Lines Matching +full:hall +full:- +full:switch +full:-
14 !! - <blink>fixing a complex non-public security issue</blink>, !!
15 !! - teaming up on researching and fixing future security reports and !!
16 !! ClusterFuzz findings with few-days-max response times in communication !!
19 !! - implementing and auto-testing XML 1.0r5 support !!
21 !! - smart ideas on fixing the Autotools CMake files generation issue !!
23 !! - the Windows binaries topic (needs requirements engineering first), !!
24 !! - pushing migration from `int` to `size_t` further !!
25 !! including edge-cases test coverage (needs discussion before anything). !!
27 !! For details, please reach out via e-mail to sebastian@pipping.org so we !!
30 !! THANK YOU! Sebastian Pipping -- Berlin, 2024-03-09 !!
35 #915 CVE-2024-50602 -- Fix crash within function XML_ResumeParser
39 properly communicate this situation. // CWE-476 CWE-754
47 #317 #918 tests: Improve tests on doctype closing (ex CVE-2019-15903)
55 #913 CI: Drop macos-12 and add macos-15
66 #887 #890 CVE-2024-45490 -- Calling function XML_ParseBuffer with
75 #888 #891 CVE-2024-45491 -- Internal function dtdCopy can have an
76 integer overflow for nDefaultAtts on 32-bit platforms
80 #889 #892 CVE-2024-45492 -- Internal function nextScaffoldPart can
81 have an integer overflow for m_groupSize on 32-bit
91 #869 Autotools: Support non-GNU sed
114 Dag-Erling Smørgrav
120 #839 #842 CVE-2024-28757 -- Prevent billion laughs attacks with
141 OSS-Fuzz / ClusterFuzz
150 #829 Hide test-only code behind new internal macro
153 ./configure --without-docbook && make clean all
160 #818 CI: Adapt to breaking changes in clang-format
163 David Hall
168 #789 #814 CVE-2023-52425 -- Fix quadratic runtime issues with big tokens
171 that parsed a document in one go -- a single call to
172 functions XML_Parse or XML_ParseBuffer -- were not affected.
178 #777 CVE-2023-52426 -- Fix billion laughs attacks for users
181 Expat >=2.4.0 (and that was CVE-2013-0340 back then).
184 #753 Fix parse-size-dependent "invalid token" error for
194 #761 #770 xmlwf: Support --help and --version
200 #726 #727 Autotools: configure.ac: Support --disable-maintainer-mode
205 #815 Autotools|CMake: Add missing -DXML_STATIC to pkg-config file
207 against static libexpat using pkg-config on Windows
209 (a de-facto requirement already since Expat 2.2.2 of 2017)
217 a build with -DEXPAT_BUILD_TESTS=ON
231 #798 #800 Address clang-tidy warnings
238 #766 docs: Improve parse buffer variables in-code documentation
249 #367 #799 Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests
255 #798 CI: Enforce clang-tidy clean code
277 OSS-Fuzz
282 #616 #649 #650 CVE-2022-43680 -- Fix heap use-after-free after overeager
284 XML_ExternalEntityParserCreate in out-of-memory situations.
295 #656 CMake: Fix generation of pkg-config file
316 #629 #640 CVE-2022-40674 -- Heap use-after-free vulnerability in
321 #634 MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0
322 #614 docs: Fix documentation on effect of switch XML_DTD on
326 #638 MinGW: Make fix-xmltest-log.sh drop more Wine bug output
331 #597 #599 Windows|CMake: Add missing -DXML_STATIC to test runners
334 linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON
337 i.e. produce libexpat-1.dll rather than libexpat.dll
340 toolchain file "cmake/mingw-toolchain.cmake" to avoid
347 #644 Resolve use of deprecated "fgrep" by "grep -F"
351 #594 xmlwf: Fix harmless variable mix-up in function nsattcmp
362 #637 apply-clang-format.sh: Add support for BSD find
364 #635 coverage.sh: Fix name collision for -funsigned-char
379 #587 pkg-config: Move "-lm" to section "Libs.private"
380 #587 CMake|MSVC: Fix pkg-config section "Libs"
382 "-compatibility_version <version>" and
383 "-current_version <version>" in a way compatible with
398 #572 #577 Relax fix to CVE-2022-25236 (introduced with release 2.4.5)
402 0123456789 % -._~ :/?#[]@ !$&'()*+,;=
432 #566 Fix a regression introduced by the fix for CVE-2022-25313
452 #562 CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
456 on how invalid UTF-8 is handled inside the XML
459 #561 CVE-2022-25236 -- Passing (one or more) namespace separator
467 #558 CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
472 #560 CVE-2022-25314 -- Fix integer overflow in function copyString;
475 takes a value in the gigabytes to trigger, and a 64-bit
477 #559 CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
478 needs input in the gigabytes and a 64-bit machine.
