Lines Matching +full:quality +full:- +full:of +full:- +full:service
14 !! - teaming up on researching and fixing future security reports and !!
15 !! ClusterFuzz findings with few-days-max response times in communication !!
16 !! in order to (1) have a sound fix ready before the end of a 90 days !!
18 !! - helping CPython Expat bindings with supporting Expat's amplification !!
20 !! - XML_SetAllocTrackerActivationThreshold !!
21 !! - XML_SetAllocTrackerMaximumAmplification !!
22 !! - XML_SetBillionLaughsAttackProtectionActivationThreshold !!
23 !! - XML_SetBillionLaughsAttackProtectionMaximumAmplification !!
24 !! - helping Perl's XML::Parser Expat bindings with supporting Expat's !!
25 !! security API (https://github.com/cpan-authors/XML-Parser/issues/102): !!
26 !! - XML_SetAllocTrackerActivationThreshold !!
27 !! - XML_SetAllocTrackerMaximumAmplification !!
28 !! - XML_SetBillionLaughsAttackProtectionActivationThreshold !!
29 !! - XML_SetBillionLaughsAttackProtectionMaximumAmplification !!
30 !! - XML_SetReparseDeferralEnabled !!
31 !! - implementing and auto-testing XML 1.0r5 support !!
33 !! - smart ideas on fixing the Autotools CMake files generation issue !!
35 !! - pushing migration from `int` to `size_t` further !!
36 !! including edge-cases test coverage (needs discussion before anything). !!
38 !! For details, please reach out via e-mail to sebastian@pipping.org so we !!
41 !! THANK YOU! Sebastian Pipping -- Berlin, 2024-03-09 !!
46 #1046 #1048 Fix alignment of internal allocations for some non-amd64
48 CVE-2025-59375 from #1034 (of Expat 2.7.2 and related
50 #1059 Fix a class of false positives where input should have been
52 CVE-2024-8176 fix pull request #973 (of Expat 2.7.0 and
57 #1043 Prove and regression-proof absence of integer overflow
60 #1049 Autotools: Remove "ln -s" discovery
61 #1054 docs: Be consistent with use of floating point around
65 #1057 docs: Better integrate the effect of the activation
67 #1058 docs: Fix an in-comment typo in expat.h
69 #1041 docs: Improve change log of release 2.7.2
70 #1053 xmlwf: Resolve use of functions XML_GetErrorLineNumber
81 #1039 CI|FreeBSD: Do not install CMake meta-package
94 OSS-Fuzz / ClusterFuzz
99 #1018 #1034 CVE-2025-59375 -- Disallow use of disproportional amounts of
101 a ~250 KiB sized document was able to cause allocation of
102 ~800 MiB from the heap, i.e. an "amplification" of factor
106 with an out-of-memory error.
107 There are two new API functions to fine-tune this new
109 - XML_SetAllocTrackerActivationThreshold
110 - XML_SetAllocTrackerMaximumAmplification .
111 If you ever need to increase these defaults for non-attack
115 of allocations debugging at runtime, disabled by default.
116 Known impact is (reliable and easy) denial of service:
119 Please note that a layer of compression around XML can
121 Distributors intending to backport (or cherry-pick) the
122 fix need to copy 99% of the related pull request, not just
123 the "lib: Implement tracking of dynamic memory allocations"
126 to the pull request URL could be of help.
