Changes 73 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468
  1. __ __ _
  2. ___\ \/ /_ __ __ _| |_
  3. / _ \\ /| '_ \ / _` | __|
  4. | __// \| |_) | (_| | |_
  5. \___/_/\_\ .__/ \__,_|\__|
  6. |_| XML parser
  7. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  8. !! <blink>Expat is UNDERSTAFFED and WITHOUT FUNDING.</blink> !!
  9. !! ~~~~~~~~~~~~ !!
  10. !! The following topics need *additional skilled C developers* to progress !!
  11. !! in a timely manner or at all (loosely ordered by descending priority): !!
  12. !! !!
  13. !! - <blink>fixing a complex non-public security issue</blink>, !!
  14. !! - teaming up on researching and fixing future security reports and !!
  15. !! ClusterFuzz findings with few-days-max response times in communication !!
  16. !! in order to (1) have a sound fix ready before the end of a 90 days !!
  17. !! grace period and (2) in a sustainable manner, !!
  18. !! - implementing and auto-testing XML 1.0r5 support !!
  19. !! (needs discussion before pull requests), !!
  20. !! - smart ideas on fixing the Autotools CMake files generation issue !!
  21. !! without breaking CI (needs discussion before pull requests), !!
  22. !! - the Windows binaries topic (needs requirements engineering first), !!
  23. !! - pushing migration from `int` to `size_t` further !!
  24. !! including edge-cases test coverage (needs discussion before anything). !!
  25. !! !!
  26. !! For details, please reach out via e-mail to sebastian@pipping.org so we !!
  27. !! can schedule a voice call on the topic, in English or German. !!
  28. !! !!
  29. !! THANK YOU! Sebastian Pipping -- Berlin, 2024-03-09 !!
  30. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  31. Release 2.6.2 Wed March 13 2024
  32. Security fixes:
  33. #839 #842 CVE-2024-28757 -- Prevent billion laughs attacks with
  34. isolated use of external parsers. Please see the commit
  35. message of commit 1d50b80cf31de87750103656f6eb693746854aa8
  36. for details.
  37. Bug fixes:
  38. #839 #841 Reject direct parameter entity recursion
  39. and avoid the related undefined behavior
  40. Other changes:
  41. #847 Autotools: Fix build for DOCBOOK_TO_MAN containing spaces
  42. #837 Add missing #821 and #824 to 2.6.1 change log
  43. #838 #843 Version info bumped from 10:1:9 (libexpat*.so.1.9.1)
  44. to 10:2:9 (libexpat*.so.1.9.2); see https://verbump.de/
  45. for what these numbers do
  46. Special thanks to:
  47. Philippe Antoine
  48. Tomas Korbar
  49. and
  50. Clang UndefinedBehaviorSanitizer
  51. OSS-Fuzz / ClusterFuzz
  52. Release 2.6.1 Thu February 29 2024
  53. Bug fixes:
  54. #817 Make tests independent of CPU speed, and thus more robust
  55. #828 #836 Expose billion laughs API with XML_DTD defined and
  56. XML_GE undefined, regression from 2.6.0
  57. Other changes:
  58. #829 Hide test-only code behind new internal macro
  59. #833 Autotools: Reject expat_config.h.in defining SIZEOF_VOID_P
  60. #821 #824 Autotools: Fix "make clean" for case:
  61. ./configure --without-docbook && make clean all
  62. #819 Address compiler warnings
  63. #832 #834 Version info bumped from 10:0:9 (libexpat*.so.1.9.0)
  64. to 10:1:9 (libexpat*.so.1.9.1); see https://verbump.de/
  65. for what these numbers do
  66. Infrastructure:
  67. #818 CI: Adapt to breaking changes in clang-format
  68. Special thanks to:
  69. David Hall
  70. Snild Dolkow
  71. Release 2.6.0 Tue February 6 2024
  72. Security fixes:
  73. #789 #814 CVE-2023-52425 -- Fix quadratic runtime issues with big tokens
  74. that can cause denial of service, in partial where
  75. dealing with compressed XML input. Applications
  76. that parsed a document in one go -- a single call to
  77. functions XML_Parse or XML_ParseBuffer -- were not affected.
  78. The smaller the chunks/buffers you use for parsing
  79. previously, the bigger the problem prior to the fix.
  80. Backporters should be careful to no omit parts of
  81. pull request #789 and to include earlier pull request #771,
  82. in order to not break the fix.
  83. #777 CVE-2023-52426 -- Fix billion laughs attacks for users
  84. compiling *without* XML_DTD defined (which is not common).
