 Aug 2024 22:26:07 +0200
Subject: [PATCH] lib: Reject negative len for XML_ParseBuffer

Reported by TaiYou

---
 expat/lib/xmlparse.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 91682c188..ba1038119 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -2038,6 +2038,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) {
 
   if (parser == NULL)
     return XML_STATUS_ERROR;
+
+  if (len < 0) {
+    parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
+    return XML_STATUS_ERROR;
+  }
+
   switch (parser->m_parsingStatus.parsing) {
   case XML_SUSPENDED:
     parser->m_errorCode = XML_ERROR_SUSPENDED;
mmary</a><a href='/guix/refs/?id=0d5995e4fda2893db6359b9a2ec79d72885dc4c4'>refs</a><a class='active' href='/guix/log/tests/egg.scm'>log</a><a href='/guix/tree/tests/egg.scm?id=0d5995e4fda2893db6359b9a2ec79d72885dc4c4'>tree</a><a href='/guix/commit/tests/egg.scm?id=0d5995e4fda2893db6359b9a2ec79d72885dc4c4'>commit</a><a href='/guix/diff/tests/egg.scm?id=0d5995e4fda2893db6359b9a2ec79d72885dc4c4'>diff</a></td><td class='form'><form class='right' method='get' action='/guix/log/tests/egg.scm'>
<input type='hidden' name='id' value='0d5995e4fda2893db6359b9a2ec79d72885dc4c4'/><select name='qt'>
<option value='grep'>log msg</option>
<option value='author'>author</option>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/guix/log/?id=0d5995e4fda2893db6359b9a2ec79d72885dc4c4'>root</a>/<a href='/guix/log/tests?id=0d5995e4fda2893db6359b9a2ec79d72885dc4c4'>tests</a>/<a href='/guix/log/tests/egg.scm?id=0d5995e4fda2893db6359b9a2ec79d72885dc4c4'>egg.scm</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/tests/egg.scm?id=0d5995e4fda2893db6359b9a2ec79d72885dc4c4&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2024-04-15 22:36:42 +0200'>2024-04-15</span></td><td><a href='/guix/commit/tests/egg.scm?id=54be7795b5cc2f6cad05f8649121372c9d5af806'>utils: Don’t re-export ‘call-with-temporary-output-file’.</a><span class='msg-avail'>...<span class='msg-tooltip'>* guix/utils.scm: Remove re-export of ‘call-with-temporary-output-file’.
Autoload a number of modules.
* guix/download.scm, guix/import/hackage.scm,
guix/import/hexpm.scm, guix/import/opam.scm,
guix/import/pypi.scm, tests/cpio.scm, tests/egg.scm,
tests/opam.scm, tests/publish.scm, tests/store-database.scm,
tests/utils.scm: Adjust imports accordingly.

Change-Id: I3f5e94631397996a30be2ea4ff8b50a3371e8ee7
</span></span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2021-11-17 23:43:14 +0100'>2021-11-17</span></td><td><a href='/guix/commit/tests/egg.scm?id=3a317f7476f8c6012e166ff9f340f861938721c9'>Merge branch 'master' into core-updates-frozen</a></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2021-11-14 00:10:58 +0100'>2021-11-14</span></td><td><a href='/guix/commit/tests/egg.scm?id=114005bea61efcd5f7d768e2d6503e873f654c16'>tests: Adjust tests/egg.scm to latest API changes.</a><span class='msg-avail'>...<span class='msg-tooltip'>This is a followup to b999c80c2e71bd4b3f26a18a321b7e7e7b580103.

* tests/egg.scm (eval-test-with-egg-file): Pass 'version' argument to
'egg-&gt;guix-package'.
</span></span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2021-07-20 23:43:29 +0200'>2021-07-20</span></td><td><a href='/guix/commit/tests/egg.scm?id=5b6285518be6e4f588f688dadf70eacf4614b797'>import: egg: Emit new-style package inputs.</a><span class='msg-avail'>...<span class='msg-tooltip'>* guix/import/egg.scm (egg-&gt;guix-package): Generate dependency list from
a list of symbols.
[egg-parse-dependency]: Return a list of symbols.
[maybe-inputs]: Wrap INPUTS in 'list' instead of 'quasiquote'.
* tests/egg.scm (match-chicken-foo): Adjust accordingly.

Signed-off-by: Ludovic Courtès &lt;ludo@gnu.org&gt;
</span></span></td><td>Sarah Morgensen</td></tr>
<tr><td><span title='2021-06-03 13:05:18 +0200'>2021-06-03</span></td><td><a href='/guix/commit/tests/egg.scm?id=bdc298ecee15283451d3aa20a849dd7bb22c8538'>import: Add CHICKEN egg importer.</a><span class='msg-avail'>...<span class='msg-tooltip'>* guix/import/egg.scm: New file.
* guix/scripts/import/egg.scm: New file.
* tests/egg.scm: New file.
* Makefile.am (MODULES, SCM_TESTS): Register them.
* po/guix/POTFILES.in: Likewise.
* guix/scripts/import.scm (importers): Add egg importer.
* doc/guix.texi (Invoking guix import, Invoking guix refresh): Document it.

Signed-off-by: Ludovic Courtès &lt;ludo@gnu.org&gt;
</span></span></td><td>Xinglu Chen</td></tr>

Age	Commit message (Expand)	Author
2024-04-15	utils: Don’t re-export ‘call-with-temporary-output-file’....* guix/utils.scm: Remove re-export of ‘call-with-temporary-output-file’. Autoload a number of modules. * guix/download.scm, guix/import/hackage.scm, guix/import/hexpm.scm, guix/import/opam.scm, guix/import/pypi.scm, tests/cpio.scm, tests/egg.scm, tests/opam.scm, tests/publish.scm, tests/store-database.scm, tests/utils.scm: Adjust imports accordingly. Change-Id: I3f5e94631397996a30be2ea4ff8b50a3371e8ee7	Ludovic Courtès
2021-11-17	Merge branch 'master' into core-updates-frozen	Ludovic Courtès
2021-11-14	tests: Adjust tests/egg.scm to latest API changes....This is a followup to b999c80c2e71bd4b3f26a18a321b7e7e7b580103. * tests/egg.scm (eval-test-with-egg-file): Pass 'version' argument to 'egg->guix-package'.	Ludovic Courtès
2021-07-20	import: egg: Emit new-style package inputs....* guix/import/egg.scm (egg->guix-package): Generate dependency list from a list of symbols. [egg-parse-dependency]: Return a list of symbols. [maybe-inputs]: Wrap INPUTS in 'list' instead of 'quasiquote'. * tests/egg.scm (match-chicken-foo): Adjust accordingly. Signed-off-by: Ludovic Courtès <ludo@gnu.org>	Sarah Morgensen
2021-06-03	import: Add CHICKEN egg importer....* guix/import/egg.scm: New file. * guix/scripts/import/egg.scm: New file. * tests/egg.scm: New file. * Makefile.am (MODULES, SCM_TESTS): Register them. * po/guix/POTFILES.in: Likewise. * guix/scripts/import.scm (importers): Add egg importer. * doc/guix.texi (Invoking guix import, Invoking guix refresh): Document it. Signed-off-by: Ludovic Courtès <ludo@gnu.org>	Xinglu Chen