CVE-2026-56404
Description
libexpat before 2.8.2 has an integer overflow in addBinding.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE) range: <2.8.2
- (no CPE) range: <2.8.2
Patches
Vulnerability mechanics
Root cause
"Signed integer overflow in the addBinding function when incrementing a loop counter past a NUL terminator in the uri string."
Attack vector
An attacker can trigger a signed integer overflow in the `addBinding` function by crafting XML input that causes the `uri` length to reach the boundary of the pool block size. The overflow occurs when the loop counter `len` is incremented past the NUL terminator, leading to undefined behavior [ref_id=1]. This is a sibling of issue #1232, which involves the same pattern of an integer counter walking past a NUL terminator [ref_id=1]. The attack vector is network-based, requiring the attacker to send specially crafted XML data to an application using libexpat.
Affected code
The vulnerability is in the `addBinding` function in `expat/lib/xmlparse.c`. The integer overflow occurs in two locations: the `for (len = 0; uri[len]; len++)` loop at line 4370 and the `if (parser->m_namespaceSeparator) len++;` increment at line 4411. The `uri` length is bounded by the pool block size, but the post-increment operation can still trigger signed undefined behavior at the boundary [ref_id=1].
What the fix does
The patch protects the `addBinding` function from signed integer overflow. While the exact diff is not shown in the reference, the fix addresses the signed undefined behavior that occurs when the loop counter `len` is incremented past the NUL terminator in the `uri` string [ref_id=1]. The fix ensures that the integer operations do not result in undefined behavior at the boundary of the pool block size [ref_id=1].
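The counter pattern described above, as an added C example (not libexpat's code and not the actual patch, which the reference does not show): a loop of the same shape beside one way to guard each increment. The function names and the `max` parameter, which stands in for `INT_MAX` so the boundary can be exercised with short strings, are assumptions.

```c
#include <limits.h>
#include <stdio.h>

/* Unguarded shape: both increments are signed. If len ever equals
 * INT_MAX, len++ is undefined behavior, even when the buffer itself
 * is bounded elsewhere. */
static int binding_len_unchecked(const char *uri, int has_sep) {
    int len;
    for (len = 0; uri[len]; len++)
        ;
    if (has_sep)
        len++;
    return len;
}

/* Guarded shape (hypothetical helper): test against max before every
 * increment so the counter can never step past it.
 * Returns 0 and stores the length in *out, or -1 if it would exceed max. */
static int binding_len_checked(const char *uri, int has_sep, int max, int *out) {
    int len = 0;
    while (uri[len]) {
        if (len >= max)
            return -1;          /* loop increment would overflow */
        len++;
    }
    if (has_sep) {
        if (len >= max)
            return -1;          /* separator increment would overflow */
        len++;
    }
    *out = len;
    return 0;
}

int main(void) {
    const char *uri = "http://example.org/ns";  /* constructed sample */
    int len = 0;
    int rc = binding_len_checked(uri, 1, INT_MAX, &len);
    printf("unchecked len=%d\n", binding_len_unchecked(uri, 1));
    printf("checked rc=%d len=%d\n", rc, len);
    /* max=3 simulates a uri whose length sits exactly at the limit */
    rc = binding_len_checked("abc", 1, 3, &len);
    printf("at boundary rc=%d\n", rc);
    return 0;
}
```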
Preconditions
- config: The application must use libexpat before version 2.8.2 to parse XML input
- input: The attacker must be able to supply crafted XML data that causes the uri length to reach the pool block size boundary
- network: The attack is network-based, requiring the attacker to send the malicious XML to the target application
Generated on Jun 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References