495 #550 CVE-2022-23852 -- Fix signed integer overflow
501 #551 CVE-2022-23990 -- Fix unsigned integer overflow in function
527 #531 #534 CVE-2021-45960 -- Fix issues with left shifts by >=29 places
537 (which needs argument "-n" when running xmlwf).
539 #532 #538 CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
543 #539 CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
546 - CVE-2022-22822 for function addBinding
547 - CVE-2022-22823 for function build_model
548 - CVE-2022-22824 for function defineAttribute
549 - CVE-2022-22825 for function lookup
550 - CVE-2022-22826 for function nextScaffoldPart
551 - CVE-2022-22827 for function storeAtts
564 #529 #539 CI: Cover compilation with -m32
582 - buildconf.sh
583 - fuzz/*.c
585 #495 #524 CMake: MinGW: Fix pkg-config section "Libs" for
586 - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug)
587 - multi-config CMake generators (e.g. Ninja Multi-Config)
614 #34 #466 #484 CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
615 (denial-of-service; flavors targeting CPU time or RAM or both,
623 - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to
625 - Two new API functions ..
626 - XML_SetBillionLaughsAttackProtectionMaximumAmplification and
627 - XML_SetBillionLaughsAttackProtectionActivationThreshold
630 If you ever need to increase the defaults for non-attack XML
632 - Two new XML_FEATURE_* constants ..
633 - that can be queried using the XML_GetFeatureList function, and
634 - that are shown in "xmlwf -v" output.
635 - Two new environment variable switches ..
636 - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and
637 - EXPAT_ENTITY_DEBUG=(0|1)
640 - Two new command line arguments "-a FACTOR" and "-b BYTES"
643 If you ever need to increase the defaults for non-attack XML
647 #332 #470 For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake)
648 or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault
649 for UTF-16 payloads containing CDATA sections.
650 #485 #486 Autotools: Fix generated CMake files for non-64bit and
651 non-Linux platforms (e.g. macOS and MinGW in particular)
676 #476 #482 CI: Adapt to breaking changes in image "ubuntu-18.04"
677 #477 CI: Cover well-formedness and DocBook/XHTML validity
690 OSS-Fuzz
701 - malformed input files (documented) and
702 - invalid command-line arguments (undocumented).
703 The case of invalid command-line arguments now
707 #439 xmlwf: Add argument -k to allow continuing after
708 non-fatal errors
709 #439 xmlwf: Add section about exit status to the -h help output
713 #382 #428 testrunner: Make verbose mode (argument "-v") report
718 #448 Document use of libexpat from a CMake-based project
754 when used with "-d DIRECTORY"
756 #383 #392 Autotools: Use -Werror while configure tests the compiler
762 on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
764 involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
765 #360 CMake: Install pre-compiled shipped xmlwf.1 manpage in case
766 of -DEXPAT_BUILD_DOCS=OFF
771 #385 CMake: Fix compilation with -DEXPAT_SHARED_LIBS=OFF for
773 CMake: Expose man page compilation as target "xmlwf-manpage"
775 to control generation of pkg-config file "expat.pc"
778 #366 CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with
779 default OFF to build fuzzer code against OSS-Fuzz and
781 #354 Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF, each
809 case-insensitive file systems on Windows and the fact that
819 #317 #318 CVE-2019-15903 -- Fix heap overflow triggered by
827 #341 xmlwf: Fix exit code for operation without "-d DIRECTORY";
828 previously, only "-d DIRECTORY" would give you a proper
830 # xmlwf -d . <<<'<not well-formed>' 2>/dev/null ; echo $?
