1 __ __ _ 2 ___\ \/ /_ __ __ _| |_ 3 / _ \\ /| '_ \ / _` | __| 4 | __// \| |_) | (_| | |_ 5 \___/_/\_\ .__/ \__,_|\__| 6 |_| XML parser 7 8!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 9!! <blink>Expat is UNDERSTAFFED and WITHOUT FUNDING.</blink> !! 10!! ~~~~~~~~~~~~ !! 11!! The following topics need *additional skilled C developers* to progress !! 12!! in a timely manner or at all (loosely ordered by descending priority): !! 13!! !! 14!! - <blink>fixing a complex non-public security issue</blink>, !! 15!! - teaming up on researching and fixing future security reports and !! 16!! ClusterFuzz findings with few-days-max response times in communication !! 17!! in order to (1) have a sound fix ready before the end of a 90 days !! 18!! grace period and (2) in a sustainable manner, !! 19!! - implementing and auto-testing XML 1.0r5 support !! 20!! (needs discussion before pull requests), !! 21!! - smart ideas on fixing the Autotools CMake files generation issue !! 22!! without breaking CI (needs discussion before pull requests), !! 23!! - the Windows binaries topic (needs requirements engineering first), !! 24!! - pushing migration from `int` to `size_t` further !! 25!! including edge-cases test coverage (needs discussion before anything). !! 26!! !! 27!! For details, please reach out via e-mail to sebastian@pipping.org so we !! 28!! can schedule a voice call on the topic, in English or German. !! 29!! !! 30!! THANK YOU! Sebastian Pipping -- Berlin, 2024-03-09 !! 31!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 32 33Release 2.6.4 Wed November 6 2024 34 Security fixes: 35 #915 CVE-2024-50602 -- Fix crash within function XML_ResumeParser 36 from a NULL pointer dereference by disallowing function 37 XML_StopParser to (stop or) suspend an unstarted parser. 38 A new error code XML_ERROR_NOT_STARTED was introduced to 39 properly communicate this situation. // CWE-476 CWE-754 40 41 Other changes: 42 #903 CMake: Add alias target "expat::expat" 43 #905 docs: Document use via CMake >=3.18 with FetchContent 44 and SOURCE_SUBDIR and its consequences 45 #902 tests: Reduce use of global parser instance 46 #904 tests: Resolve duplicate handler 47 #317 #918 tests: Improve tests on doctype closing (ex CVE-2019-15903) 48 #914 Fix signedness of format strings 49 #919 #920 Version info bumped from 10:3:9 (libexpat*.so.1.9.3) 50 to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/ 51 for what these numbers do 52 53 Infrastructure: 54 #907 CI: Upgrade Clang from 18 to 19 55 #913 CI: Drop macos-12 and add macos-15 56 #910 CI: Adapt to breaking changes in GitHub Actions 57 #898 Add missing entries to .gitignore 58 59 Special thanks to: 60 Hanno Böck 61 José Eduardo Gutiérrez Conejo 62 José Ricardo Cardona Quesada 63 64Release 2.6.3 Wed September 4 2024 65 Security fixes: 66 #887 #890 CVE-2024-45490 -- Calling function XML_ParseBuffer with 67 len < 0 without noticing and then calling XML_GetBuffer 68 will have XML_ParseBuffer fail to recognize the problem 69 and XML_GetBuffer corrupt memory. 70 With the fix, XML_ParseBuffer now complains with error 71 XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse 72 has been doing since Expat 2.2.1, and now documented. 73 Impact is denial of service to potentially artitrary code 74 execution. 75 #888 #891 CVE-2024-45491 -- Internal function dtdCopy can have an 76 integer overflow for nDefaultAtts on 32-bit platforms 77 (where UINT_MAX equals SIZE_MAX). 78 Impact is denial of service to potentially artitrary code 79 execution. 80 #889 #892 CVE-2024-45492 -- Internal function nextScaffoldPart can 81 have an integer overflow for m_groupSize on 32-bit 82 platforms (where UINT_MAX equals SIZE_MAX). 83 Impact is denial of service to potentially artitrary code 84 execution. 85 86 Other changes: 87 #851 #879 Autotools: Sync CMake templates with CMake 3.28 88 #853 Autotools: Always provide path to find(1) for portability 89 #861 Autotools: Ensure that the m4 directory always exists. 90 #870 Autotools: Simplify handling of SIZEOF_VOID_P 91 #869 Autotools: Support non-GNU sed 92 #856 Autotools|CMake: Fix main() to main(void) 93 #865 Autotools|CMake: Fix compile tests for HAVE_SYSCALL_GETRANDOM 94 #863 Autotools|CMake: Stop requiring dos2unix 95 #854 #855 CMake: Fix check for symbols size_t and off_t 96 #864 docs|tests: Convert README to Markdown and update 97 #741 Windows: Drop support for Visual Studio <=15.0/2017 98 #886 Drop needless XML_DTD guards around is_param access 99 #885 Fix typo in a code comment 100 #894 #896 Version info bumped from 10:2:9 (libexpat*.so.1.9.2) 101 to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/ 102 for what these numbers do 103 104 Infrastructure: 105 #880 Readme: Promote the call for help 106 #868 CI: Fix various issues 107 #849 CI: Allow triggering GitHub Actions workflows manually 108 #851 #872 .. 109 #873 #879 CI: Adapt to breaking changes in GitHub Actions 110 111 Special thanks to: 112 Alexander Bluhm 113 Berkay Eren Ürün 114 Dag-Erling Smørgrav 115 Ferenc Géczi 116 TaiYou 117 118Release 2.6.2 Wed March 13 2024 119 Security fixes: 120 #839 #842 CVE-2024-28757 -- Prevent billion laughs attacks with 121 isolated use of external parsers. Please see the commit 122 message of commit 1d50b80cf31de87750103656f6eb693746854aa8 123 for details. 124 125 Bug fixes: 126 #839 #841 Reject direct parameter entity recursion 127 and avoid the related undefined behavior 128 129 Other changes: 130 #847 Autotools: Fix build for DOCBOOK_TO_MAN containing spaces 131 #837 Add missing #821 and #824 to 2.6.1 change log 132 #838 #843 Version info bumped from 10:1:9 (libexpat*.so.1.9.1) 133 to 10:2:9 (libexpat*.so.1.9.2); see https://verbump.de/ 134 for what these numbers do 135 136 Special thanks to: 137 Philippe Antoine 138 Tomas Korbar 139 and 140 Clang UndefinedBehaviorSanitizer 141 OSS-Fuzz / ClusterFuzz 142 143Release 2.6.1 Thu February 29 2024 144 Bug fixes: 145 #817 Make tests independent of CPU speed, and thus more robust 146 #828 #836 Expose billion laughs API with XML_DTD defined and 147 XML_GE undefined, regression from 2.6.0 148 149 Other changes: 150 #829 Hide test-only code behind new internal macro 151 #833 Autotools: Reject expat_config.h.in defining SIZEOF_VOID_P 152 #821 #824 Autotools: Fix "make clean" for case: 153 ./configure --without-docbook && make clean all 154 #819 Address compiler warnings 155 #832 #834 Version info bumped from 10:0:9 (libexpat*.so.1.9.0) 156 to 10:1:9 (libexpat*.so.1.9.1); see https://verbump.de/ 157 for what these numbers do 158 159 Infrastructure: 160 #818 CI: Adapt to breaking changes in clang-format 161 162 Special thanks to: 163 David Hall 164 Snild Dolkow 165 166Release 2.6.0 Tue February 6 2024 167 Security fixes: 168 #789 #814 CVE-2023-52425 -- Fix quadratic runtime issues with big tokens 169 that can cause denial of service, in partial where 170 dealing with compressed XML input. Applications 171 that parsed a document in one go -- a single call to 172 functions XML_Parse or XML_ParseBuffer -- were not affected. 173 The smaller the chunks/buffers you use for parsing 174 previously, the bigger the problem prior to the fix. 175 Backporters should be careful to no omit parts of 176 pull request #789 and to include earlier pull request #771, 177 in order to not break the fix. 178 #777 CVE-2023-52426 -- Fix billion laughs attacks for users 179 compiling *without* XML_DTD defined (which is not common). 180 Users with XML_DTD defined have been protected since 181 Expat >=2.4.0 (and that was CVE-2013-0340 back then). 182 183 Bug fixes: 184 #753 Fix parse-size-dependent "invalid token" error for 185 external entities that start with a byte order mark 186 #780 Fix NULL pointer dereference in setContext via 187 XML_ExternalEntityParserCreate for compilation with 188 XML_DTD undefined 189 #812 #813 Protect against closing entities out of order 190 191 Other changes: 192 #723 Improve support for arc4random/arc4random_buf 193 #771 #788 Improve buffer growth in XML_GetBuffer and XML_Parse 194 #761 #770 xmlwf: Support --help and --version 195 #759 #770 xmlwf: Support custom buffer size for XML_GetBuffer and read 196 #744 xmlwf: Improve language and URL clickability in help output 197 #673 examples: Add new example "element_declarations.c" 198 #764 Be stricter about macro XML_CONTEXT_BYTES at build time 199 #765 Make inclusion to expat_config.h consistent 200 #726 #727 Autotools: configure.ac: Support --disable-maintainer-mode 201 #678 #705 .. 