Lines Matching +full:hall +full:- +full:enable
14 !! - <blink>fixing a complex non-public security issue</blink>, !!
15 !! - teaming up on researching and fixing future security reports and !!
16 !! ClusterFuzz findings with few-days-max response times in communication !!
19 !! - implementing and auto-testing XML 1.0r5 support !!
21 !! - smart ideas on fixing the Autotools CMake files generation issue !!
23 !! - the Windows binaries topic (needs requirements engineering first), !!
24 !! - pushing migration from `int` to `size_t` further !!
25 !! including edge-cases test coverage (needs discussion before anything). !!
27 !! For details, please reach out via e-mail to sebastian@pipping.org so we !!
30 !! THANK YOU! Sebastian Pipping -- Berlin, 2024-03-09 !!
35 #887 #890 CVE-2024-45490 -- Calling function XML_ParseBuffer with
44 #888 #891 CVE-2024-45491 -- Internal function dtdCopy can have an
45 integer overflow for nDefaultAtts on 32-bit platforms
49 #889 #892 CVE-2024-45492 -- Internal function nextScaffoldPart can
50 have an integer overflow for m_groupSize on 32-bit
60 #869 Autotools: Support non-GNU sed
83 Dag-Erling Smørgrav
89 #839 #842 CVE-2024-28757 -- Prevent billion laughs attacks with
110 OSS-Fuzz / ClusterFuzz
119 #829 Hide test-only code behind new internal macro
122 ./configure --without-docbook && make clean all
129 #818 CI: Adapt to breaking changes in clang-format
132 David Hall
137 #789 #814 CVE-2023-52425 -- Fix quadratic runtime issues with big tokens
140 that parsed a document in one go -- a single call to
141 functions XML_Parse or XML_ParseBuffer -- were not affected.
147 #777 CVE-2023-52426 -- Fix billion laughs attacks for users
150 Expat >=2.4.0 (and that was CVE-2013-0340 back then).
153 #753 Fix parse-size-dependent "invalid token" error for
163 #761 #770 xmlwf: Support --help and --version
169 #726 #727 Autotools: configure.ac: Support --disable-maintainer-mode
174 #815 Autotools|CMake: Add missing -DXML_STATIC to pkg-config file
176 against static libexpat using pkg-config on Windows
178 (a de-facto requirement already since Expat 2.2.2 of 2017)
186 a build with -DEXPAT_BUILD_TESTS=ON
200 #798 #800 Address clang-tidy warnings
207 #766 docs: Improve parse buffer variables in-code documentation
218 #367 #799 Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests
224 #798 CI: Enforce clang-tidy clean code
246 OSS-Fuzz
251 #616 #649 #650 CVE-2022-43680 -- Fix heap use-after-free after overeager
253 XML_ExternalEntityParserCreate in out-of-memory situations.
264 #656 CMake: Fix generation of pkg-config file
285 #629 #640 CVE-2022-40674 -- Heap use-after-free vulnerability in
290 #634 MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0
295 #638 MinGW: Make fix-xmltest-log.sh drop more Wine bug output
300 #597 #599 Windows|CMake: Add missing -DXML_STATIC to test runners
303 linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON
306 i.e. produce libexpat-1.dll rather than libexpat.dll
309 toolchain file "cmake/mingw-toolchain.cmake" to avoid
316 #644 Resolve use of deprecated "fgrep" by "grep -F"
320 #594 xmlwf: Fix harmless variable mix-up in function nsattcmp
331 #637 apply-clang-format.sh: Add support for BSD find
333 #635 coverage.sh: Fix name collision for -funsigned-char
348 #587 pkg-config: Move "-lm" to section "Libs.private"
349 #587 CMake|MSVC: Fix pkg-config section "Libs"
351 "-compatibility_version <version>" and
352 "-current_version <version>" in a way compatible with
367 #572 #577 Relax fix to CVE-2022-25236 (introduced with release 2.4.5)
371 0123456789 % -._~ :/?#[]@ !$&'()*+,;=
401 #566 Fix a regression introduced by the fix for CVE-2022-25313
421 #562 CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
425 on how invalid UTF-8 is handled inside the XML
428 #561 CVE-2022-25236 -- Passing (one or more) namespace separator
436 #558 CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
441 #560 CVE-2022-25314 -- Fix integer overflow in function copyString;
444 takes a value in the gigabytes to trigger, and a 64-bit
446 #559 CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
447 needs input in the gigabytes and a 64-bit machine.