832 # xmlwf <<<'<not well-formed>' 2>/dev/null ; echo $?
847 CMake, e.g.: cmake -G"Visual Studio 15 2017" .
848 #338 xmlwf: Make "xmlwf -h" help output more friendly
850 #244 #264 Autotools: Add argument --enable-xml-attr-info
852 --with-getrandom
853 --without-getrandom
854 --with-sys-getrandom
855 --without-sys-getrandom
857 Autotools: Fix "make run-xmltest" for out-of-source builds
860 - BUILD_doc -> EXPAT_BUILD_DOCS (plural)
861 - BUILD_examples -> EXPAT_BUILD_EXAMPLES
862 - BUILD_shared -> EXPAT_SHARED_LIBS
863 - BUILD_tests -> EXPAT_BUILD_TESTS
864 - BUILD_tools -> EXPAT_BUILD_TOOLS
865 - DOCBOOK_TO_MAN -> DOCBOOK_TO_MAN (unchanged)
866 - INSTALL -> EXPAT_ENABLE_INSTALL
867 - MSVC_USE_STATIC_CRT -> EXPAT_MSVC_STATIC_CRT
868 - USE_libbsd -> EXPAT_WITH_LIBBSD
869 - WARNINGS_AS_ERRORS -> EXPAT_WARNINGS_AS_ERRORS
870 - XML_CONTEXT_BYTES -> EXPAT_CONTEXT_BYTES
871 - XML_DEV_URANDOM -> EXPAT_DEV_URANDOM
872 - XML_DTD -> EXPAT_DTD
873 - XML_NS -> EXPAT_NS
874 - XML_UNICODE -> EXPAT_CHAR_TYPE=ushort (!)
875 - XML_UNICODE_WCHAR_T -> EXPAT_CHAR_TYPE=wchar_t (!)
876 #244 #264 CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF),
878 #326 CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF),
880 #328 CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF),
883 -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO
884 -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO
891 i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON)
894 -DCMAKE_TOOLCHAIN_FILE=[expat]/cmake/mingw-toolchain.cmake
895 #330 CMake: Port "make run-xmltest" from GNU Autotools to CMake
900 #308 CMake: Integrate OSS-Fuzz fuzzers, option
901 -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF
909 #24 #293 Mass-apply clang-format 9 (and ensure conformance during CI)
925 #186 #262 CVE-2018-20843 -- Fix extraction of namespace prefixes from
929 use for denial-of-service attacks
932 #195 #197 Autotools/CMake: Utilize -fvisibility=hidden to stop
933 exporting non-API symbols
934 #227 Autotools: Add --without-examples and --without-tests
936 #245 #246 Autotools: Fix check for -fvisibility=hidden for Clang
937 #247 #248 Autotools: Fix compilation for lack of docbook2x-man
961 #204 #205 Fix 2.2.5 regression with suspend-resume while parsing
965 #165 #168 Autotools: Fix docbook-related configure syntax error
966 #166 Autotools: Avoid grep option `-q` for Solaris
968 ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation"
972 #181 Autotools: Drop -rpath option passed to libtool
980 #176 CMake: Create the same pkg-config file as with GNU Autotools
1020 #106 xmlwf: Add argument -N adding notation declarations
1026 #33 #132 tests: Mass-fix compilation for XML_UNICODE_WCHAR_T
1030 Windows or MinGW for 2-byte wchar_t
1034 #6 Resolve superfluous internal malloc/realloc switch
1035 #153 #155 Improve docbook2x-man detection
1053 #115 Fix copying of partial characters for UTF-8 input
1056 #109 Fix "make check" for non-x86 architectures that default
1057 to unsigned type char (-128..127 rather than 0..255)
1058 #109 coverage.sh: Cover -funsigned-char
1059 Autotools: Introduce --without-xmlwf argument
1061 #43 CMake: Auto-detect high quality entropy extractors, add new
1063 #74 CMake: Add -fno-strict-aliasing only where supported
1065 #114 CMake: Compile man page if docbook2x-man is available, only
1067 (required for "make run-xmltest")
1081 #82 CVE-2017-11742 -- Windows: Fix DLL hijacking vulnerability
1092 #81 Pre-10.7/Lion macOS: Support entropy from arc4random
1093 #86 Check that a UTF-16 encoding in an XML declaration has the
1099 Ensure that user-defined character encodings have converter
1101 Fix misleading description of argument -c in xmlwf.1
1125 Unintended use of LoadLibraryW with a non-wide string
1133 [MOX-006] Fix non-NULL parser parameter validation in XML_Parse;
1152 #76 Address compile warning with -DNDEBUG (not recommended!)