202 #706 #733 #792 Autotools: Sync CMake templates with CMake 3.26 203 #795 Autotools: Make installation of shipped man page doc/xmlwf.1 204 independent of docbook2man availability 205 #815 Autotools|CMake: Add missing -DXML_STATIC to pkg-config file 206 section "Cflags.private" in order to fix compilation 207 against static libexpat using pkg-config on Windows 208 #724 #751 Autotools|CMake: Require a C99 compiler 209 (a de-facto requirement already since Expat 2.2.2 of 2017) 210 #793 Autotools|CMake: Fix PACKAGE_BUGREPORT variable 211 #750 #786 Autotools|CMake: Make test suite require a C++11 compiler 212 #749 CMake: Require CMake >=3.5.0 213 #672 CMake: Lowercase off_t and size_t to help a bug in Meson 214 #746 CMake: Sort xmlwf sources alphabetically 215 #785 CMake|Windows: Fix generation of DLL file version info 216 #790 CMake: Build tests/benchmark/benchmark.c as well for 217 a build with -DEXPAT_BUILD_TESTS=ON 218 #745 #757 docs: Document the importance of isFinal + adjust tests 219 accordingly 220 #736 docs: Improve use of "NULL" and "null" 221 #713 docs: Be specific about version of XML (XML 1.0r4) 222 and version of C (C99); (XML 1.0r5 will need a sponsor.) 223 #762 docs: reference.html: Promote function XML_ParseBuffer more 224 #779 docs: reference.html: Add HTML anchors to XML_* macros 225 #760 docs: reference.html: Upgrade to OK.css 1.2.0 226 #763 #739 docs: Fix typos 227 #696 docs|CI: Use HTTPS URLs instead of HTTP at various places 228 #669 #670 .. 229 #692 #703 .. 230 #733 #772 Address compiler warnings 231 #798 #800 Address clang-tidy warnings 232 #775 #776 Version info bumped from 9:10:8 (libexpat*.so.1.8.10) 233 to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/ 234 for what these numbers do 235 236 Infrastructure: 237 #700 #701 docs: Document security policy in file SECURITY.md 238 #766 docs: Improve parse buffer variables in-code documentation 239 #674 #738 .. 240 #740 #747 .. 241 #748 #781 #782 Refactor coverage and conformance tests 242 #714 #716 Refactor debug level variables to unsigned long 243 #671 Improve handling of empty environment variable value 244 in function getDebugLevel (without visible user effect) 245 #755 #774 .. 246 #758 #783 .. 247 #784 #787 tests: Improve test coverage with regard to parse chunk size 248 #660 #797 #801 Fuzzing: Improve fuzzing coverage 249 #367 #799 Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests 250 #698 #721 CI: Resolve some Travis CI leftovers 251 #669 CI: Be robust towards absence of Git tags 252 #693 #694 CI: Set permissions to "contents: read" for security 253 #709 CI: Pin all GitHub Actions to specific commits for security 254 #739 CI: Reject spelling errors using codespell 255 #798 CI: Enforce clang-tidy clean code 256 #773 #808 .. 257 #809 #810 CI: Upgrade Clang from 15 to 18 258 #796 CI: Start using Clang's Control Flow Integrity sanitizer 259 #675 #720 #722 CI: Adapt to breaking changes in GitHub Actions Ubuntu images 260 #689 CI: Adapt to breaking changes in Clang/LLVM Debian packaging 261 #763 CI: Adapt to breaking changes in codespell 262 #803 CI: Adapt to breaking changes in Cppcheck 263 264 Special thanks to: 265 Ivan Galkin 266 Joyce Brum 267 Philippe Antoine 268 Rhodri James 269 Snild Dolkow 270 spookyahell 271 Steven Garske 272 and 273 Clang AddressSanitizer 274 Clang UndefinedBehaviorSanitizer 275 codespell 276 GCC Farm Project 277 OSS-Fuzz 278 Sony Mobile 279 280Release 2.5.0 Tue October 25 2022 281 Security fixes: 282 #616 #649 #650 CVE-2022-43680 -- Fix heap use-after-free after overeager 283 destruction of a shared DTD in function 284 XML_ExternalEntityParserCreate in out-of-memory situations. 285 Expected impact is denial of service or potentially 286 arbitrary code execution. 287 288 Bug fixes: 289 #612 #645 Fix corruption from undefined entities 290 #613 #654 Fix case when parsing was suspended while processing nested 291 entities 292 #616 #652 #653 Stop leaking opening tag bindings after a closing tag 293 mismatch error where a parser is reset through 294 XML_ParserReset and then reused to parse 295 #656 CMake: Fix generation of pkg-config file 296 #658 MinGW|CMake: Fix static library name 297 298 Other changes: 299 #663 Protect header expat_config.h from multiple inclusion 300 #666 examples: Make use of XML_GetBuffer and be more 301 consistent across examples 302 #648 Address compiler warnings 303 #667 #668 Version info bumped from 9:9:8 to 9:10:8; 304 see https://verbump.de/ for what these numbers do 305 306 Special thanks to: 307 Jann Horn 308 Mark Brand 309 Osyotr 310 Rhodri James 311 and 312 Google Project Zero 313 314Release 2.4.9 Tue September 20 2022 315 Security fixes: 316 #629 #640 CVE-2022-40674 -- Heap use-after-free vulnerability in 317 function doContent. Expected impact is denial of service 318 or potentially arbitrary code execution. 319 320 Bug fixes: 321 #634 MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0 322 #614 docs: Fix documentation on effect of switch XML_DTD on 323 symbol visibility in doc/reference.html 324 325 Other changes: 326 #638 MinGW: Make fix-xmltest-log.sh drop more Wine bug output 327 #596 #625 Autotools: Sync CMake templates with CMake 3.22 328 #608 CMake: Migrate from use of CMAKE_*_POSTFIX to 329 dedicated variables EXPAT_*_POSTFIX to stop affecting 330 other projects 331 #597 #599 Windows|CMake: Add missing -DXML_STATIC to test runners 332 and fuzzers 333 #512 #621 Windows|CMake: Render .def file from a template to fix 334 linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON 335 #611 #621 MinGW|CMake: Apply MSVC .def file when linking 336 #622 #624 MinGW|CMake: Sync library name with GNU Autotools, 337 i.e. produce libexpat-1.dll rather than libexpat.dll 338 by default. Filename libexpat.dll.a is unaffected. 339 #632 MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in 340 toolchain file "cmake/mingw-toolchain.cmake" to avoid 341 error "windres: Command not found" on e.g. Ubuntu 20.04 342 #597 #627 CMake: Unify inconsistent use of set() and option() in 343 context of public build time options to take need for 344 set(.. FORCE) in projects using Expat by means of 345 add_subdirectory(..) off Expat's users' shoulders 346 #626 #641 Stop exporting API symbols when building a static library 347 #644 Resolve use of deprecated "fgrep" by "grep -F" 348 #620 CMake: Make documentation on variables a bit more consistent 349 #636 CMake: Drop leading whitespace from a #cmakedefine line in 350 file expat_config.h.cmake 351 #594 xmlwf: Fix harmless variable mix-up in function nsattcmp 352 #592 #593 #610 Address Cppcheck warnings 353 #643 Address Clang 15 compiler warnings 354 #642 #644 Version info bumped from 9:8:8 to 9:9:8; 355 see https://verbump.de/ for what these numbers do 356 357 Infrastructure: 358 #597 #598 CI: Windows: Start covering MSVC 2022 359 #619 CI: macOS: Migrate off deprecated macOS 10.15 360 #632 CI: Linux: Make migration off deprecated Ubuntu 18.04 work 361 #643 CI: Upgrade Clang from 14 to 15 362 #637 apply-clang-format.sh: Add support for BSD find 363 #633 coverage.sh: Exclude MinGW headers 364 #635 coverage.sh: Fix name collision for -funsigned-char 365 366 Special thanks to: 367 David Faure 368 Felix Wilhelm 369 Frank Bergmann 370 Rhodri James 371 Rosen Penev 372 Thijs Schreijer 373 Vincent Torri 374 and 375 Google Project Zero 376 377Release 2.4.8 Mon March 28 2022 378 Other changes: 379 #587 pkg-config: Move "-lm" to section "Libs.private" 380 #587 CMake|MSVC: Fix pkg-config section "Libs" 381 #55 #582 CMake|macOS: Start using linker arguments 382 "-compatibility_version <version>" and 383 "-current_version <version>" in a way compatible with 384 GNU Libtool 385 #590 #591 Version info bumped from 9:7:8 to 9:8:8; 386 see https://verbump.de/ for what these numbers do 387 388 Infrastructure: 389 #589 CI: Upgrade Clang from 13 to 14 390 391 Special thanks to: 392 evpobr 393 Kai Pastor 394 Sam James 395 396Release 2.4.7 Fri March 4 2022 397 Bug fixes: 398 #572 #577 Relax fix to CVE-2022-25236 (introduced with release 2.4.5) 399 with regard to all valid URI characters (RFC 3986), 400 i.e. the following set (excluding whitespace): 401 ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz 402 0123456789 % -._~ :/?