131 #1004 CMake: Fix off_t detection for -Werror
132 #1007 CMake|Windows: Fix -DEXPAT_MSVC_STATIC_CRT=ON
135 --help output
148 #999 #1001 Address more clang-tidy warnings
156 #1031 CI: Make calling Cppcheck without --suppress=objectIndex
157 and --suppress=unknownMacro possible
158 #1013 CI|Windows: Get off of deprecated image "windows-2019"
168 OSS-Fuzz / ClusterFuzz
174 (that the fix to CVE-2024-8176 changed in 2.7.0);
176 - XML_GetCurrentByteCount
177 - XML_GetCurrentByteIndex
178 - XML_GetCurrentColumnNumber
179 - XML_GetCurrentLineNumber
180 - XML_GetInputContext
186 #992 docs: Promote OpenSSF Best Practices self-certification
188 #986 Address Frama-C warnings
196 #991 CI: Re-enable warning clang-analyzer-valist.Uninitialized
197 for clang-tidy
211 #893 #973 CVE-2024-8176 -- Fix crash from chaining a large number
212 of entities caused by stack overflow by resolving use of
213 recursion, for all three uses of entities:
214 - general entities in character data ("<e>&g1;</e>")
215 - general entities in attribute values ("<e k1='&g1;'/>")
216 - parameter entities ("%p1;")
217 Known impact is (reliable and easy) denial of service:
220 Please note that a layer of compression around XML can
229 #921 docs: Add missing documentation of error code
233 #944 Windows: Fix installer target location of file xmlwf.xml
235 #953 Windows: Address warning -Wunknown-warning-option
236 about -Wno-pedantic-ms-format from LLVM MinGW
238 #969 #970 Mass-migrate links from http:// to https://
252 #961 Google's libprotobuf-mutator ("LPM")
254 #936 CI: Pass -q -q for LCOV >=2.1 in coverage.sh
259 #956 CI: Get off of about-to-be-removed Ubuntu 20.04
283 #915 CVE-2024-50602 -- Fix crash within function XML_ResumeParser
287 properly communicate this situation. // CWE-476 CWE-754
293 #902 tests: Reduce use of global parser instance
295 #317 #918 tests: Improve tests on doctype closing (ex CVE-2019-15903)
296 #914 Fix signedness of format strings
298 use of C99 features
305 #913 CI: Drop macos-12 and add macos-15
316 #887 #890 CVE-2024-45490 -- Calling function XML_ParseBuffer with
323 Impact is denial of service to potentially arbitrary code
325 #888 #891 CVE-2024-45491 -- Internal function dtdCopy can have an
326 integer overflow for nDefaultAtts on 32-bit platforms
328 Impact is denial of service to potentially arbitrary code
330 #889 #892 CVE-2024-45492 -- Internal function nextScaffoldPart can
331 have an integer overflow for m_groupSize on 32-bit
333 Impact is denial of service to potentially arbitrary code
340 #870 Autotools: Simplify handling of SIZEOF_VOID_P
341 #869 Autotools: Support non-GNU sed
364 Dag-Erling Smørgrav
370 #839 #842 CVE-2024-28757 -- Prevent billion laughs attacks with
371 isolated use of external parsers. Please see the commit
372 message of commit 1d50b80cf31de87750103656f6eb693746854aa8
391 OSS-Fuzz / ClusterFuzz
395 #817 Make tests independent of CPU speed, and thus more robust
400 #829 Hide test-only code behind new internal macro
403 ./configure --without-docbook && make clean all
410 #818 CI: Adapt to breaking changes in clang-format
418 #789 #814 CVE-2023-52425 -- Fix quadratic runtime issues with big tokens
419 that can cause denial of service, in particular where
421 that parsed a document in one go -- a single call to
422 functions XML_Parse or XML_ParseBuffer -- were not affected.
425 Backporters should be careful to not omit parts of
428 #777 CVE-2023-52426 -- Fix billion laughs attacks for users
431 Expat >=2.4.0 (and that was CVE-2013-0340 back then).
434 #753 Fix parse-size-dependent "invalid token" error for
439 #812 #813 Protect against closing entities out of order
444 #761 #770 xmlwf: Support --help and --version
450 #726 #727 Autotools: configure.ac: Support --disable-maintainer-mode
453 #795 Autotools: Make installation of shipped man page doc/xmlwf.1
454 independent of docbook2man availability
455 #815 Autotools|CMake: Add missing -DXML_STATIC to pkg-config file
457 against static libexpat using pkg-config on Windows
459 (a de-facto requirement already since Expat 2.2.2 of 2017)
465 #785 CMake|Windows: Fix generation of DLL file version info
467 a build with -DEXPAT_BUILD_TESTS=ON
468 #745 #757 docs: Document the importance of isFinal + adjust tests
470 #736 docs: Improve use of "NULL" and "null"
471 #713 docs: Be specific about version of XML (XML 1.0r4)
472 and version of C (C99); (XML 1.0r5 will need a sponsor.)
