NOTE: We are looking for help with a few things:
      https://github.com/libexpat/libexpat/labels/help%20wanted
      If you can help, please get in touch.  Thanks!

Release 2.4.7 Fri March 4 2022
        Bug fixes:
       #572 #577  Relax fix to CVE-2022-25236 (introduced with release 2.4.5)
                    with regard to all valid URI characters (RFC 3986),
                    i.e. the following set (excluding whitespace):
                    ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz
                    0123456789 % -._~ :/?#[]@ !$&'()*+,;=

        Other changes:
  #555 #570 #581  CMake|Windows: Store Expat version in the DLL
            #577  Document consequences of namespace separator choices not just
                    in doc/reference.html but also in header <expat.h>
            #577  Document Expat's lack of validation of namespace URIs against
                    RFC 3986, and that the XML 1.0r4 specification doesn't
                    require Expat to validate namespace URIs, and that Expat
                    may do more in that regard in future releases.
                    If you find need for strict RFC 3986 URI validation on
                    application level today, https://uriparser.github.io/ may
                    be of interest.
            #579  Fix documentation of XML_EndDoctypeDeclHandler in <expat.h>
            #575  Document that a call to XML_FreeContentModel can be done at
                    a later time from outside the element declaration handler
            #574  Make hardcoded namespace URIs easier to find in code
            #573  Update documentation on use of XML_POOR_ENTROPY on Solaris
       #569 #571  tests: Resolve use of macros NAN and INFINITY for GNU G++
                    4.8.2 on Solaris.
       #578 #580  Version info bumped from 9:6:8 to 9:7:8;
                    see https://verbump.de/ for what these numbers do

        Special thanks to:
            Jeffrey Walton
            Johnny Jazeix
            Thijs Schreijer

Release 2.4.6 Sun February 20 2022
        Bug fixes:
            #566  Fix a regression introduced by the fix for CVE-2022-25313
                    in release 2.4.5 that affects applications that (1)
                    call function XML_SetElementDeclHandler and (2) are
                    parsing XML that contains nested element declarations
                    (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>").

        Other changes:
       #567 #568  Version info bumped from 9:5:8 to 9:6:8;
                    see https://verbump.de/ for what these numbers do

        Special thanks to:
            Matt Sergeant
            Samanta Navarro
            Sergei Trofimovich
                 and
            NixOS
            Perl XML::Parser

Release 2.4.5 Fri February 18 2022
        Security fixes:
            #562  CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
                    sequences (e.g. from start tag names) to the XML
                    processing application on top of Expat can cause
                    arbitrary damage (e.g. code execution) depending
                    on how invalid UTF-8 is handled inside the XML
                    processor; validation was not their job but Expat's.
                    Exploits with code execution are known to exist.
            #561  CVE-2022-25236 -- Passing (one or more) namespace separator
                    characters in "xmlns[:prefix]" attribute values
                    made Expat send malformed tag names to the XML
                    processor on top of Expat which can cause
                    arbitrary damage (e.g. code execution) depending
                    on how such unexpectable cases are handled inside the XML
                    processor; validation was not their job but Expat's.
                    Exploits with code execution are known to exist.
            #558  CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
                    that could be triggered by e.g. a 2 megabytes
                    file with a large number of opening braces.
                    Expected impact is denial of service or potentially
                    arbitrary code execution.
            #560  CVE-2022-25314 -- Fix integer overflow in function copyString;
                    only affects the encoding name parameter at parser creation
                    time which is often hardcoded (rather than user input),
                    takes a value in the gigabytes to trigger, and a 64-bit
                    machine.  Expected impact is denial of service.
            #559  CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
                    needs input in the gigabytes and a 64-bit machine.
                    Expected impact is denial of service or potentially
                    arbitrary code execution.
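
Added example (not code from Expat or its authors) for the CVE-2022-25235 and CVE-2022-25236 entries above: a defensive check that an application can run on names its handlers receive, rejecting malformed UTF-8 and surplus namespace separators. It assumes a parser created with XML_ParserCreateNS, no call to XML_SetReturnNSTriplet, and a separator such as '\n' that cannot occur in an XML name; check_handler_name and the sample names are constructed for illustration.

```c
/* Added example, not libexpat code: vet names passed to handlers. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum name_status { NAME_OK = 0, NAME_BAD_UTF8 = 1, NAME_EXTRA_SEPARATOR = 2 };

/* True for a UTF-8 continuation byte (10xxxxxx). */
static int is_cont(unsigned char b) { return (b & 0xC0) == 0x80; }

/* Length of the well-formed UTF-8 sequence at s (n >= 1 bytes left), or 0
 * if it is malformed: truncated, bad continuation byte, overlong form,
 * UTF-16 surrogate, or beyond U+10FFFF. */
static size_t utf8_seq_len(const unsigned char *s, size_t n) {
  unsigned char b0 = s[0];
  if (b0 < 0x80)
    return 1;
  if (b0 >= 0xC2 && b0 <= 0xDF) /* 2-byte; 0xC0/0xC1 would be overlong */
    return (n >= 2 && is_cont(s[1])) ? 2 : 0;
  if (b0 >= 0xE0 && b0 <= 0xEF) { /* 3-byte */
    if (n < 3 || !is_cont(s[1]) || !is_cont(s[2]))
      return 0;
    if (b0 == 0xE0 && s[1] < 0xA0)
      return 0; /* overlong encoding of a value below U+0800 */
    if (b0 == 0xED && s[1] > 0x9F)
      return 0; /* U+D800..U+DFFF surrogates */
    return 3;
  }
  if (b0 >= 0xF0 && b0 <= 0xF4) { /* 4-byte */
    if (n < 4 || !is_cont(s[1]) || !is_cont(s[2]) || !is_cont(s[3]))
      return 0;
    if (b0 == 0xF0 && s[1] < 0x90)
      return 0; /* overlong encoding of a value below U+10000 */
    if (b0 == 0xF4 && s[1] > 0x8F)
      return 0; /* above U+10FFFF */
    return 4;
  }
  return 0; /* 0x80..0xC1 and 0xF5..0xFF never start a sequence */
}

/* Check one NUL-terminated name as delivered to an element or attribute
 * handler.  Assumption: names look like "local" or "uri<sep>local", so a
 * second separator means the URI/local split is ambiguous. */
enum name_status check_handler_name(const char *name, char sep) {
  const unsigned char *p = (const unsigned char *)name;
  size_t left = strlen(name);
  int seps = 0;
  while (left > 0) {
    size_t len = utf8_seq_len(p, left);
    if (len == 0)
      return NAME_BAD_UTF8;
    if (len == 1 && *p == (unsigned char)sep) {
      if (++seps > 1)
        return NAME_EXTRA_SEPARATOR;
    }
    p += len;
    left -= len;
  }
  return NAME_OK;
}

int main(void) {
  /* Constructed sample names; '\n' is the assumed namespace separator. */
  static const char *const samples[] = {
      "http://example.org/ns\nitem", /* one separator: fine */
      "caf\xC3\xA9",                 /* valid 2-byte sequence */
      "a\xC3(",                      /* 2-byte lead, bad continuation */
      "\xE2\x82",                    /* truncated 3-byte sequence */
      "http://a\nb\nitem",           /* separator inside the URI part */
  };
  size_t i;
  for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    printf("sample %u -> status %d\n", (unsigned)i,
           (int)check_handler_name(samples[i], '\n'));
  return 0;
}
```

A handler that gets anything other than NAME_OK should stop processing the document, for example by calling XML_StopParser.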

        Other changes:
       #557 #564  Version info bumped from 9:4:8 to 9:5:8;
                    see https://verbump.de/ for what these numbers do

        Special thanks to:
            Ivan Fratric
            Samanta Navarro
                 and
            Google Project Zero
            JetBrains

Release 2.4.4 Sun January 30 2022
        Security fixes:
            #550  CVE-2022-23852 -- Fix signed integer overflow
                    (undefined behavior) in function XML_GetBuffer
                    (that is also called by function XML_Parse internally)
                    for when XML_CONTEXT_BYTES is defined to >0 (which is both
                    common and default).
                    Impact is denial of service or more.
            #551  CVE-2022-23990 -- Fix unsigned integer overflow in function
                    doProlog triggered by large content in element type
                    declarations when there is an element declaration handler
                    present (from a prior call to XML_SetElementDeclHandler).
                    Impact is denial of service or more.

        Bug fixes:
       #544 #545  xmlwf: Fix a memory leak on output file opening error

        Other changes:
            #546  Autotools: Fix broken CMake support under Cygwin
            #554  Windows: Add missing files to the installer to fix
                    compilation with CMake from installed sources
       #552 #554  Version info bumped from 9:3:8 to 9:4:8;
                    see https://verbump.de/ for what these numbers do

        Special thanks to:
            Carlo Bramini
            hwt0415
            Roland Illig
            Samanta Navarro
                 and
            Clang LeakSan and the Clang team

Release 2.4.3 Sun January 16 2022
        Security fixes:
       #531 #534  CVE-2021-45960 -- Fix issues with left shifts by >=29 places
                    resulting in
                      a) realloc acting as free
                      b) realloc allocating too few bytes
                      c) undefined behavior
                    depending on architecture and precise value
                    for XML documents with >=2^27+1 prefixed attributes
                    on a single XML tag a la
                    "<r xmlns:a='[..]' a:a123='[..]' [..] />"
                    where XML_ParserCreateNS is used to create the parser
                    (which needs argument "-n" when running xmlwf).
                    Impact is denial of service, or more.
       #532 #538  CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
                    on variable m_groupSize in function doProlog leading
                    to realloc acting as free.
                    Impact is denial of service or more.
            #539  CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
                    near memory allocation at multiple places.  Mitre assigned
                    a dedicated CVE for each involved internal C function:
                    - CVE-2022-22822 for function addBinding
                    - CVE-2022-22823 for function build_model
                    - CVE-2022-22824 for function defineAttribute
                    - CVE-2022-22825 for function lookup
                    - CVE-2022-22826 for function nextScaffoldPart
                    - CVE-2022-22827 for function storeAtts
                    Impact is denial of service or more.

        Other changes:
            #535  CMake: Make call to file(GENERATE [..]) work for CMake <3.19
            #541  Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin
                    and MSYS2 by not going through Wine on these platforms
       #527 #528  Address compiler warnings
       #533 #543  Version info bumped from 9:2:8 to 9:3:8;
                    see https://verbump.de/ for what these numbers do

        Infrastructure:
            #536  CI: Check for realistic minimum CMake version
       #529 #539  CI: Cover compilation with -m32
            #529  CI: Store coverage reports as artifacts for download
            #528  CI: Upgrade Clang from 11 to 13

        Special thanks to:
            An anonymous whitehat
            Christopher Degawa
            J. Peter Mugaas
            Tyson Smith
                 and
            GCC Farm Project
            Trend Micro Zero Day Initiative

Release 2.4.2 Sun December 19 2021
        Other changes:
       #509 #510  Link against libm for function "isnan"
       #513 #514  Include expat_config.h as early as possible
            #498  Autotools: Include files with release archives:
                    - buildconf.sh
                    - fuzz/*.c
       #507 #519  Autotools: Sync CMake templates
       #495 #524  CMake: MinGW: Fix pkg-config section "Libs" for
                    - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug)
                    - multi-config CMake generators (e.g. Ninja Multi-Config)
       #502 #503  docs: Document that function XML_GetBuffer may return NULL
                    when asking for a buffer of 0 (zero) bytes size
       #522 #523  docs: Fix return value docs for both
                    XML_SetBillionLaughsAttackProtection* functions
       #525 #526  Version info bumped from 9:1:8 to 9:2:8;
                    see https://verbump.de/ for what these numbers do

        Special thanks to:
            Dong-hee Na
            Joergen Ibsen
            Kai Pastor

Release 2.4.1 Sun May 23 2021
        Bug fixes:
       #488 #490  Autotools: Fix installed header expat_config.h for multilib
                    systems; regression introduced in 2.4.0 by pull request #486

        Other changes:
       #491 #492  Version info bumped from 9:0:8 to 9:1:8;
                    see https://verbump.de/ for what these numbers do

        Special thanks to:
            Gentoo's QA check "multilib_check_headers"

Release 2.4.0 Sun May 23 2021
        Security fixes:
   #34 #466 #484  CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
                    (denial-of-service; flavors targeting CPU time or RAM or both,
                    leveraging general entities or parameter entities or both)
                    by tracking and limiting the input amplification factor
                    (<amplification> := (<direct> + <indirect>) / <direct>).
                    By conservative default, amplification up to a factor of 100.0
                    is tolerated and rejection only starts after 8 MiB of output bytes
                    (=<direct> + <indirect>) have been processed.
                    The fix adds the following to the API:
                    - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to
                      signal this specific condition.
                    - Two new API functions ..
                      - XML_SetBillionLaughsAttackProtectionMaximumAmplification and
                      - XML_SetBillionLaughsAttackProtectionActivationThreshold
                      .. to further tighten billion laughs protection parameters
                      when desired.  Please see file "doc/reference.html" for details.
                      If you ever need to increase the defaults for non-attack XML
                      payload, please file a bug report with libexpat.
                    - Two new XML_FEATURE_* constants ..
                      - that can be queried using the XML_GetFeatureList function, and
                      - that are shown in "xmlwf -v" output.
                    - Two new environment variable switches ..
                      - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and
                      - EXPAT_ENTITY_DEBUG=(0|1)
                      .. for runtime debugging of accounting and entity processing.
                      Specific behavior of these values may change in the future.
                    - Two new command line arguments "-a FACTOR" and "-b BYTES"
                      for xmlwf to further tighten billion laughs protection
                      parameters when desired.
                      If you ever need to increase the defaults for non-attack XML
                      payload, please file a bug report with libexpat.

        Bug fixes:
       #332 #470  For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake)
                    or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault
                    for UTF-16 payloads containing CDATA sections.
       #485 #486  Autotools: Fix generated CMake files for non-64bit and
                    non-Linux platforms (e.g. macOS and MinGW in particular)
                    that were introduced with release 2.3.0

        Other changes:
       #468 #469  xmlwf: Improve help output and the xmlwf man page
            #463  xmlwf: Improve maintainability through some refactoring
            #477  xmlwf: Fix man page DocBook validity
       #458 #459  CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR
                    and CMAKE_INSTALL_INCLUDEDIR
       #471 #481  CMake: Add support for standard variable BUILD_SHARED_LIBS
            #457  Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters
            #467  Resolve macro HAVE_EXPAT_CONFIG_H
            #472  Delete unused legacy helper file "conftools/PrintPath"
       #473 #483  Improve attribution
  #464 #465 #477  doc/reference.html: Fix XHTML validity
       #475 #478  doc/reference.html: Replace the 90s look by OK.css
            #479  Version info bumped from 8:0:7 to 9:0:8
                    due to addition of new symbols and error codes;
                    see https://verbump.de/ for what these numbers do

        Infrastructure:
            #456  CI: Enable periodic runs
            #457  CI: Start covering the list of exported symbols
            #474  CI: Isolate coverage task
       #476 #482  CI: Adapt to breaking changes in image "ubuntu-18.04"
            #477  CI: Cover well-formedness and DocBook/XHTML validity
                    of doc/reference.html and doc/xmlwf.xml

        Special thanks to:
            Dimitry Andric
            Eero Helenius
            Nick Wellnhofer
            Rhodri James
            Tomas Korbar
            Yury Gribov
                 and
            Clang LeakSan
            JetBrains
            OSS-Fuzz

Release 2.3.0 Thu March 25 2021
        Bug fixes:
            #438  When calling XML_ParseBuffer without a prior successful call to
                    XML_GetBuffer as a user, no longer trigger undefined behavior
                    (by adding an integer to a NULL pointer) but rather return
                    XML_STATUS_ERROR and set the error code to (new) code
                    XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer)
                    of Clang 11 (but not Clang 9).
            #444  xmlwf: Exit status 2 was used for both:
                    - malformed input files (documented) and
                    - invalid command-line arguments (undocumented).
                    The case of invalid command-line arguments now
                    has its own exit status 4, resolving the ambiguity.

        Other changes:
            #439  xmlwf: Add argument -k to allow continuing after
                    non-fatal errors
            #439  xmlwf: Add section about exit status to the -h help output
  #422 #426 #447  Windows: Drop support for Visual Studio <=14.0/2015
            #434  Windows: CMake: Detect unsupported Visual Studio at
                    configure time (rather than at compile time)
       #382 #428  testrunner: Make verbose mode (argument "-v") report
                    about passed tests, and make default mode report about
                    failures, as well.
            #442  CMake: Call "enable_language(CXX)" prior to tinkering
                    with CMAKE_CXX_* variables
            #448  Document use of libexpat from a CMake-based project
            #451  Autotools: Install CMake files as generated by CMake 3.19.6
                    so that users with "find_package(expat [..] CONFIG [..])"
                    are served on distributions that are *not* using the CMake
                    build system inside for libexpat packaging
       #436 #437  Autotools: Drop obsolescent macro AC_HEADER_STDC
       #450 #452  Autotools: Resolve use of obsolete macro AC_CONFIG_HEADER
            #441  Address compiler warnings
            #443  Version info bumped from 7:12:6 to 8:0:7
                    due to addition of error code XML_ERROR_NO_BUFFER
                    (see https://verbump.de/ for what these numbers do)

        Infrastructure:
       #435 #446  Replace Travis CI by GitHub Actions

        Special thanks to:
            Alexander Richardson
            Oleksandr Popovych
            Thomas Beutlich
            Tim Bray
                 and
            Clang LeakSan, Clang 11 UBSan and the Clang team

Release 2.2.10 Sat October 3 2020
        Bug fixes:
  #390 #395 #398  Fix undefined behavior during parsing caused by
                    pointer arithmetic with NULL pointers
       #404 #405  Fix reading uninitialized variable during parsing
            #406  xmlwf: Add missing check for malloc NULL return

        Other changes:
            #396  Windows: Drop support for Visual Studio <=8.0/2005
            #409  Windows: Add missing file "Changes" to the installer
                    to fix compilation with CMake from installed sources
            #403  xmlwf: Document exit codes in xmlwf manpage and
                    exit with code 3 (rather than code 1) for output errors
                    when used with "-d DIRECTORY"
       #356 #359  MinGW: Provide declaration of rand_s for mingwrt <5.3.0
       #383 #392  Autotools: Use -Werror while configure tests the compiler
                    for supported compile flags to avoid false positives
  #383 #393 #394  Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS,
                    e.g. ensure that they have the last word over flags added
                    while running ./configure
            #360  CMake: Create libexpatw.{dll,so} and expatw.pc (with emphasis
                    on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
            #360  CMake: Detect and deny unsupported build combinations
                    involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
            #360  CMake: Install pre-compiled shipped xmlwf.1 manpage in case
                    of -DEXPAT_BUILD_DOCS=OFF
  #375 #380 #419  CMake: Fix use of Expat by means of add_subdirectory
       #407 #408  CMake: Keep expat target name constant at "expat"
                    (i.e. refrain from using the target name to control
                    build artifact filenames)
            #385  CMake: Fix compilation with -DEXPAT_SHARED_LIBS=OFF for
                    Windows
                  CMake: Expose man page compilation as target "xmlwf-manpage"
       #413 #414  CMake: Introduce option EXPAT_BUILD_PKGCONFIG
                    to control generation of pkg-config file "expat.pc"
            #424  CMake: Add minimalistic support for building binary packages
                    with CMake target "package"; based on CPack
            #366  CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with
                    default OFF to build fuzzer code against OSS-Fuzz and
                    related environment variable LIB_FUZZING_ENGINE
            #354  Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF, each
       #354 #355  ..
       #356 #412  Address compiler warnings
       #368 #369  Address pngcheck warnings with doc/*.png images
            #425  Version info bumped from 7:11:6 to 7:12:6

        Special thanks to:
            asavah
            Ben Wagner
            Bhargava Shastry
            Frank Landgraf
            Jeffrey Walton
            Joe Orton
            Kleber Tarcísio
            Ma Lin
            Maciej Sroczyński
            Mohammed Khajapasha
            Vadim Zeitlin
                 and
            Cppcheck 2.0 and the Cppcheck team

Release 2.2.9 Wed September 25 2019
        Other changes:
                  examples: Drop executable bits from elements.c
            #349  Windows: Change the name of the Windows DLLs from expat*.dll
                    to libexpat*.dll once more (regression from 2.2.8, first
                    fixed in 1.95.3, issue #61 on SourceForge today,
                    was issue #432456 back then); needs a fix due to
                    case-insensitive file systems on Windows and the fact that
                    Perl's XML::Parser::Expat compiles into Expat.dll.
            #347  Windows: Only define _CRT_RAND_S if not defined
                  Version info bumped from 7:10:6 to 7:11:6

        Special thanks to:
            Ben Wagner

Release 2.2.8 Fri September 13 2019
        Security fixes:
       #317 #318  CVE-2019-15903 -- Fix heap overflow triggered by
                    XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber),
                    and deny internal entities closing the doctype;
                    fixed in commit c20b758c332d9a13afbbb276d30db1d183a85d43

        Bug fixes:
            #240  Fix cases where XML_StopParser did not have any effect
                    when called from inside of an end element handler
            #341  xmlwf: Fix exit code for operation without "-d DIRECTORY";
                    previously, only "-d DIRECTORY" would give you a proper
                    exit code:
                      # xmlwf -d . <<<'<not well-formed>' 2>/dev/null ; echo $?
                      2
                      # xmlwf <<<'<not well-formed>' 2>/dev/null ; echo $?
                      0
                    Now both cases return exit code 2.

        Other changes:
       #299 #302  Windows: Replace LoadLibrary hack to access
                    unofficial API function SystemFunction036 (RtlGenRandom)
                    by using official API function rand_s (needs WinXP+)
            #325  Windows: Drop support for Visual Studio <=7.1/2003
                    and document supported compilers in README.md
            #286  Windows: Remove COM code from xmlwf; in case it turns
                    out needed later, there will be a dedicated repository
                    below https://github.com/libexpat/ for that code
            #322  Windows: Remove explicit MSVC solution and project files.
                    You can generate Visual Studio solution files through
                    CMake, e.g.: cmake -G"Visual Studio 15 2017" .
            #338  xmlwf: Make "xmlwf -h" help output more friendly
            #339  examples: Improve elements.c
       #244 #264  Autotools: Add argument --enable-xml-attr-info
       #239 #301  Autotools: Add arguments
                    --with-getrandom
                    --without-getrandom
                    --with-sys-getrandom
                    --without-sys-getrandom
       #312 #343  Autotools: Fix linking issues with "./configure LD=clang"
                  Autotools: Fix "make run-xmltest" for out-of-source builds
       #329 #336  CMake: Pull all options from Expat <=2.2.7 into namespace
                    prefix EXPAT_ with the exception of DOCBOOK_TO_MAN:
                    - BUILD_doc            -> EXPAT_BUILD_DOCS (plural)
                    - BUILD_examples       -> EXPAT_BUILD_EXAMPLES
                    - BUILD_shared         -> EXPAT_SHARED_LIBS
                    - BUILD_tests          -> EXPAT_BUILD_TESTS
                    - BUILD_tools          -> EXPAT_BUILD_TOOLS
                    - DOCBOOK_TO_MAN       -> DOCBOOK_TO_MAN (unchanged)
                    - INSTALL              -> EXPAT_ENABLE_INSTALL
                    - MSVC_USE_STATIC_CRT  -> EXPAT_MSVC_STATIC_CRT
                    - USE_libbsd           -> EXPAT_WITH_LIBBSD
                    - WARNINGS_AS_ERRORS   -> EXPAT_WARNINGS_AS_ERRORS
                    - XML_CONTEXT_BYTES    -> EXPAT_CONTEXT_BYTES
                    - XML_DEV_URANDOM      -> EXPAT_DEV_URANDOM
                    - XML_DTD              -> EXPAT_DTD
                    - XML_NS               -> EXPAT_NS
                    - XML_UNICODE          -> EXPAT_CHAR_TYPE=ushort (!)
                    - XML_UNICODE_WCHAR_T  -> EXPAT_CHAR_TYPE=wchar_t (!)
       #244 #264  CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF),
                    default OFF
            #326  CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF),
                    default OFF
            #328  CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF),
                    default OFF
       #239 #277  CMake: Add arguments
                    -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO
                    -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO
            #326  CMake: Install expat_config.h to include directory
            #326  CMake: Generate and install configuration files for
                    future find_package(expat [..] CONFIG [..])
                  CMake: Now produces a summary of applied configuration
                  CMake: Require C++ compiler only when tests are enabled
            #330  CMake: Fix compilation for 16bit character types,
                    i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON)
            #265  CMake: Fix linking with MinGW
            #330  CMake: Add full support for MinGW; to enable, use
                    -DCMAKE_TOOLCHAIN_FILE=[expat]/cmake/mingw-toolchain.cmake
            #330  CMake: Port "make run-xmltest" from GNU Autotools to CMake
            #316  CMake: Windows: Make binary postfix match MSVC
                    Old: expat[d].lib
                    New: expat[w][d][MD|MT].lib
                  CMake: Migrate files from Windows to Unix line endings
            #308  CMake: Integrate OSS-Fuzz fuzzers, option
                    -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF
             #14  Drop an OpenVMS support leftover
       #235 #268  ..
       #270 #310  ..
  #313 #331 #333  Address compiler warnings
       #282 #283  ..
       #284 #285  Address cppcheck warnings
       #294 #295  Address Clang Static Analyzer warnings
        #24 #293  Mass-apply clang-format 9 (and ensure conformance during CI)
                  Version info bumped from 7:9:6 to 7:10:6

        Special thanks to:
            David Loffredo
            Joonun Jang
            Kishore Kunche
            Marco Maggi
            Mitch Phillips
            Mohammed Khajapasha
            Rolf Ade
            xantares
            Zhongyuan Zhou

Release 2.2.7 Wed June 19 2019
        Security fixes:
       #186 #262  CVE-2018-20843 -- Fix extraction of namespace prefixes from
                    XML names; XML names with multiple colons could end up in
                    the wrong namespace, and take a high amount of RAM and CPU
                    resources while processing, opening the door to
                    use for denial-of-service attacks

        Other changes:
       #195 #197  Autotools/CMake: Utilize -fvisibility=hidden to stop
                    exporting non-API symbols
            #227  Autotools: Add --without-examples and --without-tests
            #228  Autotools: Modernize configure.ac
       #245 #246  Autotools: Fix check for -fvisibility=hidden for Clang
       #247 #248  Autotools: Fix compilation for lack of docbook2x-man
       #236 #258  Autotools: Produce .tar.{gz,lz,xz} release archives
            #212  CMake: Make libdir of pkgconfig expat.pc support multilib
       #158 #263  CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR
            #219  Remove fallback to bcopy, assume that memmove(3) exists
            #257  Use portable "/usr/bin/env bash" shebang (e.g. for OpenBSD)
            #243  Windows: Fix syntax of .def module definition files
                  Version info bumped from 7:8:6 to 7:9:6

        Special thanks to:
            Benjamin Peterson
            Caolán McNamara
            Hanno Böck
            KangLin
            Kishore Kunche
            Marco Maggi
            Rhodri James
            Sebastian Dröge
            userwithuid
            Yury Gribov

Release 2.2.6 Sun August 12 2018
        Bug fixes:
       #170 #206  Avoid doing arithmetic with NULL pointers in XML_GetBuffer
       #204 #205  Fix 2.2.5 regression with suspend-resume while parsing
                    a document like '<root/>'

        Other changes:
       #165 #168  Autotools: Fix docbook-related configure syntax error
            #166  Autotools: Avoid grep option `-q` for Solaris
            #167  Autotools: Support
                    ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation"
       #159 #167  Autotools: Support DOCBOOK_TO_MAN command which produces
                    xmlwf.1 rather than XMLWF.1; also covers case insensitive
                    file systems
            #181  Autotools: Drop -rpath option passed to libtool
            #188  Autotools: Detect and deny SGML docbook2man as ours is XML
            #188  Autotools/CMake: Support command db2x_docbook2man as well
            #174  CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF
       #184 #185  CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF
       #207 #208  CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T,
                    both defaulting to OFF
            #175  CMake: Prefer check_symbol_exists over check_function_exists
            #176  CMake: Create the same pkg-config file as with GNU Autotools
       #178 #179  CMake: Use GNUInstallDirs module to set proper defaults for
                    install directories
            #208  CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM
            #180  Windows: Fix compilation of test suite for Visual Studio 2008
  #131 #173 #202  Address compiler warnings
  #187 #190 #200  Fix miscellaneous typos
                  Version info bumped from 7:7:6 to 7:8:6

        Special thanks to:
            Anton Maklakov
            Benjamin Peterson
            Brad King
            Franek Korta
            Frank Rast
            Joe Orton
            luzpaz
            Pedro Vicente
            Rainer Jung
            Rhodri James
            Rolf Ade
            Rolf Eike Beer
            Thomas Beutlich
            Tomasz Kłoczko

Release 2.2.5 Tue October 31 2017
        Bug fixes:
              #8  If the parser runs out of memory, make sure its internal
                    state reflects the memory it actually has, not the memory
                    it wanted to have.
             #11  The default handler wasn't being called when it should for
                    a SYSTEM or PUBLIC doctype if an entity declaration handler
                    was registered.
       #137 #138  Fix a case of mistakenly reported parsing success where
                    XML_StopParser was called from an element handler
            #162  Function XML_ErrorString was returning NULL rather than
                    a message for code XML_ERROR_INVALID_ARGUMENT
                    introduced with release 2.2.1

        Other changes:
            #106  xmlwf: Add argument -N adding notation declarations
        #75 #106  Test suite: Resolve expected failure cases where xmlwf
                    output was incomplete
            #127  Windows: Fix test suite compilation
       #126 #127  Windows: Fix compilation for Visual Studio 2012
                  Windows: Upgrade shipped project files to Visual Studio 2017
        #33 #132  tests: Mass-fix compilation for XML_UNICODE_WCHAR_T
            #129  examples: Fix compilation for XML_UNICODE_WCHAR_T
            #130  benchmark: Fix compilation for XML_UNICODE_WCHAR_T
            #144  xmlwf: Fix compilation for XML_UNICODE_WCHAR_T; still needs
                    Windows or MinGW for 2-byte wchar_t
              #9  Address two Clang Static Analyzer false positives
             #59  Resolve troublesome macros hiding parser struct membership
                    and dereferencing that pointer
              #6  Resolve superfluous internal malloc/realloc switch
       #153 #155  Improve docbook2x-man detection
            #160  Undefine NDEBUG in the test suite (rather than rejecting it)
            #161  Address compiler warnings
                  Version info bumped from 7:6:6 to 7:7:6

        Special thanks to:
            Benbuck Nason
            Hans Wennborg
            José Gutiérrez de la Concha
            Pedro Monreal Gonzalez
            Rhodri James
            Rolf Ade
            Stephen Groat
                 and
            Core Infrastructure Initiative

Release 2.2.4 Sat August 19 2017
        Bug fixes:
            #115  Fix copying of partial characters for UTF-8 input

        Other changes:
            #109  Fix "make check" for non-x86 architectures that default
                    to unsigned type char (-128..127 rather than 0..255)
            #109  coverage.sh: Cover -funsigned-char
                  Autotools: Introduce --without-xmlwf argument
             #65  Autotools: Replace handwritten Makefile with GNU Automake
             #43  CMake: Auto-detect high quality entropy extractors, add new
                    option USE_libbsd=ON to use arc4random_buf of libbsd
             #74  CMake: Add -fno-strict-aliasing only where supported
            #114  CMake: Always honor manually set BUILD_* options
            #114  CMake: Compile man page if docbook2x-man is available, only
            #117  Include file tests/xmltest.log.expected in source tarball
                    (required for "make run-xmltest")
            #117  Include (existing) Visual Studio 2013 files in source tarball
                  Improve test suite error output
            #111  Fix some typos in documentation
                  Version info bumped from 7:5:6 to 7:6:6

        Special thanks to:
            Jakub Wilk
            Joe Orton
            Lin Tian
            Rolf Eike Beer

Release 2.2.3 Wed August 2 2017
        Security fixes:
             #82  CVE-2017-11742 -- Windows: Fix DLL hijacking vulnerability
                    using Steve Holme's LoadLibrary wrapper for/of cURL

        Bug fixes:
             #85  Fix a dangling pointer issue related to realloc

        Other changes:
                  Increase code coverage
             #91  Linux: Allow getrandom to fail if nonblocking pool has not
                    yet been initialized and read /dev/urandom then, instead.
                    This is in line with what recent Python does.
             #81  Pre-10.7/Lion macOS: Support entropy from arc4random
             #86  Check that a UTF-16 encoding in an XML declaration has the
                    right endianness
       #4 #5 #7   Recover correctly when some reallocations fail
                  Repair "./configure && make" for systems without any
                    provider of high quality entropy
                    and try reading /dev/urandom on those
                  Ensure that user-defined character encodings have converter
                    functions when they are needed
                  Fix mis-leading description of argument -c in xmlwf.1
                  Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__)
                    for CloudABI
            #100  Fix use of SIPHASH_MAIN in siphash.h
             #23  Test suite: Fix memory leaks
                  Version info bumped from 7:4:6 to 7:5:6

        Special thanks to:
            Chanho Park
            Joe Orton
            Pascal Cuoq
            Rhodri James
            Simon McVittie
            Vadim Zeitlin
            Viktor Szakats
                 and
            Core Infrastructure Initiative

Release 2.2.2 Wed July 12 2017
        Security fixes:
             #43  Protect against compilation without any source of high
                    quality entropy enabled, e.g. with CMake build system;
                    commit ff0207e6076e9828e536b8d9cd45c9c92069b895
             #60  Windows with _UNICODE:
                    Unintended use of LoadLibraryW with a non-wide string
                    resulted in failure to load advapi32.dll and degradation
                    in quality of used entropy when compiled with _UNICODE for
                    Windows; you can launch existing binaries with
                    EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the
                    quality of entropy used during runtime; commits
                    * 95b95032f907ef1cd17ee7a9a1768010a825d61d
                    * 73a5a2e9c081f49f2d775cf7ced864158b68dc80
       [MOX-006]  Fix non-NULL parser parameter validation in XML_Parse;
                    resulted in NULL dereference, previously;
                    commit ac256dafdffc9622ab0dc2c62fcecb0dfcfa71fe

        Bug fixes:
             #69  Fix improper use of unsigned long long integer literals

        Other changes:
             #73  Start requiring a C99 compiler
             #49  Fix "==" Bashism in configure script
             #50  Fix too eager getrandom detection for Debian GNU/kFreeBSD
             #52    and macOS
             #51  Address lack of stdint.h in Visual Studio 2003 to 2008
             #58  Address compile warnings
             #68  Fix "./buildconf.sh && ./configure" for some versions
                    of Dash for /bin/sh
             #72  CMake: Ease use of Expat in context of a parent project
                    with multiple CMakeLists.txt files
             #72  CMake: Resolve mistaken executable permissions
             #76  Address compile warning with -DNDEBUG (not recommended!)
             #77  Address compile warning about macro redefinition

        Special thanks to:
            Alexander Bluhm
            Ben Boeckel
            Cătălin Răceanu
            Kerin Millar
            László Böszörményi
            S. P. Zeidler
            Segev Finer
            Václav Slavík
            Victor Stinner
            Viktor Szakats
                 and
            Radically Open Security

Release 2.2.1 Sat June 17 2017
        Security fixes:
                  CVE-2017-9233 -- External entity infinite loop DoS
                    Details: https://libexpat.github.io/doc/cve-2017-9233/
                    Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
       [MOX-002]  CVE-2016-9063 -- Detect integer overflow; commit
                    d4f735b88d9932bd5039df2335eefdd0723dbe20
                    (Fixed version of existing downstream patches!)
   (SF.net) #539  Fix regression from fix to CVE-2016-0718 cutting off
                    longer tag names; commits
                    * 896b6c1fd3b842f377d1b62135dccf0a579cf65d
                    * af507cef2c93cb8d40062a0abe43a4f4e9158fb2
             #16    * 0dbbf43fdb20f593ddf4fa1ff67288000dd4a7fd
             #25  More integer overflow detection (function poolGrow); commits
                    * 810b74e4703dcfdd8f404e3cb177d44684775143
                    * 44178553f3539ce69d34abee77a05e879a7982ac
       [MOX-002]  Detect overflow from len=INT_MAX call to XML_Parse; commits
                    * 4be2cb5afcc018d996f34bbbce6374b7befad47f
                    * 7e5b71b748491b6e459e5c9a1d090820f94544d8
   [MOX-005] #30  Use high quality entropy for hash initialization:
                    * arc4random_buf on BSD, systems with libbsd
                      (when configured with --with-libbsd), CloudABI
                    * RtlGenRandom on Windows XP / Server 2003 and later
                    * getrandom on Linux 3.17+
                    In a way, that's still part of CVE-2016-5300.
                    https://github.com/libexpat/libexpat/pull/30/commits
       [MOX-005]  For the low quality entropy extraction fallback code,
                    the parser instance address can no longer leak, commit
                    04ad658bd3079dd15cb60fc67087900f0ff4b083
       [MOX-003]  Prevent use of uninitialised variable; commit
       [MOX-004]  a4dc944f37b664a3ca7199c624a98ee37babdb4b
                  Add missing parameter validation to public API functions
                    and dedicated error code XML_ERROR_INVALID_ARGUMENT:
       [MOX-006]    * NULL checks; commits
                      * d37f74b2b7149a3a95a680c4c4cd2a451a51d60a (merge/many)
                      * 9ed727064b675b7180c98cb3d4f75efba6966681
                      * 6a747c837c50114dfa413994e07c0ba477be4534
                    * Negative length (XML_Parse); commit
       [MOX-002]      70db8d2538a10f4c022655d6895e4c3e78692e7f
 [MOX-001]   #35  Change hash algorithm to William Ahern's version of SipHash
                    to go further with fixing CVE-2012-0876.
                    https://github.com/libexpat/libexpat/pull/39/commits

        Bug fixes:
             #32  Fix sharing of hash salt across parsers;
                    relevant where XML_ExternalEntityParserCreate is called
                    prior to XML_Parse, in particular (e.g. FBReader)
             #28  xmlwf: Auto-disable use of memory-mapping (and parsing
                    as a single chunk) for files larger than ~1 GB (2^30 bytes)
                    rather than failing with error "out of memory"
              #3  Fix double free after malloc failure in DTD code; commit
                    7ae9c3d3af433cd4defe95234eae7dc8ed15637f
             #17  Fix memory leak on parser error for unbound XML attribute
                    prefix with new namespaces defined in the same tag;
                    found by Google's OSS-Fuzz; commits
                    * 16f87daae5a16132e479e4f71862128c7a915c73
                    * b47dbc9745932c160893d433220e462bd605f8cd
                  xmlwf on Windows: Add missing calls to CloseHandle

        New features:
             #30  Introduced environment switch EXPAT_ENTROPY_DEBUG=1
                    for runtime debugging of entropy extraction

        Other changes:
                  Increase code coverage
             #33  Reject use of XML_UNICODE_WCHAR_T with sizeof(wchar_t) != 2;
                    XML_UNICODE_WCHAR_T was never meant to be used outside
                    of Windows; 4-byte wchar_t is common on Linux
   (SF.net) #538  Start using -fno-strict-aliasing
   (SF.net) #540  Support compilation against cloudlibc of CloudABI
                  Allow MinGW cross-compilation
   (SF.net) #534  CMake: Introduce option "BUILD_doc" (enabled by default)
                    to bypass compilation of the xmlwf.1 man page
    (SF.net) pr2  CMake: Introduce option "INSTALL" (enabled by default)
                    to bypass installation of expat files
                  CMake: Fix ninja support
                  Autotools: Add parameters --enable-xml-context [COUNT]
                    and --disable-xml-context; default of context of 1024
                    bytes enabled unchanged
             #14  Drop AmigaOS 4.x code and includes
             #14  Drop ancient build systems:
                    * Borland C++ Builder
                    * OpenVMS
                    * Open Watcom
                    * Visual Studio 6.0
                    * Pre-X Mac OS (MPW Makefile)
                    If you happen to rely on some of these, please get in
                    touch for joining with maintenance.
             #10  Move from WIN32 to _WIN32
             #13  Fix "make run-xmltest" order instability
                  Address compile warnings
                  Bump version info from 7:2:6 to 7:3:6
                  Add AUTHORS file

        Infrastructure:
              #1  Migrate from SourceForge to GitHub (except downloads):
                    https://github.com/libexpat/
              #1  Re-create http://libexpat.org/ project website
                  Start utilizing Travis CI

        Special thanks to:
            Andy Wang
            Don Lewis
            Ed Schouten
            Karl Waclawek
            Pascal Cuoq
            Rhodri James
            Sergei Nikulov
            Tobias Taschner
            Viktor Szakats
                 and
            Core Infrastructure Initiative
            Mozilla Foundation (MOSS Track 3: Secure Open Source)
            Radically Open Security

Release 2.2.0 Tue June 21 2016
        Security fixes:
            #537  CVE-2016-0718 -- Fix crash on malformed input
                  CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
                    CVE-2015-2716 introduced with Expat 2.1.1
            #499  CVE-2016-5300 -- Use more entropy for hash initialization
                    than the original fix to CVE-2012-0876
            #519  CVE-2012-6702 -- Resolve troublesome internal call to srand
                    that was introduced with Expat 2.1.0
                    when addressing CVE-2012-0876 (issue #496)

        Bug fixes:
                  Fix uninitialized reads of size 1
                    (e.g. in little2_updatePosition)
                  Fix detection of UTF-8 character boundaries

        Other changes:
            #532  Fix compilation for Visual Studio 2010 (keyword "C99")
                  Autotools: Resolve use of "$<" to better support bmake
                  Autotools: Add QA script "qa.sh" (and make target "qa")
                  Autotools: Respect CXXFLAGS if given
                  Autotools: Fix "make run-xmltest"
                  Autotools: Have "make run-xmltest" check for expected output
             p90  CMake: Fix static build (BUILD_shared=OFF) on Windows
            #536  CMake: Add soversion, support -DNO_SONAME=yes to bypass
            #323  CMake: Add suffix "d" to differentiate debug from release
                  CMake: Define WIN32 with CMake on Windows
                  Annotate memory allocators for GCC
                  Address all currently known compile warnings
                  Make sure that API symbols remain visible despite
                    -fvisibility=hidden
                  Remove executable flag from source files
                  Resolve COMPILED_FROM_DSP in favor of WIN32

        Special thanks to:
            Björn Lindahl
            Christian Heimes
            Cristian Rodríguez
            Daniel Krügler
            Gustavo Grieco
            Karl Waclawek
            László Böszörményi
            Marco Grassi
            Pascal Cuoq
            Sergei Nikulov
            Thomas Beutlich
            Warren Young
            Yann Droneaud

Release 2.1.1 Sat March 12 2016
        Security fixes:
            #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer

        Bug fixes:
            #502: Fix potential null pointer dereference
            #520: Symbol XML_SetHashSalt was not exported
                  Output of "xmlwf -h" was incomplete

        Other changes:
            #503: Document behavior of calling XML_SetHashSalt with salt 0
                  Minor improvements to man page xmlwf(1)
                  Improvements to the experimental CMake build system
                  libtool now invoked with --verbose

Release 2.1.0 Sat March 24 2012
        - Security fixes:
          #2958794: CVE-2012-1148 - Memory leak in poolGrow.
          #2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
          #3496608: CVE-2012-0876 - Hash DOS attack.
          #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
          #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
        - Bug Fixes:
          #1742315: Harmful XML_ParserCreateNS suggestion.
          #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
          #1983953, 2517952, 2517962, 2649838:
                Build modifications using autoreconf instead of buildconf.sh.
          #2815947, #2884086: OBJEXT and EXEEXT support while building.
          #2517938: xmlwf should return non-zero exit status if not well-formed.
          #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml.
          #2855609: Dangling positionPtr after error.
          #2990652: CMake support.
          #3010819: UNEXPECTED_STATE with a trailing "%" in entity value.
          #3206497: Uninitialized memory returned from XML_Parse.
          #3287849: make check fails on mingw-w64.
        - Patches:
          #1749198: pkg-config support.
          #3010222: Fix for bug #3010819.
          #3312568: CMake support.
          #3446384: Report byte offsets for attr names and values.
        - New Features / API changes:
          Added new API member XML_SetHashSalt() that allows setting an initial
                value (salt) for hash calculations. This is part of the fix for
                bug #3496608 to randomize hash parameters.
          When compiled with XML_ATTR_INFO defined, adds new API member
                XML_GetAttributeInfo() that allows retrieving the byte
                offsets for attribute names and values (patch #3446384).
          Added CMake build system.
                See bug #2990652 and patch #3312568.
          Added run-benchmark target to Makefile.in - relies on testdata module
                present in the same relative location as in the repository.

Release 2.0.1 Tue June 5 2007
        - Fixed bugs #1515266, #1515600: The character data handler's calling
          of XML_StopParser() was not handled properly; if the parser was
          stopped and the handler set to NULL, the parser would segfault.
        - Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed
          some character constants to be ASCII encoded.
        - Minor cleanups of the test harness.
        - Fixed xmlwf bug #1513566: "out of memory" error on file size zero.
        - Fixed outline.c bug #1543233: missing a final XML_ParserFree() call.
        - Fixes and improvements for Windows platform:
          bugs #1409451, #1476160, #1548182, #1602769, #1717322.
        - Build fixes for various platforms:
          HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180.
          All Unix: #1554618 (refreshed config.sub/config.guess).
          #1490371, #1613457: support both, DESTDIR and INSTALL_ROOT,
          without relying on GNU-Make specific features.
          #1647805: Patched configure.in to work better with Intel compiler.
        - Fixes to Makefile.in to have make check work correctly:
          bugs #1408143, #1535603, #1536684.
        - Added Open Watcom support: patch #1523242.

Release 2.0.0 Wed Jan 11 2006
        - We no longer use the "check" library for C unit testing; we
          always use the (partial) internal implementation of the API.
        - Report XML_NS setting via XML_GetFeatureList().
        - Fixed headers for use from C++.
        - XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber()
          now return unsigned integers.
        - Added XML_LARGE_SIZE switch to enable 64-bit integers for
          byte indexes and line/column numbers.
        - Updated to use libtool 1.5.22 (the most recent).
        - Added support for AmigaOS.
        - Some mostly minor bug fixes. SF issues include: #1006708,
          #1021776, #1023646, #1114960, #1156398, #1221160, #1271642.

Release 1.95.8 Fri Jul 23 2004
        - Major new feature: suspend/resume. Handlers can now request
          that a parse be suspended for later resumption or aborted
          altogether. See "Temporarily Stopping Parsing" in the
          documentation for more details.
        - Some mostly minor bug fixes, but compilation should no
          longer generate warnings on most platforms. SF issues
          include: #827319, #840173, #846309, #888329, #896188, #923913,
          #928113, #961698, #985192.

Release 1.95.7 Mon Oct 20 2003
        - Fixed enum XML_Status issue (reported on SourceForge many
          times), so compilers that are properly picky will be happy.
        - Introduced an XMLCALL macro to control the calling
          convention used by the Expat API; this macro should be used
          to annotate prototypes and definitions of callback
          implementations in code compiled with a calling convention
          other than the default convention for the host platform.
        - Improved ability to build without the configure-generated
          expat_config.h header. This is useful for applications
          which embed Expat rather than linking in the library.
        - Fixed a variety of bugs: see SF issues #458907, #609603,
          #676844, #679754, #692878, #692964, #695401, #699323, #699487,
          #820946.
        - Improved hash table lookups.
        - Added more regression tests and improved documentation.

Release 1.95.6 Tue Jan 28 2003
        - Added XML_FreeContentModel().
        - Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree().
        - Fixed a variety of bugs: see SF issues #615606, #616863,
          #618199, #653180, #673791.
        - Enhanced the regression test suite.
        - Man page improvements: includes SF issue #632146.

Release 1.95.5 Fri Sep 6 2002
        - Added XML_UseForeignDTD() for improved SAX2 support.
        - Added XML_GetFeatureList().
        - Defined XML_Bool type and the values XML_TRUE and XML_FALSE.
        - Use an incomplete struct instead of a void* for the parser
          (may not retain).
        - Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected.
        - Finally fixed bug where default handler would report DTD
          events that were already handled by another handler.
          Initial patch contributed by Darryl Miles.
        - Removed unnecessary DllMain() function that caused static
          linking into a DLL to be difficult.
        - Added VC++ projects for building static libraries.
        - Reduced line-length for all source code and headers to be
          no longer than 80 characters, to help with AS/400 support.
        - Reduced memory copying during parsing (SF patch #600964).
        - Fixed a variety of bugs: see SF issues #580793, #434664,
          #483514, #580503, #581069, #584041, #584183, #584832, #585537,
          #596555, #596678, #598352, #598944, #599715, #600479, #600971.

Release 1.95.4 Fri Jul 12 2002
        - Added support for VMS, contributed by Craig Berry. See
          vms/README.vms for more information.
        - Added Mac OS (classic) support, with a makefile for MPW,
          contributed by Thomas Wegner and Daryle Walker.
        - Added Borland C++ Builder 5 / BCC 5.5 support, contributed
          by Patrick McConnell (SF patch #538032).
        - Fixed a variety of bugs: see SF issues #441449, #563184,
          #564342, #566334, #566901, #569461, #570263, #575168, #579196.
        - Made skippedEntityHandler conform to SAX2 (see source comment)
        - Re-implemented WFC: Entity Declared from XML 1.0 spec and
          added a new error "entity declared in parameter entity":
          see SF bug report #569461 and SF patch #578161
        - Re-implemented section 5.1 from XML 1.0 spec:
          see SF bug report #570263 and SF patch #578161

Release 1.95.3 Mon Jun 3 2002
        - Added a project to the MSVC workspace to create a wchar_t
          version of the library; the DLLs are named libexpatw.dll.
        - Changed the name of the Windows DLLs from expat.dll to
          libexpat.dll; this fixes SF bug #432456.
        - Added the XML_ParserReset() API function.
        - Fixed XML_SetReturnNSTriplet() to work for element names.
        - Made the XML_UNICODE builds usable (thanks, Karl!).
        - Allow xmlwf to read from standard input.
        - Install a man page for xmlwf on Unix systems.
        - Fixed many bugs; see SF bug reports #231864, #461380, #464837,
          #466885, #469226, #477667, #484419, #487840, #494749, #496505,
          #547350. Other bugs which we can't test as easily may also
          have been fixed, especially in the area of build support.

Release 1.95.2 Fri Jul 27 2001
        - More changes to make MSVC happy with the build; add a single
          workspace to support both the library and xmlwf application.
        - Added a Windows installer for Windows users; includes
          xmlwf.exe.
        - Added compile-time constants that can be used to determine the
          Expat version
        - Removed a lot of GNU-specific dependencies to aid portability
          among the various Unix flavors.
        - Fix the UTF-8 BOM bug.
        - Cleaned up warning messages for several compilers.
        - Added the -Wall, -Wstrict-prototypes options for GCC.

Release 1.95.1 Sun Oct 22 15:11:36 EDT 2000
        - Changes to get expat to build under Microsoft compiler
        - Removed all aborts and instead return an UNEXPECTED_STATE error.
        - Fixed a bug where a stray '%' in an entity value would cause an
          abort.
        - Defined XML_SetEndNamespaceDeclHandler. Thanks to Darryl Miles for
          finding this oversight.
        - Changed default patterns in lib/Makefile.in to fit non-GNU makes
          Thanks to robin@unrated.net for reporting and providing an
          account to test on.
        - The reference had the wrong label for XML_SetStartNamespaceDecl.
          Reported by an anonymous user.

Release 1.95.0 Fri Sep 29 2000
        - XML_ParserCreate_MM
                Allows you to set a memory management suite to replace the
                standard malloc, realloc, and free.
        - XML_SetReturnNSTriplet
                If you turn this feature on when namespace processing is in
                effect, then qualified, prefixed element and attribute names
                are returned as "uri|name|prefix" where '|' is whatever
                separator character is used in namespace processing.
        - Merged in features from perl-expat
                o XML_SetElementDeclHandler
                o XML_SetAttlistDeclHandler
                o XML_SetXmlDeclHandler
                o XML_SetEntityDeclHandler
                o StartDoctypeDeclHandler takes 3 additional parameters:
                        sysid, pubid, has_internal_subset
                o Many paired handler setters (like XML_SetElementHandler)
                  now have corresponding individual handler setters
                o XML_GetInputContext for getting the input context of
                  the current parse position.
        - Added reference material
        - Packaged into a distribution that builds a sharable library