diff --git a/backport-CVE-2024-50602-testcase.patch b/backport-CVE-2024-50602-testcase.patch
new file mode 100644
index 0000000000000000000000000000000000000000..583ce511eafe4899fefa1c73de1d766b8c102862
--- /dev/null
+++ b/backport-CVE-2024-50602-testcase.patch
@@ -0,0 +1,88 @@
+From b3836ff534c7cc78128fe7b935aad3d4353814ed Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 20 Oct 2024 23:24:27 +0200
+Subject: [PATCH 3/3] tests: Cover XML_StopParser's new handling of status
+ XML_INITIALIZED
+
+Prior to the fix to XML_StopParser, test test_misc_resumeparser_not_crashing
+would crash with a NULL pointer dereference in function normal_updatePosition.
+This was the AddressSanitizer output:
+
+> AddressSanitizer:DEADLYSIGNAL
+> =================================================================
+> ==19700==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5623e07ad85f bp 0x7ffcf40da650 sp 0x7ffcf40da590 T0)
+> ==19700==The signal is caused by a READ memory access.
+> ==19700==Hint: address points to the zero page.
+>     #0 0x5623e07ad85f in normal_updatePosition [..]/lib/xmltok_impl.c:1781:13
+>     #1 0x5623e07a52ff in initUpdatePosition [..]/lib/xmltok.c:1031:3
+>     #2 0x5623e0762760 in XML_ResumeParser [..]/lib/xmlparse.c:2297:3
+>     #3 0x5623e074f7c1 in test_misc_resumeparser_not_crashing() misc_tests_cxx.cpp
+>     #4 0x5623e074e228 in srunner_run_all ([..]/build_asan_fuzzers/tests/runtests_cxx+0x136228)
+>     #5 0x5623e0753d2d in main ([..]/build_asan_fuzzers/tests/runtests_cxx+0x13bd2d)
+>     #6 0x7f802a39af79  (/lib64/libc.so.6+0x25f79)
+>     #7 0x7f802a39b034 in __libc_start_main (/lib64/libc.so.6+0x26034)
+>     #8 0x5623e064f340 in _start ([..]/build_asan_fuzzers/tests/runtests_cxx+0x37340)
+>
+> AddressSanitizer can not provide additional info.
+> SUMMARY: AddressSanitizer: SEGV [..]/lib/xmltok_impl.c:1781:13 in normal_updatePosition
+> ==19700==ABORTING
+
+And this the UndefinedBehaviorSanitizer output:
+
+> [..]/lib/xmltok_impl.c:1781:13: runtime error: load of null pointer of type 'const char'
+> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior [..]/lib/xmltok_impl.c:1781:13 in
+---
+ tests/runtests.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/tests/runtests.c b/tests/runtests.c
+index 3c710d9..9f85011 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -8089,6 +8089,34 @@ START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) {
+ }
+ END_TEST
+ 
++START_TEST(test_misc_resumeparser_not_crashing) {
++  XML_Parser parser = XML_ParserCreate(NULL);
++  XML_GetBuffer(parser, 1);
++  XML_StopParser(parser, /*resumable=*/XML_TRUE);
++  XML_ResumeParser(parser); // could crash here, previously
++  XML_ParserFree(parser);
++}
++END_TEST
++
++START_TEST(test_misc_stopparser_rejects_unstarted_parser) {
++  const XML_Bool cases[] = {XML_TRUE, XML_FALSE};
++  for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
++    const XML_Bool resumable = cases[i];
++    XML_Parser parser = XML_ParserCreate(NULL);
++
++    if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
++       fail("There was not supposed to be any initial parse error.");
++
++   if (XML_StopParser(parser, resumable) != XML_STATUS_ERROR)
++       fail("Attempting to suspend a subordinate parser not faulted.");
++
++   if (XML_GetErrorCode(parser) != XML_ERROR_NOT_STARTED)
++       fail("parser not started.");
++    XML_ParserFree(parser);
++  }
++}
++END_TEST
++
+ static void
+ alloc_setup(void) {
+   XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free};
+@@ -12575,6 +12603,8 @@ make_suite(void) {
+   tcase_add_test(tc_misc, test_misc_stop_during_end_handler_issue_240_2);
+   tcase_add_test__ifdef_xml_dtd(
+       tc_misc, test_misc_deny_internal_entity_closing_doctype_issue_317);