477 #696 docs|CI: Use HTTPS URLs instead of HTTP at various places
481 #798 #800 Address clang-tidy warnings
488 #766 docs: Improve parse buffer variables in-code documentation
493 #671 Improve handling of empty environment variable value
499 #367 #799 Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests
501 #669 CI: Be robust towards absence of Git tags
505 #798 CI: Enforce clang-tidy clean code
527 OSS-Fuzz
532 #616 #649 #650 CVE-2022-43680 -- Fix heap use-after-free after overeager
533 destruction of a shared DTD in function
534 XML_ExternalEntityParserCreate in out-of-memory situations.
535 Expected impact is denial of service or potentially
545 #656 CMake: Fix generation of pkg-config file
550 #666 examples: Make use of XML_GetBuffer and be more
566 #629 #640 CVE-2022-40674 -- Heap use-after-free vulnerability in
567 function doContent. Expected impact is denial of service
571 #634 MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0
572 #614 docs: Fix documentation on effect of switch XML_DTD on
576 #638 MinGW: Make fix-xmltest-log.sh drop more Wine bug output
578 #608 CMake: Migrate from use of CMAKE_*_POSTFIX to
581 #597 #599 Windows|CMake: Add missing -DXML_STATIC to test runners
584 linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON
587 i.e. produce libexpat-1.dll rather than libexpat.dll
590 toolchain file "cmake/mingw-toolchain.cmake" to avoid
592 #597 #627 CMake: Unify inconsistent use of set() and option() in
593 context of public build time options to take need for
594 set(.. FORCE) in projects using Expat by means of
597 #644 Resolve use of deprecated "fgrep" by "grep -F"
601 #594 xmlwf: Fix harmless variable mix-up in function nsattcmp
612 #637 apply-clang-format.sh: Add support for BSD find
614 #635 coverage.sh: Fix name collision for -funsigned-char
629 #587 pkg-config: Move "-lm" to section "Libs.private"
630 #587 CMake|MSVC: Fix pkg-config section "Libs"
632 "-compatibility_version <version>" and
633 "-current_version <version>" in a way compatible with
648 #572 #577 Relax fix to CVE-2022-25236 (introduced with release 2.4.5)
652 0123456789 % -._~ :/?#[]@ !$&'()*+,;=
656 #577 Document consequences of namespace separator choices not just
658 #577 Document Expat's lack of validation of namespace URIs against
664 be of interest.
665 #579 Fix documentation of XML_EndDoctypeDeclHandler in <expat.h>
669 #573 Update documentation on use of XML_POOR_ENTROPY on Solaris
670 #569 #571 tests: Resolve use of macros NAN and INFINITY for GNU G++
682 #566 Fix a regression introduced by the fix for CVE-2022-25313
702 #562 CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
704 processing application on top of Expat can cause
706 on how invalid UTF-8 is handled inside the XML
709 #561 CVE-2022-25236 -- Passing (one or more) namespace separator
712 processor on top of Expat which can cause
717 #558 CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
719 file with a large number of opening braces.
720 Expected impact is denial of service or potentially
722 #560 CVE-2022-25314 -- Fix integer overflow in function copyString;
725 takes a value in the gigabytes to trigger, and a 64-bit
726 machine. Expected impact is denial of service.
727 #559 CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
728 needs input in the gigabytes and a 64-bit machine.