464 #550 CVE-2022-23852 -- Fix signed integer overflow
470 #551 CVE-2022-23990 -- Fix unsigned integer overflow in function
496 #531 #534 CVE-2021-45960 -- Fix issues with left shifts by >=29 places
506 (which needs argument "-n" when running xmlwf).
508 #532 #538 CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
512 #539 CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
515 - CVE-2022-22822 for function addBinding
516 - CVE-2022-22823 for function build_model
517 - CVE-2022-22824 for function defineAttribute
518 - CVE-2022-22825 for function lookup
519 - CVE-2022-22826 for function nextScaffoldPart
520 - CVE-2022-22827 for function storeAtts
533 #529 #539 CI: Cover compilation with -m32
551 - buildconf.sh
552 - fuzz/*.c
554 #495 #524 CMake: MinGW: Fix pkg-config section "Libs" for
555 - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug)
556 - multi-config CMake generators (e.g. Ninja Multi-Config)
583 #34 #466 #484 CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
584 (denial-of-service; flavors targeting CPU time or RAM or both,
592 - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to
594 - Two new API functions ..
595 - XML_SetBillionLaughsAttackProtectionMaximumAmplification and
596 - XML_SetBillionLaughsAttackProtectionActivationThreshold
599 If you ever need to increase the defaults for non-attack XML
601 - Two new XML_FEATURE_* constants ..
602 - that can be queried using the XML_GetFeatureList function, and
603 - that are shown in "xmlwf -v" output.
604 - Two new environment variable switches ..
605 - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and
606 - EXPAT_ENTITY_DEBUG=(0|1)
609 - Two new command line arguments "-a FACTOR" and "-b BYTES"
612 If you ever need to increase the defaults for non-attack XML
616 #332 #470 For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake)
617 or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault
618 for UTF-16 payloads containing CDATA sections.
619 #485 #486 Autotools: Fix generated CMake files for non-64bit and
620 non-Linux platforms (e.g. macOS and MinGW in particular)
642 #456 CI: Enable periodic runs
645 #476 #482 CI: Adapt to breaking changes in image "ubuntu-18.04"
646 #477 CI: Cover well-formedness and DocBook/XHTML validity
659 OSS-Fuzz
670 - malformed input files (documented) and
671 - invalid command-line arguments (undocumented).
672 The case of invalid command-line arguments now
676 #439 xmlwf: Add argument -k to allow continuing after
677 non-fatal errors
678 #439 xmlwf: Add section about exit status to the -h help output
682 #382 #428 testrunner: Make verbose mode (argument "-v") report
687 #448 Document use of libexpat from a CMake-based project
723 when used with "-d DIRECTORY"
725 #383 #392 Autotools: Use -Werror while configure tests the compiler
731 on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
733 involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
734 #360 CMake: Install pre-compiled shipped xmlwf.1 manpage in case
735 of -DEXPAT_BUILD_DOCS=OFF
740 #385 CMake: Fix compilation with -DEXPAT_SHARED_LIBS=OFF for
742 CMake: Expose man page compilation as target "xmlwf-manpage"
744 to control generation of pkg-config file "expat.pc"
747 #366 CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with
748 default OFF to build fuzzer code against OSS-Fuzz and
750 #354 Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF, each
778 case-insensitive file systems on Windows and the fact that
788 #317 #318 CVE-2019-15903 -- Fix heap overflow triggered by
796 #341 xmlwf: Fix exit code for operation without "-d DIRECTORY";
797 previously, only "-d DIRECTORY" would give you a proper
799 # xmlwf -d . <<<'<not well-formed>' 2>/dev/null ; echo $?