#[]@ !$&'()*+,;= 403 404 Other changes: 405 #555 #570 #581 CMake|Windows: Store Expat version in the DLL 406 #577 Document consequences of namespace separator choices not just 407 in doc/reference.html but also in header <expat.h> 408 #577 Document Expat's lack of validation of namespace URIs against 409 RFC 3986, and that the XML 1.0r4 specification doesn't 410 require Expat to validate namespace URIs, and that Expat 411 may do more in that regard in future releases. 412 If you find need for strict RFC 3986 URI validation on 413 application level today, https://uriparser.github.io/ may 414 be of interest. 415 #579 Fix documentation of XML_EndDoctypeDeclHandler in <expat.h> 416 #575 Document that a call to XML_FreeContentModel can be done at 417 a later time from outside the element declaration handler 418 #574 Make hardcoded namespace URIs easier to find in code 419 #573 Update documentation on use of XML_POOR_ENTOPY on Solaris 420 #569 #571 tests: Resolve use of macros NAN and INFINITY for GNU G++ 421 4.8.2 on Solaris. 422 #578 #580 Version info bumped from 9:6:8 to 9:7:8; 423 see https://verbump.de/ for what these numbers do 424 425 Special thanks to: 426 Jeffrey Walton 427 Johnny Jazeix 428 Thijs Schreijer 429 430Release 2.4.6 Sun February 20 2022 431 Bug fixes: 432 #566 Fix a regression introduced by the fix for CVE-2022-25313 433 in release 2.4.5 that affects applications that (1) 434 call function XML_SetElementDeclHandler and (2) are 435 parsing XML that contains nested element declarations 436 (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>"). 437 438 Other changes: 439 #567 #568 Version info bumped from 9:5:8 to 9:6:8; 440 see https://verbump.de/ for what these numbers do 441 442 Special thanks to: 443 Matt Sergeant 444 Samanta Navarro 445 Sergei Trofimovich 446 and 447 NixOS 448 Perl XML::Parser 449 450Release 2.4.5 Fri February 18 2022 451 Security fixes: 452 #562 CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8 453 sequences (e.g. from start tag names) to the XML 454 processing application on top of Expat can cause 455 arbitrary damage (e.g. code execution) depending 456 on how invalid UTF-8 is handled inside the XML 457 processor; validation was not their job but Expat's. 458 Exploits with code execution are known to exist. 459 #561 CVE-2022-25236 -- Passing (one or more) namespace separator 460 characters in "xmlns[:prefix]" attribute values 461 made Expat send malformed tag names to the XML 462 processor on top of Expat which can cause 463 arbitrary damage (e.g. code execution) depending 464 on such unexpectable cases are handled inside the XML 465 processor; validation was not their job but Expat's. 466 Exploits with code execution are known to exist. 467 #558 CVE-2022-25313 -- Fix stack exhaustion in doctype parsing 468 that could be triggered by e.g. a 2 megabytes 469 file with a large number of opening braces. 470 Expected impact is denial of service or potentially 471 arbitrary code execution. 472 #560 CVE-2022-25314 -- Fix integer overflow in function copyString; 473 only affects the encoding name parameter at parser creation 474 time which is often hardcoded (rather than user input), 475 takes a value in the gigabytes to trigger, and a 64-bit 476 machine. Expected impact is denial of service. 477 #559 CVE-2022-25315 -- Fix integer overflow in function storeRawNames; 478 needs input in the gigabytes and a 64-bit machine. 479 Expected impact is denial of service or potentially 480 arbitrary code execution. 481 482 Other changes: 483 #557 #564 Version info bumped from 9:4:8 to 9:5:8; 484 see https://verbump.de/ for what these numbers do 485 486 Special thanks to: 487 Ivan Fratric 488 Samanta Navarro 489 and 490 Google Project Zero 491 JetBrains 492 493Release 2.4.4 Sun January 30 2022 494 Security fixes: 495 #550 CVE-2022-23852 -- Fix signed integer overflow 496 (undefined behavior) in function XML_GetBuffer 497 (that is also called by function XML_Parse internally) 498 for when XML_CONTEXT_BYTES is defined to >0 (which is both 499 common and default). 500 Impact is denial of service or more. 501 #551 CVE-2022-23990 -- Fix unsigned integer overflow in function 502 doProlog triggered by large content in element type 503 declarations when there is an element declaration handler 504 present (from a prior call to XML_SetElementDeclHandler). 505 Impact is denial of service or more. 506 507 Bug fixes: 508 #544 #545 xmlwf: Fix a memory leak on output file opening error 509 510 Other changes: 511 #546 Autotools: Fix broken CMake support under Cygwin 512 #554 Windows: Add missing files to the installer to fix 513 compilation with CMake from installed sources 514 #552 #554 Version info bumped from 9:3:8 to 9:4:8; 515 see https://verbump.de/ for what these numbers do 516 517 Special thanks to: 518 Carlo Bramini 519 hwt0415 520 Roland Illig 521 Samanta Navarro 522 and 523 Clang LeakSan and the Clang team 524 525Release 2.4.3 Sun January 16 2022 526 Security fixes: 527 #531 #534 CVE-2021-45960 -- Fix issues with left shifts by >=29 places 528 resulting in 529 a) realloc acting as free 530 b) realloc allocating too few bytes 531 c) undefined behavior 532 depending on architecture and precise value 533 for XML documents with >=2^27+1 prefixed attributes 534 on a single XML tag a la 535 "<r xmlns:a='[..]' a:a123='[..]' [..] />" 536 where XML_ParserCreateNS is used to create the parser 537 (which needs argument "-n" when running xmlwf). 538 Impact is denial of service, or more. 539 #532 #538 CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow 540 on variable m_groupSize in function doProlog leading 541 to realloc acting as free. 542 Impact is denial of service or more. 543 #539 CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows 544 near memory allocation at multiple places. Mitre assigned 545 a dedicated CVE for each involved internal C function: 546 - CVE-2022-22822 for function addBinding 547 - CVE-2022-22823 for function build_model 548 - CVE-2022-22824 for function defineAttribute 549 - CVE-2022-22825 for function lookup 550 - CVE-2022-22826 for function nextScaffoldPart 551 - CVE-2022-22827 for function storeAtts 552 Impact is denial of service or more. 553 554 Other changes: 555 #535 CMake: Make call to file(GENERATE [..]) work for CMake <3.19 556 #541 Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin 557 and MSYS2 by not going through Wine on these platforms 558 #527 #528 Address compiler warnings 559 #533 #543 Version info bumped from 9:2:8 to 9:3:8; 560 see https://verbump.de/ for what these numbers do 561 562 Infrastructure: 563 #536 CI: Check for realistic minimum CMake version 564 #529 #539 CI: Cover compilation with -m32 565 #529 CI: Store coverage reports as artifacts for download 566 #528 CI: Upgrade Clang from 11 to 13 567 568 Special thanks to: 569 An anonymous whitehat 570 Christopher Degawa 571 J. Peter Mugaas 572 Tyson Smith 573 and 574 GCC Farm Project 575 Trend Micro Zero Day Initiative 576 577Release 2.4.2 Sun December 19 2021 578 Other changes: 579 #509 #510 Link againgst libm for function "isnan" 580 #513 #514 Include expat_config.h as early as possible 581 #498 Autotools: Include files with release archives: 582 - buildconf.sh 583 - fuzz/*.c 584 #507 #519 Autotools: Sync CMake templates with CMake 3.20 585 #495 #524 CMake: MinGW: Fix pkg-config section "Libs" for 586 - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug) 587 - multi-config CMake generators (e.g. Ninja Multi-Config) 588 #502 #503 docs: Document that function XML_GetBuffer may return NULL 589 when asking for a buffer of 0 (zero) bytes size 590 #522 #523 docs: Fix return value docs for both 591 XML_SetBillionLaughsAttackProtection* functions 592 #525 #526 Version info bumped from 9:1:8 to 9:2:8; 593 see https://verbump.de/ for what these numbers do 594 595 Special thanks to: 596 Donghee Na 597 Joergen Ibsen 598 Kai Pastor 599 600Release 2.4.1 Sun May 23 2021 601 Bug fixes: 602 #488 #490 Autotools: Fix installed header expat_config.h for multilib 603 systems; regression introduced in 2.4.0 by pull request #486 604 605 Other changes: 606 #491 #492 Version info bumped from 9:0:8 to 9:1:8; 607 see https://verbump.de/ for what these numbers do 608 609 Special thanks to: 610 Gentoo's QA check "multilib_check_headers" 611 612Release 2.4.0 Sun May 23 2021 613 Security fixes: 614 #34 #466 #484 CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks 615 (denial-of-service; flavors targeting CPU time or RAM or both, 616 leveraging general entities or parameter entities or both) 617 by tracking and limiting the input amplification factor 618 (<amplification> := (<direct> + <indirect>) / <direct>). 