729 Expected impact is denial of service or potentially
745 #550 CVE-2022-23852 -- Fix signed integer overflow
750 Impact is denial of service or more.
751 #551 CVE-2022-23990 -- Fix unsigned integer overflow in function
755 Impact is denial of service or more.
777 #531 #534 CVE-2021-45960 -- Fix issues with left shifts by >=29 places
787 (which needs argument "-n" when running xmlwf).
788 Impact is denial of service, or more.
789 #532 #538 CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
792 Impact is denial of service or more.
793 #539 CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
796 - CVE-2022-22822 for function addBinding
797 - CVE-2022-22823 for function build_model
798 - CVE-2022-22824 for function defineAttribute
799 - CVE-2022-22825 for function lookup
800 - CVE-2022-22826 for function nextScaffoldPart
801 - CVE-2022-22827 for function storeAtts
802 Impact is denial of service or more.
814 #529 #539 CI: Cover compilation with -m32
832 - buildconf.sh
833 - fuzz/*.c
835 #495 #524 CMake: MinGW: Fix pkg-config section "Libs" for
836 - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug)
837 - multi-config CMake generators (e.g. Ninja Multi-Config)
839 when asking for a buffer of 0 (zero) bytes size
864 #34 #466 #484 CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
865 (denial-of-service; flavors targeting CPU time or RAM or both,
869 By conservative default, amplification up to a factor of 100.0
870 is tolerated and rejection only starts after 8 MiB of output bytes
873 - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to
875 - Two new API functions ..
876 - XML_SetBillionLaughsAttackProtectionMaximumAmplification and
877 - XML_SetBillionLaughsAttackProtectionActivationThreshold
880 If you ever need to increase the defaults for non-attack XML
882 - Two new XML_FEATURE_* constants ..
883 - that can be queried using the XML_GetFeatureList function, and
884 - that are shown in "xmlwf -v" output.
885 - Two new environment variable switches ..
886 - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and
887 - EXPAT_ENTITY_DEBUG=(0|1)
888 .. for runtime debugging of accounting and entity processing.
889 Specific behavior of these values may change in the future.
890 - Two new command line arguments "-a FACTOR" and "-b BYTES"
893 If you ever need to increase the defaults for non-attack XML
897 #332 #470 For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake)
898 or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault
899 for UTF-16 payloads containing CDATA sections.
900 #485 #486 Autotools: Fix generated CMake files for non-64bit and
901 non-Linux platforms (e.g. macOS and MinGW in particular)
919 due to addition of new symbols and error codes;
924 #457 CI: Start covering the list of exported symbols
926 #476 #482 CI: Adapt to breaking changes in image "ubuntu-18.04"
927 #477 CI: Cover well-formedness and DocBook/XHTML validity
928 of doc/reference.html and doc/xmlwf.xml
940 OSS-Fuzz
949 of Clang 11 (but not Clang 9).
951 - malformed input files (documented) and
952 - invalid command-line arguments (undocumented).