++  tcase_add_test(tc_misc, test_misc_resumeparser_not_crashing);
++  tcase_add_test(tc_misc, test_misc_stopparser_rejects_unstarted_parser);
+ 
+   suite_add_tcase(s, tc_alloc);
+   tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);
+-- 
+2.27.0
+
diff --git a/backport-CVE-2024-50602.patch b/backport-CVE-2024-50602.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cfe36e51c62e068c27eb23b0d20299e671419a20
--- /dev/null
+++ b/backport-CVE-2024-50602.patch
@@ -0,0 +1,71 @@
+From 51c7019069b862e88d94ed228659e70bddd5de09 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 21 Oct 2024 01:42:54 +0200
+Subject: [PATCH 1/3] lib: Make XML_StopParser refuse to stop/suspend an
+ unstarted parser
+---
+ lib/expat.h    |  4 +++-
+ lib/xmlparse.c | 11 ++++++++++-
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/lib/expat.h b/lib/expat.h
+index 29f0d1e..c5e7d02 100644
+--- a/lib/expat.h
++++ b/lib/expat.h
+@@ -117,7 +117,9 @@ enum XML_Error {
+   /* Added in 2.2.1. */
+   XML_ERROR_INVALID_ARGUMENT,
+   /* Added in 2.2.9. */
+-  XML_ERROR_AMPLIFICATION_LIMIT_BREACH
++  XML_ERROR_AMPLIFICATION_LIMIT_BREACH,
++  /* Added in 2.6.4. */
++  XML_ERROR_NOT_STARTED,
+ };
+ 
+ enum XML_Content_Type {
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 56af19f..f06ed81 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2173,6 +2173,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+   if (parser == NULL)
+     return XML_STATUS_ERROR;
+   switch (parser->m_parsingStatus.parsing) {
++  case XML_INITIALIZED:
++    parser->m_errorCode = XML_ERROR_NOT_STARTED;
++    return XML_STATUS_ERROR;
+   case XML_SUSPENDED:
+     if (resumable) {
+       parser->m_errorCode = XML_ERROR_SUSPENDED;
+@@ -2183,7 +2186,7 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+   case XML_FINISHED:
+     parser->m_errorCode = XML_ERROR_FINISHED;
+     return XML_STATUS_ERROR;
+-  default:
++  case XML_PARSING:
+     if (resumable) {
+ #ifdef XML_DTD
+       if (parser->m_isParamEntity) {
+@@ -2194,6 +2197,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+       parser->m_parsingStatus.parsing = XML_SUSPENDED;
+     } else
+       parser->m_parsingStatus.parsing = XML_FINISHED;
++    break;
++  default:
++    assert(0);
+   }
+   return XML_STATUS_OK;
+ }
+@@ -2454,6 +2460,9 @@ XML_ErrorString(enum XML_Error code) {
+   case XML_ERROR_AMPLIFICATION_LIMIT_BREACH:
+     return XML_L(
+         "limit on input amplification factor (from DTD and entities) breached");
++  /* Added in 2.6.4. */
++  case XML_ERROR_NOT_STARTED:
++    return XML_L("parser not started");
+   }
+   return NULL;
+ }
+-- 
+2.27.0
+
diff --git a/expat.spec b/expat.spec
index 1d57f280218ce51a832084c375fbf93136570a4e..847d45ab859f81d2f2793d0064f9d26c6d2bcaa3 100644
--- a/expat.spec
+++ b/expat.spec
@@ -1,7 +1,7 @@
 %define Rversion %(echo %{version} | sed -e 's/\\./_/g' -e 's/^/R_/')
 Name:           expat
 Version:        2.2.9
-Release:        14
+Release:        15
 Summary:        An XML parser library
 License:        MIT
 URL:            https://libexpat.github.io/
@@ -74,6 +74,8 @@ Patch62:        backport-001-CVE-2024-45490.patch
 Patch63:        backport-002-CVE-2024-45490.patch
 Patch64:        backport-CVE-2024-45491.patch
 Patch65:        backport-CVE-2024-45492.patch
+Patch66:        backport-CVE-2024-50602.patch
+Patch67:        backport-CVE-2024-50602-testcase.patch
 
 BuildRequires:  sed,autoconf,automake,gcc-c++,libtool,xmlto
 
@@ -126,6 +128,9 @@ make check
 %{_mandir}/man1/*
 
 %changelog
+* Tue Oct 29 2024 liningjie <liningjie@xfusion.com> - 2.2.9-15
+- fix CVE-2024-50602
+
 * Wed Sep 04 2024 Funda Wang <fundawang@yeah.net> - 2.2.9-14
 - fix CVE-2024-45491, CVE-2024-45492