CVE-2026-56132
Description
In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold backing array reallocation is mishandled when there is data-structure sharing across parsers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- libexpat, range: <2.8.2
Patches
Vulnerability mechanics
Root cause
"Missing explicit size tracking for the scaffold index array when DTD data-structures are shared across parsers, leading to a heap buffer overflow on reallocation."
Attack vector
An attacker can trigger this by crafting an XML document that uses external parameter entities to share DTD data-structures across parsers. The document includes deeply nested element declarations that cause the `scaffIndex` array to be reallocated in one parser context, while the shared DTD retains a stale size. When the other parser writes to `scaffIndex` using the stale size, it overflows the heap buffer. The attacker controls the XML input and can arrange for the external entity to be parsed, satisfying the precondition that `XML_SetParamEntityParsing` is set to `XML_PARAM_ENTITY_PARSING_ALWAYS`.
Affected code
The vulnerability is in `expat/lib/xmlparse.c`, specifically in the `doProlog` function and the `dtdCopy` function. The `scaffIndex` array and its size tracking (`scaffIndexSize`) are shared across parsers via `dtdCopy`, but the old code only tracked the size implicitly through `m_groupSize` in the parser, not in the DTD structure itself. When an external entity parser shares the DTD, the `scaffIndex` can be reallocated to a smaller size than expected, leading to a heap-based buffer overflow.
What the fix does
The patch introduces a new `scaffIndexSize` field in the `DTD` struct to explicitly track the allocated size of the `scaffIndex` array. Previously, the size was only implicitly tracked via `m_groupSize` in the parser, which was not reliable when the DTD was shared across parsers via `dtdCopy`. The patch adds a bounds check in `doProlog` that compares `dtd->scaffLevel` against `dtd->scaffIndexSize` before writing, and reallocates the array if needed. It also initializes `scaffIndexSize` to 0 in `dtdCreate` and `dtdReset`, and copies it in `dtdCopy` so the size is correctly propagated to shared DTDs.
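As an added illustration of the design point above (the scaffold capacity has to live in the shared DTD structure, not in each parser), here is a small C model written for this page. It is not libexpat's code and not the fix commit; the `Dtd` and `Parser` structs, the `scaff_push_fixed`/`scaff_push_stale` functions, `dtd_copy` and the two-parser scenario in `run_scenario` are constructed assumptions. Only the field names `scaffIndex`, `scaffIndexSize` and `scaffLevel` follow the description. The pre-fix variant does not perform the out-of-bounds write; it reports it, so the failure mode can be observed without corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (assumption, not xmlparse.c): a DTD-like structure owns the
   scaffold index array and records its allocated size itself. */
typedef struct {
    int *scaffIndex;     /* index stack for nested element-content declarations */
    int  scaffIndexSize; /* allocated capacity of scaffIndex (the field the fix adds) */
    int  scaffLevel;     /* current nesting depth, i.e. the next write position */
} Dtd;

typedef struct {
    Dtd *dtd;       /* shared between parsers once an external entity is parsed */
    int  groupSize; /* per-parser capacity belief; pre-fix code relied on this alone */
} Parser;

static void dtd_create(Dtd *d) {
    d->scaffIndex = NULL;
    d->scaffIndexSize = 0;   /* initialized to 0, as the fix does in dtdCreate/dtdReset */
    d->scaffLevel = 0;
}

static void dtd_destroy(Dtd *d) {
    free(d->scaffIndex);
    dtd_create(d);
}

/* Copy a DTD for another parser; the capacity travels with the array. */
static int dtd_copy(Dtd *dst, const Dtd *src) {
    dtd_create(dst);
    if (src->scaffIndexSize > 0) {
        dst->scaffIndex = malloc((size_t)src->scaffIndexSize * sizeof(int));
        if (!dst->scaffIndex) return 0;
        memcpy(dst->scaffIndex, src->scaffIndex, (size_t)src->scaffLevel * sizeof(int));
    }
    dst->scaffIndexSize = src->scaffIndexSize;
    dst->scaffLevel = src->scaffLevel;
    return 1;
}

/* Grow the array so that at least `needed` slots exist; 0 on allocation failure. */
static int scaff_grow(Dtd *d, int needed) {
    int newSize = d->scaffIndexSize ? d->scaffIndexSize : 4;
    while (newSize < needed) newSize *= 2;
    int *tmp = realloc(d->scaffIndex, (size_t)newSize * sizeof(int));
    if (!tmp) return 0;
    d->scaffIndex = tmp;
    d->scaffIndexSize = newSize;
    return 1;
}

/* Patched behaviour: compare scaffLevel against the DTD's own size before writing. */
static int scaff_push_fixed(Parser *p, int value) {
    Dtd *d = p->dtd;
    if (d->scaffLevel >= d->scaffIndexSize && !scaff_grow(d, d->scaffLevel + 1))
        return 0;
    d->scaffIndex[d->scaffLevel++] = value;
    return 1;
}

/* Pre-fix behaviour as the description characterises it: the capacity decision is
   driven by the parser's groupSize, which the other parser's reallocation never
   updates. The model still records the true allocation in scaffIndexSize so a write
   past the end is reported (-1) instead of performed. */
static int scaff_push_stale(Parser *p, int value) {
    Dtd *d = p->dtd;
    if (d->scaffLevel >= p->groupSize) {
        int newSize = p->groupSize ? p->groupSize * 2 : 4; /* may shrink a shared array */
        int *tmp = realloc(d->scaffIndex, (size_t)newSize * sizeof(int));
        if (!tmp) return 0;
        d->scaffIndex = tmp;
        d->scaffIndexSize = newSize; /* bookkeeping for the safety check below only */
        p->groupSize = newSize;
    }
    if (d->scaffLevel >= d->scaffIndexSize)
        return -1; /* this is where the heap overflow would happen in the real bug */
    d->scaffIndex[d->scaffLevel++] = value;
    return 1;
}

/* Constructed scenario: parser A nests declarations to depth 6, then parser B, which
   shares the DTD but has its own stale groupSize, continues to depth 8. */
static int run_scenario(int patched) {
    Dtd shared;
    Parser a = { &shared, 0 }, b = { &shared, 0 };
    int rc = 1;
    dtd_create(&shared);
    for (int i = 0; i < 6 && rc == 1; i++)
        rc = patched ? scaff_push_fixed(&a, i) : scaff_push_stale(&a, i);
    for (int i = 6; i < 8 && rc == 1; i++)
        rc = patched ? scaff_push_fixed(&b, i) : scaff_push_stale(&b, i);
    for (int i = 0; rc == 1 && i < 8; i++)   /* contents must survive the sharing */
        if (shared.scaffIndex[i] != i) rc = -2;
    dtd_destroy(&shared);
    return rc;
}

/* Check that a copied DTD carries the capacity along with the array. */
static int copy_propagates_size(void) {
    Dtd src, dst;
    Parser p = { &src, 0 };
    dtd_create(&src);
    dtd_create(&dst);
    int ok = scaff_push_fixed(&p, 42) == 1 && dtd_copy(&dst, &src) == 1
          && dst.scaffIndexSize == src.scaffIndexSize && dst.scaffIndex[0] == 42;
    dtd_destroy(&src);
    dtd_destroy(&dst);
    return ok;
}

int main(void) {
    printf("patched: %d (1 = every write in bounds)\n", run_scenario(1));
    printf("pre-fix: %d (-1 = out-of-bounds write detected)\n", run_scenario(0));
    return 0;
}
```

The pre-fix path shows the shrink the description mentions: parser B's stale `groupSize` of 0 reallocates the shared array down to 4 slots while `scaffLevel` is already 6, so the next write lands past the allocation. The patched path consults `scaffIndexSize` in the DTD, sees 8 slots, and only grows when depth 8 is reached.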
Preconditions
- config: The application must call XML_SetParamEntityParsing with XML_PARAM_ENTITY_PARSING_ALWAYS to enable external parameter entity processing.
- input: The attacker must supply an XML document that triggers external entity parsing, causing DTD data-structure sharing across parsers.
Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions: no linked articles in our index yet.