953 The case of invalid command-line arguments now
957 #439 xmlwf: Add argument -k to allow continuing after
958 non-fatal errors
959 #439 xmlwf: Add section about exit status to the -h help output
963 #382 #428 testrunner: Make verbose mode (argument "-v") report
968 #448 Document use of libexpat from a CMake-based project
974 #450 #452 Autotools: Resolve use of obsolete macro AC_CONFIG_HEADER
977 due to addition of error code XML_ERROR_NO_BUFFER
1004 when used with "-d DIRECTORY"
1005 #356 #359 MinGW: Provide declaration of rand_s for mingwrt <5.3.0
1006 #383 #392 Autotools: Use -Werror while configure tests the compiler
1008 #383 #393 #394 Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS,
1012 on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
1014 involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
1015 #360 CMake: Install pre-compiled shipped xmlwf.1 manpage in case
1016 of -DEXPAT_BUILD_DOCS=OFF
1017 #375 #380 #419 CMake: Fix use of Expat by means of add_subdirectory
1021 #385 CMake: Fix compilation with -DEXPAT_SHARED_LIBS=OFF for
1023 CMake: Expose man page compilation as target "xmlwf-manpage"
1025 to control generation of pkg-config file "expat.pc"
1028 #366 CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with
1029 default OFF to build fuzzer code against OSS-Fuzz and
1031 #354 Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF, each
1055 #349 Windows: Change the name of the Windows DLLs from expat*.dll
1059 case-insensitive file systems on Windows and the fact that
1069 #317 #318 CVE-2019-15903 -- Fix heap overflow triggered by
1076 when called from inside of an end element handler
1077 #341 xmlwf: Fix exit code for operation without "-d DIRECTORY";
1078 previously, only "-d DIRECTORY" would give you a proper
1080 # xmlwf -d . <<<'<not well-formed>' 2>/dev/null ; echo $?
1082 # xmlwf <<<'<not well-formed>' 2>/dev/null ; echo $?
1097 CMake, e.g.: cmake -G"Visual Studio 15 2017" .
1098 #338 xmlwf: Make "xmlwf -h" help output more friendly
1100 #244 #264 Autotools: Add argument --enable-xml-attr-info
1102 --with-getrandom
1103 --without-getrandom
1104 --with-sys-getrandom
1105 --without-sys-getrandom
1107 Autotools: Fix "make run-xmltest" for out-of-source builds
1109 prefix EXPAT_ with the exception of DOCBOOK_TO_MAN:
1110 - BUILD_doc -> EXPAT_BUILD_DOCS (plural)
1111 - BUILD_examples -> EXPAT_BUILD_EXAMPLES
1112 - BUILD_shared -> EXPAT_SHARED_LIBS
1113 - BUILD_tests -> EXPAT_BUILD_TESTS
1114 - BUILD_tools -> EXPAT_BUILD_TOOLS
1115 - DOCBOOK_TO_MAN -> DOCBOOK_TO_MAN (unchanged)
1116 - INSTALL -> EXPAT_ENABLE_INSTALL
1117 - MSVC_USE_STATIC_CRT -> EXPAT_MSVC_STATIC_CRT
1118 - USE_libbsd -> EXPAT_WITH_LIBBSD
1119 - WARNINGS_AS_ERRORS -> EXPAT_WARNINGS_AS_ERRORS
1120 - XML_CONTEXT_BYTES -> EXPAT_CONTEXT_BYTES
1121 - XML_DEV_URANDOM -> EXPAT_DEV_URANDOM
1122 - XML_DTD -> EXPAT_DTD
1123 - XML_NS -> EXPAT_NS
1124 - XML_UNICODE -> EXPAT_CHAR_TYPE=ushort (!)
1125 - XML_UNICODE_WCHAR_T -> EXPAT_CHAR_TYPE=wchar_t (!)