801 # xmlwf <<<'<not well-formed>' 2>/dev/null ; echo $?
816 CMake, e.g.: cmake -G"Visual Studio 15 2017" .
817 #338 xmlwf: Make "xmlwf -h" help output more friendly
819 #244 #264 Autotools: Add argument --enable-xml-attr-info
821 --with-getrandom
822 --without-getrandom
823 --with-sys-getrandom
824 --without-sys-getrandom
826 Autotools: Fix "make run-xmltest" for out-of-source builds
829 - BUILD_doc -> EXPAT_BUILD_DOCS (plural)
830 - BUILD_examples -> EXPAT_BUILD_EXAMPLES
831 - BUILD_shared -> EXPAT_SHARED_LIBS
832 - BUILD_tests -> EXPAT_BUILD_TESTS
833 - BUILD_tools -> EXPAT_BUILD_TOOLS
834 - DOCBOOK_TO_MAN -> DOCBOOK_TO_MAN (unchanged)
835 - INSTALL -> EXPAT_ENABLE_INSTALL
836 - MSVC_USE_STATIC_CRT -> EXPAT_MSVC_STATIC_CRT
837 - USE_libbsd -> EXPAT_WITH_LIBBSD
838 - WARNINGS_AS_ERRORS -> EXPAT_WARNINGS_AS_ERRORS
839 - XML_CONTEXT_BYTES -> EXPAT_CONTEXT_BYTES
840 - XML_DEV_URANDOM -> EXPAT_DEV_URANDOM
841 - XML_DTD -> EXPAT_DTD
842 - XML_NS -> EXPAT_NS
843 - XML_UNICODE -> EXPAT_CHAR_TYPE=ushort (!)
844 - XML_UNICODE_WCHAR_T -> EXPAT_CHAR_TYPE=wchar_t (!)
845 #244 #264 CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF),
847 #326 CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF),
849 #328 CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF),
852 -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO
853 -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO
860 i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON)
862 #330 CMake: Add full support for MinGW; to enable, use
863 -DCMAKE_TOOLCHAIN_FILE=[expat]/cmake/mingw-toolchain.cmake
864 #330 CMake: Port "make run-xmltest" from GNU Autotools to CMake
869 #308 CMake: Integrate OSS-Fuzz fuzzers, option
870 -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF
878 #24 #293 Mass-apply clang-format 9 (and ensure conformance during CI)
894 #186 #262 CVE-2018-20843 -- Fix extraction of namespace prefixes from
898 use for denial-of-service attacks
901 #195 #197 Autotools/CMake: Utilize -fvisibility=hidden to stop
902 exporting non-API symbols
903 #227 Autotools: Add --without-examples and --without-tests
905 #245 #246 Autotools: Fix check for -fvisibility=hidden for Clang
906 #247 #248 Autotools: Fix compilation for lack of docbook2x-man
930 #204 #205 Fix 2.2.5 regression with suspend-resume while parsing
934 #165 #168 Autotools: Fix docbook-related configure syntax error
935 #166 Autotools: Avoid grep option `-q` for Solaris
937 ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation"
941 #181 Autotools: Drop -rpath option passed to libtool
949 #176 CMake: Create the same pkg-config file as with GNU Autotools
989 #106 xmlwf: Add argument -N adding notation declarations
995 #33 #132 tests: Mass-fix compilation for XML_UNICODE_WCHAR_T
999 Windows or MinGW for 2-byte wchar_t
1004 #153 #155 Improve docbook2x-man detection
1022 #115 Fix copying of partial characters for UTF-8 input
1025 #109 Fix "make check" for non-x86 architectures that default
1026 to unsigned type char (-128..127 rather than 0..255)
1027 #109 coverage.sh: Cover -funsigned-char
1028 Autotools: Introduce --without-xmlwf argument
1030 #43 CMake: Auto-detect high quality entropy extractors, add new
1032 #74 CMake: Add -fno-strict-aliasing only where supported
1034 #114 CMake: Compile man page if docbook2x-man is available, only
1036 (required for "make run-xmltest")
1050 #82 CVE-2017-11742 -- Windows: Fix DLL hijacking vulnerability
1061 #81 Pre-10.7/Lion macOS: Support entropy from arc4random
1062 #86 Check that a UTF-16 encoding in an XML declaration has the
1068 Ensure that user-defined character encodings have converter
1070 Fix mis-leading description of argument -c in xmlwf.1
1094 Unintended use of LoadLibraryW with a non-wide string
1102 [MOX-006] Fix non-NULL parser parameter validation in XML_Parse;
1121 #76 Address compile warning with -DNDEBUG (not recommended!)