619 By conservative default, amplification up to a factor of 100.0 620 is tolerated and rejection only starts after 8 MiB of output bytes 621 (=<direct> + <indirect>) have been processed. 622 The fix adds the following to the API: 623 - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to 624 signals this specific condition. 625 - Two new API functions .. 626 - XML_SetBillionLaughsAttackProtectionMaximumAmplification and 627 - XML_SetBillionLaughsAttackProtectionActivationThreshold 628 .. to further tighten billion laughs protection parameters 629 when desired. Please see file "doc/reference.html" for details. 630 If you ever need to increase the defaults for non-attack XML 631 payload, please file a bug report with libexpat. 632 - Two new XML_FEATURE_* constants .. 633 - that can be queried using the XML_GetFeatureList function, and 634 - that are shown in "xmlwf -v" output. 635 - Two new environment variable switches .. 636 - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and 637 - EXPAT_ENTITY_DEBUG=(0|1) 638 .. for runtime debugging of accounting and entity processing. 639 Specific behavior of these values may change in the future. 640 - Two new command line arguments "-a FACTOR" and "-b BYTES" 641 for xmlwf to further tighten billion laughs protection 642 parameters when desired. 643 If you ever need to increase the defaults for non-attack XML 644 payload, please file a bug report with libexpat. 645 646 Bug fixes: 647 #332 #470 For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake) 648 or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault 649 for UTF-16 payloads containing CDATA sections. 650 #485 #486 Autotools: Fix generated CMake files for non-64bit and 651 non-Linux platforms (e.g. macOS and MinGW in particular) 652 that were introduced with release 2.3.0 653 654 Other changes: 655 #468 #469 xmlwf: Improve help output and the xmlwf man page 656 #463 xmlwf: Improve maintainability through some refactoring 657 #477 xmlwf: Fix man page DocBook validity 658 #456 Autotools: Sync CMake templates with CMake 3.18 659 #458 #459 CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR 660 and CMAKE_INSTALL_INCLUDEDIR 661 #471 #481 CMake: Add support for standard variable BUILD_SHARED_LIBS 662 #457 Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters 663 #467 Resolve macro HAVE_EXPAT_CONFIG_H 664 #472 Delete unused legacy helper file "conftools/PrintPath" 665 #473 #483 Improve attribution 666 #464 #465 #477 doc/reference.html: Fix XHTML validity 667 #475 #478 doc/reference.html: Replace the 90s look by OK.css 668 #479 Version info bumped from 8:0:7 to 9:0:8 669 due to addition of new symbols and error codes; 670 see https://verbump.de/ for what these numbers do 671 672 Infrastructure: 673 #456 CI: Enable periodic runs 674 #457 CI: Start covering the list of exported symbols 675 #474 CI: Isolate coverage task 676 #476 #482 CI: Adapt to breaking changes in image "ubuntu-18.04" 677 #477 CI: Cover well-formedness and DocBook/XHTML validity 678 of doc/reference.html and doc/xmlwf.xml 679 680 Special thanks to: 681 Dimitry Andric 682 Eero Helenius 683 Nick Wellnhofer 684 Rhodri James 685 Tomas Korbar 686 Yury Gribov 687 and 688 Clang LeakSan 689 JetBrains 690 OSS-Fuzz 691 692Release 2.3.0 Thu March 25 2021 693 Bug fixes: 694 #438 When calling XML_ParseBuffer without a prior successful call to 695 XML_GetBuffer as a user, no longer trigger undefined behavior 696 (by adding an integer to a NULL pointer) but rather return 697 XML_STATUS_ERROR and set the error code to (new) code 698 XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer) 699 of Clang 11 (but not Clang 9). 700 #444 xmlwf: Exit status 2 was used for both: 701 - malformed input files (documented) and 702 - invalid command-line arguments (undocumented). 703 The case of invalid command-line arguments now 704 has its own exit status 4, resolving the ambiguity. 705 706 Other changes: 707 #439 xmlwf: Add argument -k to allow continuing after 708 non-fatal errors 709 #439 xmlwf: Add section about exit status to the -h help output 710 #422 #426 #447 Windows: Drop support for Visual Studio <=14.0/2015 711 #434 Windows: CMake: Detect unsupported Visual Studio at 712 configure time (rather than at compile time) 713 #382 #428 testrunner: Make verbose mode (argument "-v") report 714 about passed tests, and make default mode report about 715 failures, as well. 716 #442 CMake: Call "enable_language(CXX)" prior to tinkering 717 with CMAKE_CXX_* variables 718 #448 Document use of libexpat from a CMake-based project 719 #451 Autotools: Install CMake files as generated by CMake 3.19.6 720 so that users with "find_package(expat [..] CONFIG [..])" 721 are served on distributions that are *not* using the CMake 722 build system inside for libexpat packaging 723 #436 #437 Autotools: Drop obsolescent macro AC_HEADER_STDC 724 #450 #452 Autotools: Resolve use of obsolete macro AC_CONFIG_HEADER 725 #441 Address compiler warnings 726 #443 Version info bumped from 7:12:6 to 8:0:7 727 due to addition of error code XML_ERROR_NO_BUFFER 728 (see https://verbump.de/ for what these numbers do) 729 730 Infrastructure: 731 #435 #446 Replace Travis CI by GitHub Actions 732 733 Special thanks to: 734 Alexander Richardson 735 Oleksandr Popovych 736 Thomas Beutlich 737 Tim Bray 738 and 739 Clang LeakSan, Clang 11 UBSan and the Clang team 740 741Release 2.2.10 Sat October 3 2020 742 Bug fixes: 743 #390 #395 #398 Fix undefined behavior during parsing caused by 744 pointer arithmetic with NULL pointers 745 #404 #405 Fix reading uninitialized variable during parsing 746 #406 xmlwf: Add missing check for malloc NULL return 747 748 Other changes: 749 #396 Windows: Drop support for Visual Studio <=8.0/2005 750 #409 Windows: Add missing file "Changes" to the installer 751 to fix compilation with CMake from installed sources 752 #403 xmlwf: Document exit codes in xmlwf manpage and 753 exit with code 3 (rather than code 1) for output errors 754 when used with "-d DIRECTORY" 755 #356 #359 MinGW: Provide declaration of rand_s for mingwrt <5.3.0 756 #383 #392 Autotools: Use -Werror while configure tests the compiler 757 for supported compile flags to avoid false positives 758 #383 #393 #394 Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS, 759 e.g. ensure that they have the last word over flags added 760 while running ./configure 761 #360 CMake: Create libexpatw.{dll,so} and expatw.pc (with emphasis 762 on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t) 763 #360 CMake: Detect and deny unsupported build combinations 764 involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t) 765 #360 CMake: Install pre-compiled shipped xmlwf.1 manpage in case 766 of -DEXPAT_BUILD_DOCS=OFF 767 #375 #380 #419 CMake: Fix use of Expat by means of add_subdirectory 768 #407 #408 CMake: Keep expat target name constant at "expat" 769 (i.e. refrain from using the target name to control 770 build artifact filenames) 771 #385 CMake: Fix compilation with -DEXPAT_SHARED_LIBS=OFF for 772 Windows 773 CMake: Expose man page compilation as target "xmlwf-manpage" 774 #413 #414 CMake: Introduce option EXPAT_BUILD_PKGCONFIG 775 to control generation of pkg-config file "expat.pc" 776 #424 CMake: Add minimalistic support for building binary packages 777 with CMake target "package"; based on CPack 778 #366 CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with 779 default OFF to build fuzzer code against OSS-Fuzz and 780 related environment variable LIB_FUZZING_ENGINE 781 #354 Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF, each 782 #354 #355 .. 