1126 #244 #264 CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF),
1128 #326 CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF),
1130 #328 CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF),
1133 -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO
1134 -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO
1138 CMake: Now produces a summary of applied configuration
1141 i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON)
1144 -DCMAKE_TOOLCHAIN_FILE=[expat]/cmake/mingw-toolchain.cmake
1145 #330 CMake: Port "make run-xmltest" from GNU Autotools to CMake
1150 #308 CMake: Integrate OSS-Fuzz fuzzers, option
1151 -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF
1159 #24 #293 Mass-apply clang-format 9 (and ensure conformance during CI)
1175 #186 #262 CVE-2018-20843 -- Fix extraction of namespace prefixes from
1177 the wrong namespace, and take a high amount of RAM and CPU
1179 use for denial-of-service attacks
1182 #195 #197 Autotools/CMake: Utilize -fvisibility=hidden to stop
1183 exporting non-API symbols
1184 #227 Autotools: Add --without-examples and --without-tests
1186 #245 #246 Autotools: Fix check for -fvisibility=hidden for Clang
1187 #247 #248 Autotools: Fix compilation for lack of docbook2x-man
1189 #212 CMake: Make libdir of pkgconfig expat.pc support multilib
1193 #243 Windows: Fix syntax of .def module definition files
1211 #204 #205 Fix 2.2.5 regression with suspend-resume while parsing
1215 #165 #168 Autotools: Fix docbook-related configure syntax error
1216 #166 Autotools: Avoid grep option `-q` for Solaris
1218 ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation"
1222 #181 Autotools: Drop -rpath option passed to libtool
1230 #176 CMake: Create the same pkg-config file as with GNU Autotools
1234 #180 Windows: Fix compilation of test suite for Visual Studio 2008
1257 #8 If the parser runs out of memory, make sure its internal
1263 #137 #138 Fix a case of mistakenly reported parsing success where
1270 #106 xmlwf: Add argument -N adding notation declarations
1276 #33 #132 tests: Mass-fix compilation for XML_UNICODE_WCHAR_T
1280 Windows or MinGW for 2-byte wchar_t
1285 #153 #155 Improve docbook2x-man detection
1303 #115 Fix copying of partial characters for UTF-8 input
1306 #109 Fix "make check" for non-x86 architectures that default
1307 to unsigned type char (-128..127 rather than 0..255)
1308 #109 coverage.sh: Cover -funsigned-char
1309 Autotools: Introduce --without-xmlwf argument
1311 #43 CMake: Auto-detect high quality entropy extractors, add new
1312 option USE_libbsd=ON to use arc4random_buf of libbsd
1313 #74 CMake: Add -fno-strict-aliasing only where supported
1315 #114 CMake: Compile man page if docbook2x-man is available, only
1317 (required for "make run-xmltest")
1331 #82 CVE-2017-11742 -- Windows: Fix DLL hijacking vulnerability
1332 using Steve Holme's LoadLibrary wrapper for/of cURL
1342 #81 Pre-10.7/Lion macOS: Support entropy from arc4random
1343 #86 Check that a UTF-16 encoding in an XML declaration has the
1347 provider of high quality entropy
1349 Ensure that user-defined character encodings have converter
1351 Fix misleading description of argument -c in xmlwf.1
1354 #100 Fix use of SIPHASH_MAIN in siphash.h
1371 #43 Protect against compilation without any source of high
1372 quality entropy enabled, e.g. with CMake build system;
1375 Unintended use of LoadLibraryW with a non-wide string
1377 in quality of used entropy when compiled with _UNICODE for
1380 quality of entropy used during runtime; commits
1383 [MOX-006] Fix non-NULL parser parameter validation in XML_Parse;
1388 #69 Fix improper use of unsigned long long integer literals
1395 #51 Address lack of stdint.h in Visual Studio 2003 to 2008
1398 of Dash for /bin/sh
1399 #72 CMake: Ease use of Expat in context of a parent project
1402 #76 Address compile warning with -DNDEBUG (not recommended!)
1421 CVE-2017-9233 -- External entity infinite loop DoS
1422 Details: https://libexpat.github.io/doc/cve-2017-9233/
1424 [MOX-002] CVE-2016-9063 -- Detect integer overflow; commit
1426 (Fixed version of existing downstream patches!)
1427 (SF.net) #539 Fix regression from fix to CVE-2016-0718 cutting off
1435 [MOX-002] Detect overflow from len=INT_MAX call to XML_Parse; commits
1438 [MOX-005] #30 Use high quality entropy for hash initialization:
1440 (when configured with --with-libbsd), CloudABI
1443 In a way, that's still part of CVE-2016-5300.
1445 [MOX-005] For the low quality entropy extraction fallback code,
1448 [MOX-003] Prevent use of uninitialised variable; commit
1449 [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b
1452 [MOX-006] * NULL checks; commits
1457 [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f
1458 [MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash
1459 to go further with fixing CVE-2012-0876.
