[CVE-2026-56410] xmlwf: protect resolveSystemId from integer overflow

[netliomax25-code]

resolveSystemId builds an absolute path by allocating (tcslen(base) + tcslen(systemId) + 2) * sizeof(XML_Char), then copies base and systemId in. systemId comes from an external entity SYSTEM identifier, so on a wide-char build the multiply can wrap and under-allocate, leaving the following tcscpy/tcscat to overflow the heap. Guard the count against SIZE_MAX / sizeof(XML_Char) before the malloc, like copyString does, and fall back to systemId as the malloc-failure path already does.

[hartwork]

@netliomax25-code the suggested patch may not be enough, please see below:

[Smattr]

This might be a silly question, but where does the + 2 come from? git blame tells me, originally, 5bfaa29, but this still does not explain. AFAICT this code copies at most the length of the other two strings + 1 character.

(I realise this is not being changed in this PR, but just wondering while we’re here adding overflow checks if the value overflowing is even the correct sum.)

[netliomax25-code]

@Smattr you're right, the worst case is tcslen(base) (the part kept before the last separator) + tcslen(systemId) + 1 for the NUL, so +1 would be enough and +2 over-allocates by one char. Looks like a harmless off-by-one from the original commit rather than something load-bearing. I left it alone here to keep this PR scoped to the overflow guard, but happy to trim it to +1 in a separate change if you'd prefer.

[hartwork]

@netliomax25-code thanks for the adjustments!

[hartwork]

@Smattr @netliomax25-code I believe the additional "plus 1" was intended for insertion of a delimiter, just the code after at…

libexpat/expat/xmlwf/xmlfile.c

Lines 145 to 153 in 8d28505

	tcscpy(*toFree, base);
	s = *toFree;
	if (tcsrchr(s, T('/')))
	s = tcsrchr(s, T('/')) + 1;
	#if defined(_WIN32)
	if (tcsrchr(s, T('\\')))
	s = tcsrchr(s, T('\\')) + 1;
	#endif
	tcscpy(s, systemId);

…does not add a delimiter (but look for existing ones). My vote for a dedicated follow-up pull request.

[netliomax25-code]

Agreed, follow-up it is. I'll open a separate PR to trim the +2 to +1 since nothing inserts a delimiter, so base + systemId + 1 for the NUL is all we need. Keeping this one scoped to the overflow guard.

[hartwork]

CVE-2026-56410 has been assigned