1171 CVE-2017-9233 -- External entity infinite loop DoS
1172 Details: https://libexpat.github.io/doc/cve-2017-9233/
1174 [MOX-002] CVE-2016-9063 -- Detect integer overflow; commit
1177 (SF.net) #539 Fix regression from fix to CVE-2016-0718 cutting off
1185 [MOX-002] Detect overflow from len=INT_MAX call to XML_Parse; commits
1188 [MOX-005] #30 Use high quality entropy for hash initialization:
1190 (when configured with --with-libbsd), CloudABI
1193 In a way, that's still part of CVE-2016-5300.
1195 [MOX-005] For the low quality entropy extraction fallback code,
1198 [MOX-003] Prevent use of uninitialised variable; commit
1199 [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b
1202 [MOX-006] * NULL checks; commits
1207 [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f
1208 [MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash
1209 to go further with fixing CVE-2012-0876.
1216 #28 xmlwf: Auto-disable use of memory-mapping (and parsing
1223 found by Google's OSS-Fuzz; commits
1229 #30 Introduced environment switch EXPAT_ENTROPY_DEBUG=1
1236 of Windows; 4-byte wchar_t is common on Linux
1237 (SF.net) #538 Start using -fno-strict-aliasing
1239 Allow MinGW cross-compilation
1245 Autotools: Add parameters --enable-xml-context [COUNT]
1246 and --disable-xml-context; default of context of 1024
1254 * Pre-X Mac OS (MPW Makefile)
1258 #13 Fix "make run-xmltest" order instability
1266 #1 Re-create http://libexpat.org/ project website
1286 #537 CVE-2016-0718 -- Fix crash on malformed input
1287 CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
1288 CVE-2015-2716 introduced with Expat 2.1.1
1289 #499 CVE-2016-5300 -- Use more entropy for hash initialization
1290 than the original fix to CVE-2012-0876
1291 #519 CVE-2012-6702 -- Resolve troublesome internal call to srand
1293 when addressing CVE-2012-0876 (issue #496)
1298 Fix detection of UTF-8 character boundaries
1305 Autotools: Fix "make run-xmltest"
1306 Autotools: Have "make run-xmltest" check for expected output
1308 #536 CMake: Add soversion, support -DNO_SONAME=yes to bypass
1314 -fvisibility=hidden
1335 #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer
1340 Output of "xmlwf -h" was incomplete
1346 libtool now invoked with --verbose
1349 - Security fixes:
1350 #2958794: CVE-2012-1148 - Memory leak in poolGrow.
1351 #2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
1352 #3496608: CVE-2012-0876 - Hash DOS attack.
1353 #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
1354 #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
1355 - Bug Fixes:
1357 #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
1361 #2517938: xmlwf should return non-zero exit status if not well-formed.
1367 #3287849: make check fails on mingw-w64.
1368 - Patches:
1369 #1749198: pkg-config support.
1373 - New Features / API changes:
1382 Added run-benchmark target to Makefile.in - relies on testdata module
1386 - Fixed bugs #1515266, #1515600: The character data handler's calling
1389 - Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed
1391 - Minor cleanups of the test harness.
1392 - Fixed xmlwf bug #1513566: "out of memory" error on file size zero.
1393 - Fixed outline.c bug #1543233: missing a final XML_ParserFree() call.
1394 - Fixes and improvements for Windows platform:
1396 - Build fixes for various platforms:
1397 HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180.
1400 without relying on GNU-Make specific features.