1140 CVE-2017-9233 -- External entity infinite loop DoS
1141 Details: https://libexpat.github.io/doc/cve-2017-9233/
1143 [MOX-002] CVE-2016-9063 -- Detect integer overflow; commit
1146 (SF.net) #539 Fix regression from fix to CVE-2016-0718 cutting off
1154 [MOX-002] Detect overflow from len=INT_MAX call to XML_Parse; commits
1157 [MOX-005] #30 Use high quality entropy for hash initialization:
1159 (when configured with --with-libbsd), CloudABI
1162 In a way, that's still part of CVE-2016-5300.
1164 [MOX-005] For the low quality entropy extraction fallback code,
1167 [MOX-003] Prevent use of uninitialised variable; commit
1168 [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b
1171 [MOX-006] * NULL checks; commits
1176 [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f
1177 [MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash
1178 to go further with fixing CVE-2012-0876.
1185 #28 xmlwf: Auto-disable use of memory-mapping (and parsing
1192 found by Google's OSS-Fuzz; commits
1205 of Windows; 4-byte wchar_t is common on Linux
1206 (SF.net) #538 Start using -fno-strict-aliasing
1208 Allow MinGW cross-compilation
1214 Autotools: Add parameters --enable-xml-context [COUNT]
1215 and --disable-xml-context; default of context of 1024
1223 * Pre-X Mac OS (MPW Makefile)
1227 #13 Fix "make run-xmltest" order instability
1235 #1 Re-create http://libexpat.org/ project website
1255 #537 CVE-2016-0718 -- Fix crash on malformed input
1256 CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
1257 CVE-2015-2716 introduced with Expat 2.1.1
1258 #499 CVE-2016-5300 -- Use more entropy for hash initialization
1259 than the original fix to CVE-2012-0876
1260 #519 CVE-2012-6702 -- Resolve troublesome internal call to srand
1262 when addressing CVE-2012-0876 (issue #496)
1267 Fix detection of UTF-8 character boundaries
1274 Autotools: Fix "make run-xmltest"
1275 Autotools: Have "make run-xmltest" check for expected output
1277 #536 CMake: Add soversion, support -DNO_SONAME=yes to bypass
1283 -fvisibility=hidden
1304 #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer
1309 Output of "xmlwf -h" was incomplete
1315 libtool now invoked with --verbose
1318 - Security fixes:
1319 #2958794: CVE-2012-1148 - Memory leak in poolGrow.
1320 #2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
1321 #3496608: CVE-2012-0876 - Hash DOS attack.
1322 #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
1323 #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
1324 - Bug Fixes:
1326 #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
1330 #2517938: xmlwf should return non-zero exit status if not well-formed.
1336 #3287849: make check fails on mingw-w64.
1337 - Patches:
1338 #1749198: pkg-config support.
1342 - New Features / API changes:
1351 Added run-benchmark target to Makefile.in - relies on testdata module
1355 - Fixed bugs #1515266, #1515600: The character data handler's calling
1358 - Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed
1360 - Minor cleanups of the test harness.
1361 - Fixed xmlwf bug #1513566: "out of memory" error on file size zero.
1362 - Fixed outline.c bug #1543233: missing a final XML_ParserFree() call.
1363 - Fixes and improvements for Windows platform:
1365 - Build fixes for various platforms:
1366 HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180.
1369 without relying on GNU-Make specific features.