783 #356 #412 Address compiler warnings 784 #368 #369 Address pngcheck warnings with doc/*.png images 785 #425 Version info bumped from 7:11:6 to 7:12:6 786 787 Special thanks to: 788 asavah 789 Ben Wagner 790 Bhargava Shastry 791 Frank Landgraf 792 Jeffrey Walton 793 Joe Orton 794 Kleber Tarcísio 795 Ma Lin 796 Maciej Sroczyński 797 Mohammed Khajapasha 798 Vadim Zeitlin 799 and 800 Cppcheck 2.0 and the Cppcheck team 801 802Release 2.2.9 Wed September 25 2019 803 Other changes: 804 examples: Drop executable bits from elements.c 805 #349 Windows: Change the name of the Windows DLLs from expat*.dll 806 to libexpat*.dll once more (regression from 2.2.8, first 807 fixed in 1.95.3, issue #61 on SourceForge today, 808 was issue #432456 back then); needs a fix due 809 case-insensitive file systems on Windows and the fact that 810 Perl's XML::Parser::Expat compiles into Expat.dll. 811 #347 Windows: Only define _CRT_RAND_S if not defined 812 Version info bumped from 7:10:6 to 7:11:6 813 814 Special thanks to: 815 Ben Wagner 816 817Release 2.2.8 Fri September 13 2019 818 Security fixes: 819 #317 #318 CVE-2019-15903 -- Fix heap overflow triggered by 820 XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber), 821 and deny internal entities closing the doctype; 822 fixed in commit c20b758c332d9a13afbbb276d30db1d183a85d43 823 824 Bug fixes: 825 #240 Fix cases where XML_StopParser did not have any effect 826 when called from inside of an end element handler 827 #341 xmlwf: Fix exit code for operation without "-d DIRECTORY"; 828 previously, only "-d DIRECTORY" would give you a proper 829 exit code: 830 # xmlwf -d . <<<'<not well-formed>' 2>/dev/null ; echo $? 831 2 832 # xmlwf <<<'<not well-formed>' 2>/dev/null ; echo $? 833 0 834 Now both cases return exit code 2. 835 836 Other changes: 837 #299 #302 Windows: Replace LoadLibrary hack to access 838 unofficial API function SystemFunction036 (RtlGenRandom) 839 by using official API function rand_s (needs WinXP+) 840 #325 Windows: Drop support for Visual Studio <=7.1/2003 841 and document supported compilers in README.md 842 #286 Windows: Remove COM code from xmlwf; in case it turns 843 out needed later, there will be a dedicated repository 844 below https://github.com/libexpat/ for that code 845 #322 Windows: Remove explicit MSVC solution and project files. 846 You can generate Visual Studio solution files through 847 CMake, e.g.: cmake -G"Visual Studio 15 2017" . 848 #338 xmlwf: Make "xmlwf -h" help output more friendly 849 #339 examples: Improve elements.c 850 #244 #264 Autotools: Add argument --enable-xml-attr-info 851 #239 #301 Autotools: Add arguments 852 --with-getrandom 853 --without-getrandom 854 --with-sys-getrandom 855 --without-sys-getrandom 856 #312 #343 Autotools: Fix linking issues with "./configure LD=clang" 857 Autotools: Fix "make run-xmltest" for out-of-source builds 858 #329 #336 CMake: Pull all options from Expat <=2.2.7 into namespace 859 prefix EXPAT_ with the exception of DOCBOOK_TO_MAN: 860 - BUILD_doc -> EXPAT_BUILD_DOCS (plural) 861 - BUILD_examples -> EXPAT_BUILD_EXAMPLES 862 - BUILD_shared -> EXPAT_SHARED_LIBS 863 - BUILD_tests -> EXPAT_BUILD_TESTS 864 - BUILD_tools -> EXPAT_BUILD_TOOLS 865 - DOCBOOK_TO_MAN -> DOCBOOK_TO_MAN (unchanged) 866 - INSTALL -> EXPAT_ENABLE_INSTALL 867 - MSVC_USE_STATIC_CRT -> EXPAT_MSVC_STATIC_CRT 868 - USE_libbsd -> EXPAT_WITH_LIBBSD 869 - WARNINGS_AS_ERRORS -> EXPAT_WARNINGS_AS_ERRORS 870 - XML_CONTEXT_BYTES -> EXPAT_CONTEXT_BYTES 871 - XML_DEV_URANDOM -> EXPAT_DEV_URANDOM 872 - XML_DTD -> EXPAT_DTD 873 - XML_NS -> EXPAT_NS 874 - XML_UNICODE -> EXPAT_CHAR_TYPE=ushort (!) 875 - XML_UNICODE_WCHAR_T -> EXPAT_CHAR_TYPE=wchar_t (!) 876 #244 #264 CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF), 877 default OFF 878 #326 CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF), 879 default OFF 880 #328 CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF), 881 default OFF 882 #239 #277 CMake: Add arguments 883 -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO 884 -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO 885 #326 CMake: Install expat_config.h to include directory 886 #326 CMake: Generate and install configuration files for 887 future find_package(expat [..] CONFIG [..]) 888 CMake: Now produces a summary of applied configuration 889 CMake: Require C++ compiler only when tests are enabled 890 #330 CMake: Fix compilation for 16bit character types, 891 i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON) 892 #265 CMake: Fix linking with MinGW 893 #330 CMake: Add full support for MinGW; to enable, use 894 -DCMAKE_TOOLCHAIN_FILE=[expat]/cmake/mingw-toolchain.cmake 895 #330 CMake: Port "make run-xmltest" from GNU Autotools to CMake 896 #316 CMake: Windows: Make binary postfix match MSVC 897 Old: expat[d].lib 898 New: expat[w][d][MD|MT].lib 899 CMake: Migrate files from Windows to Unix line endings 900 #308 CMake: Integrate OSS-Fuzz fuzzers, option 901 -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF 902 #14 Drop an OpenVMS support leftover 903 #235 #268 .. 904 #270 #310 .. 905 #313 #331 #333 Address compiler warnings 906 #282 #283 .. 907 #284 #285 Address cppcheck warnings 908 #294 #295 Address Clang Static Analyzer warnings 909 #24 #293 Mass-apply clang-format 9 (and ensure conformance during CI) 910 Version info bumped from 7:9:6 to 7:10:6 911 912 Special thanks to: 913 David Loffredo 914 Joonun Jang 915 Kishore Kunche 916 Marco Maggi 917 Mitch Phillips 918 Mohammed Khajapasha 919 Rolf Ade 920 xantares 921 Zhongyuan Zhou 922 923Release 2.2.7 Wed June 19 2019 924 Security fixes: 925 #186 #262 CVE-2018-20843 -- Fix extraction of namespace prefixes from 926 XML names; XML names with multiple colons could end up in 927 the wrong namespace, and take a high amount of RAM and CPU 928 resources while processing, opening the door to 929 use for denial-of-service attacks 930 931 Other changes: 932 #195 #197 Autotools/CMake: Utilize -fvisibility=hidden to stop 933 exporting non-API symbols 934 #227 Autotools: Add --without-examples and --without-tests 935 #228 Autotools: Modernize configure.ac 936 #245 #246 Autotools: Fix check for -fvisibility=hidden for Clang 937 #247 #248 Autotools: Fix compilation for lack of docbook2x-man 938 #236 #258 Autotools: Produce .tar.{gz,lz,xz} release archives 939 #212 CMake: Make libdir of pkgconfig expat.pc support multilib 940 #158 #263 CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR 941 #219 Remove fallback to bcopy, assume that memmove(3) exists 942 #257 Use portable "/usr/bin/env bash" shebang (e.g. for OpenBSD) 943 #243 Windows: Fix syntax of .def module definition files 944 Version info bumped from 7:8:6 to 7:9:6 945 946 Special thanks to: 947 Benjamin Peterson 948 Caolán McNamara 949 Hanno Böck 950 KangLin 951 Kishore Kunche 952 Marco Maggi 953 Rhodri James 954 Sebastian Dröge 955 userwithuid 956 Yury Gribov 957 958Release 2.2.6 Sun August 12 2018 959 Bug fixes: 960 #170 #206 Avoid doing arithmetic with NULL pointers in XML_GetBuffer 961 #204 #205 Fix 2.2.5 regression with suspend-resume while parsing 962 a document like '<root/>' 963 964 Other changes: 965 #165 #168 Autotools: Fix docbook-related configure syntax error 966 #166 Autotools: Avoid grep option `-q` for Solaris 967 #167 Autotools: Support 968 ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation" 969 #159 #167 Autotools: Support DOCBOOK_TO_MAN command which produces 970 xmlwf.1 rather than XMLWF.1; also covers case insensitive 971 file systems 972 #181 Autotools: Drop -rpath option passed to libtool 973 #188 Autotools: Detect and deny SGML docbook2man as ours is XML 974 #188 Autotools/CMake: Support command db2x_docbook2man as well 975 #174 CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF 976 #184 #185 CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF 977 #207 #208 CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T, 978 both defaulting to OFF 979 #175 CMake: Prefer check_symbol_exists over check_function_exists 980 #176 CMake: Create the same pkg-config file as with GNU Autotools 981 #178 #179 CMake: Use GNUInstallDirs module to set proper defaults for 982 install directories 983 #208 CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM 984 #180 Windows: Fix compilation of test suite for Visual Studio 2008 985 #131 #173 #202 Address compiler warnings 986 #187 #190 #200 Fix miscellaneous typos 987 Version info bumped from 7:7:6 to 7:8:6 988 989 Special thanks to: 990 Anton Maklakov 991 Benjamin Peterson 992 Brad King 993 Franek Korta 994 Frank Rast 995 Joe Orton 996 luzpaz 997 Pedro Vicente 998 Rainer Jung 999 Rhodri James 1000 Rolf Ade 1001 Rolf Eike Beer 1002 Thomas Beutlich 1003 Tomasz Kłoczko 1004 1005Release 2.2.5 Tue October 31 2017 1006 Bug fixes: 1007 #8 If the parser runs out of memory, make sure its internal 1008 state reflects the memory it actually has, not the memory 1009 it wanted to have. 1010 #11 The default handler wasn't being called when it should for 1011 a SYSTEM or PUBLIC doctype if an entity declaration handler 1012 was registered. 