1463 #32 Fix sharing of hash salt across parsers;
1466 #28 xmlwf: Auto-disable use of memory-mapping (and parsing
1468 rather than failing with error "out of memory"
1473 found by Google's OSS-Fuzz; commits
1480 for runtime debugging of entropy extraction
1484 #33 Reject use of XML_UNICODE_WCHAR_T with sizeof(wchar_t) != 2;
1486 of Windows; 4-byte wchar_t is common on Linux
1487 (SF.net) #538 Start using -fno-strict-aliasing
1488 (SF.net) #540 Support compilation against cloudlibc of CloudABI
1489 Allow MinGW cross-compilation
1491 to bypass compilation of the xmlwf.1 man page
1493 to bypass installation of expat files
1495 Autotools: Add parameters --enable-xml-context [COUNT]
1496 and --disable-xml-context; default of context of 1024
1504 * Pre-X Mac OS (MPW Makefile)
1505 If you happen to rely on some of these, please get in
1508 #13 Fix "make run-xmltest" order instability
1516 #1 Re-create http://libexpat.org/ project website
1536 #537 CVE-2016-0718 -- Fix crash on malformed input
1537 CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
1538 CVE-2015-2716 introduced with Expat 2.1.1
1539 #499 CVE-2016-5300 -- Use more entropy for hash initialization
1540 than the original fix to CVE-2012-0876
1541 #519 CVE-2012-6702 -- Resolve troublesome internal call to srand
1543 when addressing CVE-2012-0876 (issue #496)
1546 Fix uninitialized reads of size 1
1548 Fix detection of UTF-8 character boundaries
1552 Autotools: Resolve use of "$<" to better support bmake
1555 Autotools: Fix "make run-xmltest"
1556 Autotools: Have "make run-xmltest" check for expected output
1558 #536 CMake: Add soversion, support -DNO_SONAME=yes to bypass
1564 -fvisibility=hidden
1566 Resolve COMPILED_FROM_DSP in favor of WIN32
1585 #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer
1590 Output of "xmlwf -h" was incomplete
1593 #503: Document behavior of calling XML_SetHashSalt with salt 0
1596 libtool now invoked with --verbose
1599 - Security fixes:
1600 #2958794: CVE-2012-1148 - Memory leak in poolGrow.
1601 #2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
1602 #3496608: CVE-2012-0876 - Hash DOS attack.
1603 #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
1604 #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
1605 - Bug Fixes:
1607 #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
1609 Build modifications using autoreconf instead of buildconf.sh.
1611 #2517938: xmlwf should return non-zero exit status if not well-formed.
1617 #3287849: make check fails on mingw-w64.
1618 - Patches:
1619 #1749198: pkg-config support.
1623 - New Features / API changes:
1625 value (salt) for hash calculations. This is part of the fix for
1632 Added run-benchmark target to Makefile.in - relies on testdata module
1636 - Fixed bugs #1515266, #1515600: The character data handler's calling
1637 of XML_StopParser() was not handled properly; if the parser was
1639 - Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed
1641 - Minor cleanups of the test harness.
1642 - Fixed xmlwf bug #1513566: "out of memory" error on file size zero.
1643 - Fixed outline.c bug #1543233: missing a final XML_ParserFree() call.
1644 - Fixes and improvements for Windows platform:
1646 - Build fixes for various platforms:
1647 HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180.
1650 without relying on GNU-Make specific features.
1652 - Fixes to Makefile.in to have make check work correctly:
1654 - Added Open Watcom support: patch #1523242.
1657 - We no longer use the "check" library for C unit testing; we
1658 always use the (partial) internal implementation of the API.
1659 - Report XML_NS setting via XML_GetFeatureList().
1660 - Fixed headers for use from C++.