1371 - Fixes to Makefile.in to have make check work correctly:
1373 - Added Open Watcom support: patch #1523242.
1376 - We no longer use the "check" library for C unit testing; we
1378 - Report XML_NS setting via XML_GetFeatureList().
1379 - Fixed headers for use from C++.
1380 - XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber()
1382 - Added XML_LARGE_SIZE switch to enable 64-bit integers for
1384 - Updated to use libtool 1.5.22 (the most recent).
1385 - Added support for AmigaOS.
1386 - Some mostly minor bug fixes. SF issues include: #1006708,
1390 - Major new feature: suspend/resume. Handlers can now request
1394 - Some mostly minor bug fixes, but compilation should no
1400 - Fixed enum XML_Status issue (reported on SourceForge many
1402 - Introduced an XMLCALL macro to control the calling
1407 - Improved ability to build without the configure-generated
1410 - Fixed a variety of bugs: see SF issues #458907, #609603,
1413 - Improved hash table lookups.
1414 - Added more regression tests and improved documentation.
1417 - Added XML_FreeContentModel().
1418 - Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree().
1419 - Fixed a variety of bugs: see SF issues #615606, #616863,
1421 - Enhanced the regression test suite.
1422 - Man page improvements: includes SF issue #632146.
1425 - Added XML_UseForeignDTD() for improved SAX2 support.
1426 - Added XML_GetFeatureList().
1427 - Defined XML_Bool type and the values XML_TRUE and XML_FALSE.
1428 - Use an incomplete struct instead of a void* for the parser
1430 - Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected.
1431 - Finally fixed bug where default handler would report DTD
1434 - Removed unnecessary DllMain() function that caused static
1436 - Added VC++ projects for building static libraries.
1437 - Reduced line-length for all source code and headers to be
1439 - Reduced memory copying during parsing (SF patch #600964).
1440 - Fixed a variety of bugs: see SF issues #580793, #434664,
1445 - Added support for VMS, contributed by Craig Berry. See
1447 - Added Mac OS (classic) support, with a makefile for MPW,
1449 - Added Borland C++ Builder 5 / BCC 5.5 support, contributed
1451 - Fixed a variety of bugs: see SF issues #441449, #563184,
1453 - Made skippedEntityHandler conform to SAX2 (see source comment)
1454 - Re-implemented WFC: Entity Declared from XML 1.0 spec and
1457 - Re-implemented section 5.1 from XML 1.0 spec:
1461 - Added a project to the MSVC workspace to create a wchar_t
1463 - Changed the name of the Windows DLLs from expat.dll to
1465 - Added the XML_ParserReset() API function.
1466 - Fixed XML_SetReturnNSTriplet() to work for element names.
1467 - Made the XML_UNICODE builds usable (thanks, Karl!).
1468 - Allow xmlwf to read from standard input.
1469 - Install a man page for xmlwf on Unix systems.
1470 - Fixed many bugs; see SF bug reports #231864, #461380, #464837,
1476 - More changes to make MSVC happy with the build; add a single
1478 - Added a Windows installer for Windows users; includes
1480 - Added compile-time constants that can be used to determine the
1482 - Removed a lot of GNU-specific dependencies to aide portability
1484 - Fix the UTF-8 BOM bug.
1485 - Cleaned up warning messages for several compilers.
1486 - Added the -Wall, -Wstrict-prototypes options for GCC.
1489 - Changes to get expat to build under Microsoft compiler
1490 - Removed all aborts and instead return an UNEXPECTED_STATE error.
1491 - Fixed a bug where a stray '%' in an entity value would cause an
1493 - Defined XML_SetEndNamespaceDeclHandler. Thanks to Darryl Miles for
1495 - Changed default patterns in lib/Makefile.in to fit non-GNU makes
1498 - The reference had the wrong label for XML_SetStartNamespaceDecl.
1502 - XML_ParserCreate_MM
1505 - XML_SetReturnNSTriplet
1510 - Merged in features from perl-expat
1521 - Added reference material
1522 - Packaged into a distribution that builds a sharable library