1013 #137 #138 Fix a case of mistakenly reported parsing success where 1014 XML_StopParser was called from an element handler 1015 #162 Function XML_ErrorString was returning NULL rather than 1016 a message for code XML_ERROR_INVALID_ARGUMENT 1017 introduced with release 2.2.1 1018 1019 Other changes: 1020 #106 xmlwf: Add argument -N adding notation declarations 1021 #75 #106 Test suite: Resolve expected failure cases where xmlwf 1022 output was incomplete 1023 #127 Windows: Fix test suite compilation 1024 #126 #127 Windows: Fix compilation for Visual Studio 2012 1025 Windows: Upgrade shipped project files to Visual Studio 2017 1026 #33 #132 tests: Mass-fix compilation for XML_UNICODE_WCHAR_T 1027 #129 examples: Fix compilation for XML_UNICODE_WCHAR_T 1028 #130 benchmark: Fix compilation for XML_UNICODE_WCHAR_T 1029 #144 xmlwf: Fix compilation for XML_UNICODE_WCHAR_T; still needs 1030 Windows or MinGW for 2-byte wchar_t 1031 #9 Address two Clang Static Analyzer false positives 1032 #59 Resolve troublesome macros hiding parser struct membership 1033 and dereferencing that pointer 1034 #6 Resolve superfluous internal malloc/realloc switch 1035 #153 #155 Improve docbook2x-man detection 1036 #160 Undefine NDEBUG in the test suite (rather than rejecting it) 1037 #161 Address compiler warnings 1038 Version info bumped from 7:6:6 to 7:7:6 1039 1040 Special thanks to: 1041 Benbuck Nason 1042 Hans Wennborg 1043 José Gutiérrez de la Concha 1044 Pedro Monreal Gonzalez 1045 Rhodri James 1046 Rolf Ade 1047 Stephen Groat 1048 and 1049 Core Infrastructure Initiative 1050 1051Release 2.2.4 Sat August 19 2017 1052 Bug fixes: 1053 #115 Fix copying of partial characters for UTF-8 input 1054 1055 Other changes: 1056 #109 Fix "make check" for non-x86 architectures that default 1057 to unsigned type char (-128..127 rather than 0..255) 1058 #109 coverage.sh: Cover -funsigned-char 1059 Autotools: Introduce --without-xmlwf argument 1060 #65 Autotools: Replace handwritten Makefile with GNU Automake 1061 #43 CMake: Auto-detect high quality entropy extractors, add new 1062 option USE_libbsd=ON to use arc4random_buf of libbsd 1063 #74 CMake: Add -fno-strict-aliasing only where supported 1064 #114 CMake: Always honor manually set BUILD_* options 1065 #114 CMake: Compile man page if docbook2x-man is available, only 1066 #117 Include file tests/xmltest.log.expected in source tarball 1067 (required for "make run-xmltest") 1068 #117 Include (existing) Visual Studio 2013 files in source tarball 1069 Improve test suite error output 1070 #111 Fix some typos in documentation 1071 Version info bumped from 7:5:6 to 7:6:6 1072 1073 Special thanks to: 1074 Jakub Wilk 1075 Joe Orton 1076 Lin Tian 1077 Rolf Eike Beer 1078 1079Release 2.2.3 Wed August 2 2017 1080 Security fixes: 1081 #82 CVE-2017-11742 -- Windows: Fix DLL hijacking vulnerability 1082 using Steve Holme's LoadLibrary wrapper for/of cURL 1083 1084 Bug fixes: 1085 #85 Fix a dangling pointer issue related to realloc 1086 1087 Other changes: 1088 Increase code coverage 1089 #91 Linux: Allow getrandom to fail if nonblocking pool has not 1090 yet been initialized and read /dev/urandom then, instead. 1091 This is in line with what recent Python does. 1092 #81 Pre-10.7/Lion macOS: Support entropy from arc4random 1093 #86 Check that a UTF-16 encoding in an XML declaration has the 1094 right endianness 1095 #4 #5 #7 Recover correctly when some reallocations fail 1096 Repair "./configure && make" for systems without any 1097 provider of high quality entropy 1098 and try reading /dev/urandom on those 1099 Ensure that user-defined character encodings have converter 1100 functions when they are needed 1101 Fix mis-leading description of argument -c in xmlwf.1 1102 Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__) 1103 for CloudABI 1104 #100 Fix use of SIPHASH_MAIN in siphash.h 1105 #23 Test suite: Fix memory leaks 1106 Version info bumped from 7:4:6 to 7:5:6 1107 1108 Special thanks to: 1109 Chanho Park 1110 Joe Orton 1111 Pascal Cuoq 1112 Rhodri James 1113 Simon McVittie 1114 Vadim Zeitlin 1115 Viktor Szakats 1116 and 1117 Core Infrastructure Initiative 1118 1119Release 2.2.2 Wed July 12 2017 1120 Security fixes: 1121 #43 Protect against compilation without any source of high 1122 quality entropy enabled, e.g. with CMake build system; 1123 commit ff0207e6076e9828e536b8d9cd45c9c92069b895 1124 #60 Windows with _UNICODE: 1125 Unintended use of LoadLibraryW with a non-wide string 1126 resulted in failure to load advapi32.dll and degradation 1127 in quality of used entropy when compiled with _UNICODE for 1128 Windows; you can launch existing binaries with 1129 EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the 1130 quality of entropy used during runtime; commits 1131 * 95b95032f907ef1cd17ee7a9a1768010a825d61d 1132 * 73a5a2e9c081f49f2d775cf7ced864158b68dc80 1133 [MOX-006] Fix non-NULL parser parameter validation in XML_Parse; 1134 resulted in NULL dereference, previously; 1135 commit ac256dafdffc9622ab0dc2c62fcecb0dfcfa71fe 1136 1137 Bug fixes: 1138 #69 Fix improper use of unsigned long long integer literals 1139 1140 Other changes: 1141 #73 Start requiring a C99 compiler 1142 #49 Fix "==" Bashism in configure script 1143 #50 Fix too eager getrandom detection for Debian GNU/kFreeBSD 1144 #52 and macOS 1145 #51 Address lack of stdint.h in Visual Studio 2003 to 2008 1146 #58 Address compile warnings 1147 #68 Fix "./buildconf.sh && ./configure" for some versions 1148 of Dash for /bin/sh 1149 #72 CMake: Ease use of Expat in context of a parent project 1150 with multiple CMakeLists.txt files 1151 #72 CMake: Resolve mistaken executable permissions 1152 #76 Address compile warning with -DNDEBUG (not recommended!) 1153 #77 Address compile warning about macro redefinition 1154 1155 Special thanks to: 1156 Alexander Bluhm 1157 Ben Boeckel 1158 Cătălin Răceanu 1159 Kerin Millar 1160 László Böszörményi 1161 S. P. Zeidler 1162 Segev Finer 1163 Václav Slavík 1164 Victor Stinner 1165 Viktor Szakats 1166 and 1167 Radically Open Security 1168 1169Release 2.2.1 Sat June 17 2017 1170 Security fixes: 1171 CVE-2017-9233 -- External entity infinite loop DoS 1172 Details: https://libexpat.github.io/doc/cve-2017-9233/ 1173 Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f 1174 [MOX-002] CVE-2016-9063 -- Detect integer overflow; commit 1175 d4f735b88d9932bd5039df2335eefdd0723dbe20 1176 (Fixed version of existing downstream patches!) 1177 (SF.net) #539 Fix regression from fix to CVE-2016-0718 cutting off 1178 longer tag names; commits 1179 * 896b6c1fd3b842f377d1b62135dccf0a579cf65d 1180 * af507cef2c93cb8d40062a0abe43a4f4e9158fb2 1181 #16 * 0dbbf43fdb20f593ddf4fa1ff67288000dd4a7fd 1182 #25 More integer overflow detection (function poolGrow); commits 1183 * 810b74e4703dcfdd8f404e3cb177d44684775143 1184 * 44178553f3539ce69d34abee77a05e879a7982ac 1185 [MOX-002] Detect overflow from len=INT_MAX call to XML_Parse; commits 1186 * 4be2cb5afcc018d996f34bbbce6374b7befad47f 1187 * 7e5b71b748491b6e459e5c9a1d090820f94544d8 1188 [MOX-005] #30 Use high quality entropy for hash initialization: 1189 * arc4random_buf on BSD, systems with libbsd 1190 (when configured with --with-libbsd), CloudABI 1191 * RtlGenRandom on Windows XP / Server 2003 and later 1192 * getrandom on Linux 3.17+ 1193 In a way, that's still part of CVE-2016-5300. 