1661 - XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber()
1663 - Added XML_LARGE_SIZE switch to enable 64-bit integers for
1665 - Updated to use libtool 1.5.22 (the most recent).
1666 - Added support for AmigaOS.
1667 - Some mostly minor bug fixes. SF issues include: #1006708,
1671 - Major new feature: suspend/resume. Handlers can now request
1675 - Some mostly minor bug fixes, but compilation should no
1681 - Fixed enum XML_Status issue (reported on SourceForge many
1683 - Introduced an XMLCALL macro to control the calling
1685 to annotate prototypes and definitions of callback
1688 - Improved ability to build without the configure-generated
1691 - Fixed a variety of bugs: see SF issues #458907, #609603,
1694 - Improved hash table lookups.
1695 - Added more regression tests and improved documentation.
1698 - Added XML_FreeContentModel().
1699 - Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree().
1700 - Fixed a variety of bugs: see SF issues #615606, #616863,
1702 - Enhanced the regression test suite.
1703 - Man page improvements: includes SF issue #632146.
1706 - Added XML_UseForeignDTD() for improved SAX2 support.
1707 - Added XML_GetFeatureList().
1708 - Defined XML_Bool type and the values XML_TRUE and XML_FALSE.
1709 - Use an incomplete struct instead of a void* for the parser
1711 - Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected.
1712 - Finally fixed bug where default handler would report DTD
1715 - Removed unnecessary DllMain() function that caused static
1717 - Added VC++ projects for building static libraries.
1718 - Reduced line-length for all source code and headers to be
1720 - Reduced memory copying during parsing (SF patch #600964).
1721 - Fixed a variety of bugs: see SF issues #580793, #434664,
1726 - Added support for VMS, contributed by Craig Berry. See
1728 - Added Mac OS (classic) support, with a makefile for MPW,
1730 - Added Borland C++ Builder 5 / BCC 5.5 support, contributed
1732 - Fixed a variety of bugs: see SF issues #441449, #563184,
1734 - Made skippedEntityHandler conform to SAX2 (see source comment)
1735 - Re-implemented WFC: Entity Declared from XML 1.0 spec and
1738 - Re-implemented section 5.1 from XML 1.0 spec:
1742 - Added a project to the MSVC workspace to create a wchar_t
1743 version of the library; the DLLs are named libexpatw.dll.
1744 - Changed the name of the Windows DLLs from expat.dll to
1746 - Added the XML_ParserReset() API function.
1747 - Fixed XML_SetReturnNSTriplet() to work for element names.
1748 - Made the XML_UNICODE builds usable (thanks, Karl!).
1749 - Allow xmlwf to read from standard input.
1750 - Install a man page for xmlwf on Unix systems.
1751 - Fixed many bugs; see SF bug reports #231864, #461380, #464837,
1754 have been fixed, especially in the area of build support.
1757 - More changes to make MSVC happy with the build; add a single
1759 - Added a Windows installer for Windows users; includes
1761 - Added compile-time constants that can be used to determine the
1763 - Removed a lot of GNU-specific dependencies to aid portability
1765 - Fix the UTF-8 BOM bug.
1766 - Cleaned up warning messages for several compilers.
1767 - Added the -Wall, -Wstrict-prototypes options for GCC.
1770 - Changes to get expat to build under Microsoft compiler
1771 - Removed all aborts and instead return an UNEXPECTED_STATE error.
1772 - Fixed a bug where a stray '%' in an entity value would cause an
1774 - Defined XML_SetEndNamespaceDeclHandler. Thanks to Darryl Miles for
1776 - Changed default patterns in lib/Makefile.in to fit non-GNU makes
1779 - The reference had the wrong label for XML_SetStartNamespaceDecl.
1783 - XML_ParserCreate_MM
1786 - XML_SetReturnNSTriplet
1791 - Merged in features from perl-expat
1800 o XML_GetInputContext for getting the input context of
1802 - Added reference material
1803 - Packaged into a distribution that builds a sharable library