1402 - Fixes to Makefile.in to have make check work correctly:
1404 - Added Open Watcom support: patch #1523242.
1407 - We no longer use the "check" library for C unit testing; we
1409 - Report XML_NS setting via XML_GetFeatureList().
1410 - Fixed headers for use from C++.
1411 - XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber()
1413 - Added XML_LARGE_SIZE switch to enable 64-bit integers for
1415 - Updated to use libtool 1.5.22 (the most recent).
1416 - Added support for AmigaOS.
1417 - Some mostly minor bug fixes. SF issues include: #1006708,
1421 - Major new feature: suspend/resume. Handlers can now request
1425 - Some mostly minor bug fixes, but compilation should no
1431 - Fixed enum XML_Status issue (reported on SourceForge many
1433 - Introduced an XMLCALL macro to control the calling
1438 - Improved ability to build without the configure-generated
1441 - Fixed a variety of bugs: see SF issues #458907, #609603,
1444 - Improved hash table lookups.
1445 - Added more regression tests and improved documentation.
1448 - Added XML_FreeContentModel().
1449 - Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree().
1450 - Fixed a variety of bugs: see SF issues #615606, #616863,
1452 - Enhanced the regression test suite.
1453 - Man page improvements: includes SF issue #632146.
1456 - Added XML_UseForeignDTD() for improved SAX2 support.
1457 - Added XML_GetFeatureList().
1458 - Defined XML_Bool type and the values XML_TRUE and XML_FALSE.
1459 - Use an incomplete struct instead of a void* for the parser
1461 - Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected.
1462 - Finally fixed bug where default handler would report DTD
1465 - Removed unnecessary DllMain() function that caused static
1467 - Added VC++ projects for building static libraries.
1468 - Reduced line-length for all source code and headers to be
1470 - Reduced memory copying during parsing (SF patch #600964).
1471 - Fixed a variety of bugs: see SF issues #580793, #434664,
1476 - Added support for VMS, contributed by Craig Berry. See
1478 - Added Mac OS (classic) support, with a makefile for MPW,
1480 - Added Borland C++ Builder 5 / BCC 5.5 support, contributed
1482 - Fixed a variety of bugs: see SF issues #441449, #563184,
1484 - Made skippedEntityHandler conform to SAX2 (see source comment)
1485 - Re-implemented WFC: Entity Declared from XML 1.0 spec and
1488 - Re-implemented section 5.1 from XML 1.0 spec:
1492 - Added a project to the MSVC workspace to create a wchar_t
1494 - Changed the name of the Windows DLLs from expat.dll to
1496 - Added the XML_ParserReset() API function.
1497 - Fixed XML_SetReturnNSTriplet() to work for element names.
1498 - Made the XML_UNICODE builds usable (thanks, Karl!).
1499 - Allow xmlwf to read from standard input.
1500 - Install a man page for xmlwf on Unix systems.
1501 - Fixed many bugs; see SF bug reports #231864, #461380, #464837,
1507 - More changes to make MSVC happy with the build; add a single
1509 - Added a Windows installer for Windows users; includes
1511 - Added compile-time constants that can be used to determine the
1513 - Removed a lot of GNU-specific dependencies to aid portability
1515 - Fix the UTF-8 BOM bug.
1516 - Cleaned up warning messages for several compilers.
1517 - Added the -Wall, -Wstrict-prototypes options for GCC.
1520 - Changes to get expat to build under Microsoft compiler
1521 - Removed all aborts and instead return an UNEXPECTED_STATE error.
1522 - Fixed a bug where a stray '%' in an entity value would cause an
1524 - Defined XML_SetEndNamespaceDeclHandler. Thanks to Darryl Miles for
1526 - Changed default patterns in lib/Makefile.in to fit non-GNU makes
1529 - The reference had the wrong label for XML_SetStartNamespaceDecl.
1533 - XML_ParserCreate_MM
1536 - XML_SetReturnNSTriplet
1541 - Merged in features from perl-expat
1552 - Added reference material
1553 - Packaged into a distribution that builds a sharable library