1194 https://github.com/libexpat/libexpat/pull/30/commits 1195 [MOX-005] For the low quality entropy extraction fallback code, 1196 the parser instance address can no longer leak, commit 1197 04ad658bd3079dd15cb60fc67087900f0ff4b083 1198 [MOX-003] Prevent use of uninitialised variable; commit 1199 [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b 1200 Add missing parameter validation to public API functions 1201 and dedicated error code XML_ERROR_INVALID_ARGUMENT: 1202 [MOX-006] * NULL checks; commits 1203 * d37f74b2b7149a3a95a680c4c4cd2a451a51d60a (merge/many) 1204 * 9ed727064b675b7180c98cb3d4f75efba6966681 1205 * 6a747c837c50114dfa413994e07c0ba477be4534 1206 * Negative length (XML_Parse); commit 1207 [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f 1208 [MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash 1209 to go further with fixing CVE-2012-0876. 1210 https://github.com/libexpat/libexpat/pull/39/commits 1211 1212 Bug fixes: 1213 #32 Fix sharing of hash salt across parsers; 1214 relevant where XML_ExternalEntityParserCreate is called 1215 prior to XML_Parse, in particular (e.g. FBReader) 1216 #28 xmlwf: Auto-disable use of memory-mapping (and parsing 1217 as a single chunk) for files larger than ~1 GB (2^30 bytes) 1218 rather than failing with error "out of memory" 1219 #3 Fix double free after malloc failure in DTD code; commit 1220 7ae9c3d3af433cd4defe95234eae7dc8ed15637f 1221 #17 Fix memory leak on parser error for unbound XML attribute 1222 prefix with new namespaces defined in the same tag; 1223 found by Google's OSS-Fuzz; commits 1224 * 16f87daae5a16132e479e4f71862128c7a915c73 1225 * b47dbc9745932c160893d433220e462bd605f8cd 1226 xmlwf on Windows: Add missing calls to CloseHandle 1227 1228 New features: 1229 #30 Introduced environment switch EXPAT_ENTROPY_DEBUG=1 1230 for runtime debugging of entropy extraction 1231 1232 Other changes: 1233 Increase code coverage 1234 #33 Reject use of XML_UNICODE_WCHAR_T with sizeof(wchar_t) != 2; 1235 XML_UNICODE_WCHAR_T was never meant to be used outside 1236 of Windows; 4-byte wchar_t is common on Linux 1237 (SF.net) #538 Start using -fno-strict-aliasing 1238 (SF.net) #540 Support compilation against cloudlibc of CloudABI 1239 Allow MinGW cross-compilation 1240 (SF.net) #534 CMake: Introduce option "BUILD_doc" (enabled by default) 1241 to bypass compilation of the xmlwf.1 man page 1242 (SF.net) pr2 CMake: Introduce option "INSTALL" (enabled by default) 1243 to bypass installation of expat files 1244 CMake: Fix ninja support 1245 Autotools: Add parameters --enable-xml-context [COUNT] 1246 and --disable-xml-context; default of context of 1024 1247 bytes enabled unchanged 1248 #14 Drop AmigaOS 4.x code and includes 1249 #14 Drop ancient build systems: 1250 * Borland C++ Builder 1251 * OpenVMS 1252 * Open Watcom 1253 * Visual Studio 6.0 1254 * Pre-X Mac OS (MPW Makefile) 1255 If you happen to rely on some of these, please get in 1256 touch for joining with maintenance. 1257 #10 Move from WIN32 to _WIN32 1258 #13 Fix "make run-xmltest" order instability 1259 Address compile warnings 1260 Bump version info from 7:2:6 to 7:3:6 1261 Add AUTHORS file 1262 1263 Infrastructure: 1264 #1 Migrate from SourceForge to GitHub (except downloads): 1265 https://github.com/libexpat/ 1266 #1 Re-create http://libexpat.org/ project website 1267 Start utilizing Travis CI 1268 1269 Special thanks to: 1270 Andy Wang 1271 Don Lewis 1272 Ed Schouten 1273 Karl Waclawek 1274 Pascal Cuoq 1275 Rhodri James 1276 Sergei Nikulov 1277 Tobias Taschner 1278 Viktor Szakats 1279 and 1280 Core Infrastructure Initiative 1281 Mozilla Foundation (MOSS Track 3: Secure Open Source) 1282 Radically Open Security 1283 1284Release 2.2.0 Tue June 21 2016 1285 Security fixes: 1286 #537 CVE-2016-0718 -- Fix crash on malformed input 1287 CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 / 1288 CVE-2015-2716 introduced with Expat 2.1.1 1289 #499 CVE-2016-5300 -- Use more entropy for hash initialization 1290 than the original fix to CVE-2012-0876 1291 #519 CVE-2012-6702 -- Resolve troublesome internal call to srand 1292 that was introduced with Expat 2.1.0 1293 when addressing CVE-2012-0876 (issue #496) 1294 1295 Bug fixes: 1296 Fix uninitialized reads of size 1 1297 (e.g. in little2_updatePosition) 1298 Fix detection of UTF-8 character boundaries 1299 1300 Other changes: 1301 #532 Fix compilation for Visual Studio 2010 (keyword "C99") 1302 Autotools: Resolve use of "$<" to better support bmake 1303 Autotools: Add QA script "qa.sh" (and make target "qa") 1304 Autotools: Respect CXXFLAGS if given 1305 Autotools: Fix "make run-xmltest" 1306 Autotools: Have "make run-xmltest" check for expected output 1307 p90 CMake: Fix static build (BUILD_shared=OFF) on Windows 1308 #536 CMake: Add soversion, support -DNO_SONAME=yes to bypass 1309 #323 CMake: Add suffix "d" to differentiate debug from release 1310 CMake: Define WIN32 with CMake on Windows 1311 Annotate memory allocators for GCC 1312 Address all currently known compile warnings 1313 Make sure that API symbols remain visible despite 1314 -fvisibility=hidden 1315 Remove executable flag from source files 1316 Resolve COMPILED_FROM_DSP in favor of WIN32 1317 1318 Special thanks to: 1319 Björn Lindahl 1320 Christian Heimes 1321 Cristian Rodríguez 1322 Daniel Krügler 1323 Gustavo Grieco 1324 Karl Waclawek 1325 László Böszörményi 1326 Marco Grassi 1327 Pascal Cuoq 1328 Sergei Nikulov 1329 Thomas Beutlich 1330 Warren Young 1331 Yann Droneaud 1332 1333Release 2.1.1 Sat March 12 2016 1334 Security fixes: 1335 #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer 1336 1337 Bug fixes: 1338 #502: Fix potential null pointer dereference 1339 #520: Symbol XML_SetHashSalt was not exported 1340 Output of "xmlwf -h" was incomplete 1341 1342 Other changes: 1343 #503: Document behavior of calling XML_SetHashSalt with salt 0 1344 Minor improvements to man page xmlwf(1) 1345 Improvements to the experimental CMake build system 1346 libtool now invoked with --verbose 1347 1348Release 2.1.0 Sat March 24 2012 1349 - Security fixes: 1350 #2958794: CVE-2012-1148 - Memory leak in poolGrow. 1351 #2895533: CVE-2012-1147 - Resource leak in readfilemap.c. 1352 #3496608: CVE-2012-0876 - Hash DOS attack. 1353 #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8(). 1354 #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences. 1355 - Bug Fixes: 1356 #1742315: Harmful XML_ParserCreateNS suggestion. 1357 #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3. 1358 #1983953, 2517952, 2517962, 2649838: 1359 Build modifications using autoreconf instead of buildconf.sh. 1360 #2815947, #2884086: OBJEXT and EXEEXT support while building. 1361 #2517938: xmlwf should return non-zero exit status if not well-formed. 1362 #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml. 1363 #2855609: Dangling positionPtr after error. 1364 #2990652: CMake support. 1365 #3010819: UNEXPECTED_STATE with a trailing "%" in entity value. 1366 #3206497: Uninitialized memory returned from XML_Parse. 1367 #3287849: make check fails on mingw-w64. 1368 - Patches: 1369 #1749198: pkg-config support. 1370 #3010222: Fix for bug #3010819. 1371 #3312568: CMake support. 1372 #3446384: Report byte offsets for attr names and values. 1373 - New Features / API changes: 1374 Added new API member XML_SetHashSalt() that allows setting an initial 1375 value (salt) for hash calculations. This is part of the fix for 1376 bug #3496608 to randomize hash parameters. 1377 When compiled with XML_ATTR_INFO defined, adds new API member 1378 XML_GetAttributeInfo() that allows retrieving the byte 1379 offsets for attribute names and values (patch #3446384). 1380 Added CMake build system. 1381 See bug #2990652 and patch #3312568. 1382 Added run-benchmark target to Makefile.in - relies on testdata module 1383 present in the same relative location as in the repository. 1384 1385Release 2.0.1 Tue June 5 2007 1386 - Fixed bugs #1515266, #1515600: The character data handler's calling 1387 of XML_StopParser() was not handled properly; if the parser was 1388 stopped and the handler set to NULL, the parser would segfault. 1389 - Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed 1390 some character constants to be ASCII encoded. 1391 - Minor cleanups of the test harness. 1392 - Fixed xmlwf bug #1513566: "out of memory" error on file size zero. 1393 - Fixed outline.c bug #1543233: missing a final XML_ParserFree() call. 1394 - Fixes and improvements for Windows platform: 1395 bugs #1409451, #1476160, #1548182, #1602769, #1717322. 1396 - Build fixes for various platforms: 1397 HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180. 1398 All Unix: #1554618 (refreshed config.sub/config.guess). 1399 #1490371, #1613457: support both, DESTDIR and INSTALL_ROOT, 1400 without relying on GNU-Make specific features. 1401 #1647805: Patched configure.in to work better with Intel compiler. 1402 - Fixes to Makefile.in to have make check work correctly: 1403 bugs #1408143, #1535603, #1536684. 1404 - Added Open Watcom support: patch #1523242. 1405 1406Release 2.0.0 Wed Jan 11 2006 1407 - We no longer use the "check" library for C unit testing; we 1408 always use the (partial) internal implementation of the API. 1409 - Report XML_NS setting via XML_GetFeatureList(). 1410 - Fixed headers for use from C++. 1411 - XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber() 1412 now return unsigned integers. 1413 - Added XML_LARGE_SIZE switch to enable 64-bit integers for 1414 byte indexes and line/column numbers. 1415 - Updated to use libtool 1.5.22 (the most recent). 1416 - Added support for AmigaOS. 1417 - Some mostly minor bug fixes. SF issues include: #1006708, 1418 #1021776, #1023646, #1114960, #1156398, #1221160, #1271642. 1419 1420Release 1.95.8 Fri Jul 23 2004 1421 - Major new feature: suspend/resume. Handlers can now request 1422 that a parse be suspended for later resumption or aborted 1423 altogether. See "Temporarily Stopping Parsing" in the 1424 documentation for more details. 1425 - Some mostly minor bug fixes, but compilation should no 1426 longer generate warnings on most platforms. SF issues 1427 include: #827319, #840173, #846309, #888329, #896188, #923913, 1428 #928113, #961698, #985192. 1429 1430Release 1.95.7 Mon Oct 20 2003 1431 - Fixed enum XML_Status issue (reported on SourceForge many 1432 times), so compilers that are properly picky will be happy. 1433 - Introduced an XMLCALL macro to control the calling 1434 convention used by the Expat API; this macro should be used 1435 to annotate prototypes and definitions of callback 1436 implementations in code compiled with a calling convention 1437 other than the default convention for the host platform. 1438 - Improved ability to build without the configure-generated 1439 expat_config.h header. This is useful for applications 1440 which embed Expat rather than linking in the library. 1441 - Fixed a variety of bugs: see SF issues #458907, #609603, 1442 #676844, #679754, #692878, #692964, #695401, #699323, #699487, 1443 #820946. 1444 - Improved hash table lookups. 1445 - Added more regression tests and improved documentation. 1446 1447Release 1.95.6 Tue Jan 28 2003 1448 - Added XML_FreeContentModel(). 1449 - Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree(). 1450 - Fixed a variety of bugs: see SF issues #615606, #616863, 1451 #618199, #653180, #673791. 1452 - Enhanced the regression test suite. 1453 - Man page improvements: includes SF issue #632146. 1454 1455Release 1.95.5 Fri Sep 6 2002 1456 - Added XML_UseForeignDTD() for improved SAX2 support. 1457 - Added XML_GetFeatureList(). 1458 - Defined XML_Bool type and the values XML_TRUE and XML_FALSE. 1459 - Use an incomplete struct instead of a void* for the parser 1460 (may not retain). 1461 - Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected. 1462 - Finally fixed bug where default handler would report DTD 1463 events that were already handled by another handler. 1464 Initial patch contributed by Darryl Miles. 1465 - Removed unnecessary DllMain() function that caused static 1466 linking into a DLL to be difficult. 1467 - Added VC++ projects for building static libraries. 1468 - Reduced line-length for all source code and headers to be 1469 no longer than 80 characters, to help with AS/400 support. 1470 - Reduced memory copying during parsing (SF patch #600964). 1471 - Fixed a variety of bugs: see SF issues #580793, #434664, 1472 #483514, #580503, #581069, #584041, #584183, #584832, #585537, 1473 #596555, #596678, #598352, #598944, #599715, #600479, #600971. 1474 1475Release 1.95.4 Fri Jul 12 2002 1476 - Added support for VMS, contributed by Craig Berry. See 1477 vms/README.vms for more information. 1478 - Added Mac OS (classic) support, with a makefile for MPW, 1479 contributed by Thomas Wegner and Daryle Walker. 1480 - Added Borland C++ Builder 5 / BCC 5.5 support, contributed 1481 by Patrick McConnell (SF patch #538032). 1482 - Fixed a variety of bugs: see SF issues #441449, #563184, 1483 #564342, #566334, #566901, #569461, #570263, #575168, #579196. 1484 - Made skippedEntityHandler conform to SAX2 (see source comment) 1485 - Re-implemented WFC: Entity Declared from XML 1.0 spec and 1486 added a new error "entity declared in parameter entity": 1487 see SF bug report #569461 and SF patch #578161 1488 - Re-implemented section 5.1 from XML 1.0 spec: 1489 see SF bug report #570263 and SF patch #578161 1490 1491Release 1.95.3 Mon Jun 3 2002 1492 - Added a project to the MSVC workspace to create a wchar_t 1493 version of the library; the DLLs are named libexpatw.dll. 1494 - Changed the name of the Windows DLLs from expat.dll to 1495 libexpat.dll; this fixes SF bug #432456. 1496 - Added the XML_ParserReset() API function. 1497 - Fixed XML_SetReturnNSTriplet() to work for element names. 1498 - Made the XML_UNICODE builds usable (thanks, Karl!). 1499 - Allow xmlwf to read from standard input. 1500 - Install a man page for xmlwf on Unix systems. 1501 - Fixed many bugs; see SF bug reports #231864, #461380, #464837, 1502 #466885, #469226, #477667, #484419, #487840, #494749, #496505, 1503 #547350. Other bugs which we can't test as easily may also 1504 have been fixed, especially in the area of build support. 1505 1506Release 1.95.2 Fri Jul 27 2001 1507 - More changes to make MSVC happy with the build; add a single 1508 workspace to support both the library and xmlwf application. 1509 - Added a Windows installer for Windows users; includes 1510 xmlwf.exe. 1511 - Added compile-time constants that can be used to determine the 1512 Expat version 1513 - Removed a lot of GNU-specific dependencies to aide portability 1514 among the various Unix flavors. 1515 - Fix the UTF-8 BOM bug. 1516 - Cleaned up warning messages for several compilers. 1517 - Added the -Wall, -Wstrict-prototypes options for GCC. 1518 1519Release 1.95.1 Sun Oct 22 15:11:36 EDT 2000 1520 - Changes to get expat to build under Microsoft compiler 1521 - Removed all aborts and instead return an UNEXPECTED_STATE error. 1522 - Fixed a bug where a stray '%' in an entity value would cause an 1523 abort. 1524 - Defined XML_SetEndNamespaceDeclHandler. Thanks to Darryl Miles for 1525 finding this oversight. 1526 - Changed default patterns in lib/Makefile.in to fit non-GNU makes 1527 Thanks to robin@unrated.net for reporting and providing an 1528 account to test on. 1529 - The reference had the wrong label for XML_SetStartNamespaceDecl. 1530 Reported by an anonymous user. 1531 1532Release 1.95.0 Fri Sep 29 2000 1533 - XML_ParserCreate_MM 1534 Allows you to set a memory management suite to replace the 1535 standard malloc,realloc, and free. 1536 - XML_SetReturnNSTriplet 1537 If you turn this feature on when namespace processing is in 1538 effect, then qualified, prefixed element and attribute names 1539 are returned as "uri|name|prefix" where '|' is whatever 1540 separator character is used in namespace processing. 1541 - Merged in features from perl-expat 1542 o XML_SetElementDeclHandler 1543 o XML_SetAttlistDeclHandler 1544 o XML_SetXmlDeclHandler 1545 o XML_SetEntityDeclHandler 1546 o StartDoctypeDeclHandler takes 3 additional parameters: 1547 sysid, pubid, has_internal_subset 1548 o Many paired handler setters (like XML_SetElementHandler) 1549 now have corresponding individual handler setters 1550 o XML_GetInputContext for getting the input context of 1551 the current parse position. 1552 - Added reference material 1553 - Packaged into a distribution that builds a sharable library 1554