  85. Users with XML_DTD defined have been protected since
  86. Expat >=2.4.0 (and that was CVE-2013-0340 back then).
  87. Bug fixes:
  88. #753 Fix parse-size-dependent "invalid token" error for
  89. external entities that start with a byte order mark
  90. #780 Fix NULL pointer dereference in setContext via
  91. XML_ExternalEntityParserCreate for compilation with
  92. XML_DTD undefined
  93. #812 #813 Protect against closing entities out of order
  94. Other changes:
  95. #723 Improve support for arc4random/arc4random_buf
  96. #771 #788 Improve buffer growth in XML_GetBuffer and XML_Parse
  97. #761 #770 xmlwf: Support --help and --version
  98. #759 #770 xmlwf: Support custom buffer size for XML_GetBuffer and read
  99. #744 xmlwf: Improve language and URL clickability in help output
  100. #673 examples: Add new example "element_declarations.c"
  101. #764 Be stricter about macro XML_CONTEXT_BYTES at build time
  102. #765 Make inclusion to expat_config.h consistent
  103. #726 #727 Autotools: configure.ac: Support --disable-maintainer-mode
  104. #678 #705 ..
  105. #706 #733 #792 Autotools: Sync CMake templates with CMake 3.26
  106. #795 Autotools: Make installation of shipped man page doc/xmlwf.1
  107. independent of docbook2man availability
  108. #815 Autotools|CMake: Add missing -DXML_STATIC to pkg-config file
  109. section "Cflags.private" in order to fix compilation
  110. against static libexpat using pkg-config on Windows
  111. #724 #751 Autotools|CMake: Require a C99 compiler
  112. (a de-facto requirement already since Expat 2.2.2 of 2017)
  113. #793 Autotools|CMake: Fix PACKAGE_BUGREPORT variable
  114. #750 #786 Autotools|CMake: Make test suite require a C++11 compiler
  115. #749 CMake: Require CMake >=3.5.0
  116. #672 CMake: Lowercase off_t and size_t to help a bug in Meson
  117. #746 CMake: Sort xmlwf sources alphabetically
  118. #785 CMake|Windows: Fix generation of DLL file version info
  119. #790 CMake: Build tests/benchmark/benchmark.c as well for
  120. a build with -DEXPAT_BUILD_TESTS=ON
  121. #745 #757 docs: Document the importance of isFinal + adjust tests
  122. accordingly
  123. #736 docs: Improve use of "NULL" and "null"
  124. #713 docs: Be specific about version of XML (XML 1.0r4)
  125. and version of C (C99); (XML 1.0r5 will need a sponsor.)
  126. #762 docs: reference.html: Promote function XML_ParseBuffer more
  127. #779 docs: reference.html: Add HTML anchors to XML_* macros
  128. #760 docs: reference.html: Upgrade to OK.css 1.2.0
  129. #763 #739 docs: Fix typos
  130. #696 docs|CI: Use HTTPS URLs instead of HTTP at various places
  131. #669 #670 ..
  132. #692 #703 ..
  133. #733 #772 Address compiler warnings
  134. #798 #800 Address clang-tidy warnings
  135. #775 #776 Version info bumped from 9:10:8 (libexpat*.so.1.8.10)
  136. to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/
  137. for what these numbers do
  138. Infrastructure:
  139. #700 #701 docs: Document security policy in file SECURITY.md
  140. #766 docs: Improve parse buffer variables in-code documentation
  141. #674 #738 ..
  142. #740 #747 ..
  143. #748 #781 #782 Refactor coverage and conformance tests
  144. #714 #716 Refactor debug level variables to unsigned long
  145. #671 Improve handling of empty environment variable value
  146. in function getDebugLevel (without visible user effect)
  147. #755 #774 ..
  148. #758 #783 ..
  149. #784 #787 tests: Improve test coverage with regard to parse chunk size
  150. #660 #797 #801 Fuzzing: Improve fuzzing coverage
  151. #367 #799 Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests
  152. #698 #721 CI: Resolve some Travis CI leftovers
  153. #669 CI: Be robust towards absence of Git tags
  154. #693 #694 CI: Set permissions to "contents: read" for security
  155. #709 CI: Pin all GitHub Actions to specific commits for security
  156. #739 CI: Reject spelling errors using codespell
  157. #798 CI: Enforce clang-tidy clean code
  158. #773 #808 ..
  159. #809 #810 CI: Upgrade Clang from 15 to 18
  160. #796 CI: Start using Clang's Control Flow Integrity sanitizer
  161. #675 #720 #722 CI: Adapt to breaking changes in GitHub Actions Ubuntu images
  162. #689 CI: Adapt to breaking changes in Clang/LLVM Debian packaging
  163. #763 CI: Adapt to breaking changes in codespell
  164. #803 CI: Adapt to breaking changes in Cppcheck
  165. Special thanks to:
  166. Ivan Galkin
  167. Joyce Brum
  168. Philippe Antoine
  169. Rhodri James
  170. Snild Dolkow
  171. spookyahell
  172. Steven Garske
  173. and
  174. Clang AddressSanitizer
  175. Clang UndefinedBehaviorSanitizer
  176. codespell
  177. GCC Farm Project
  178. OSS-Fuzz
  179. Sony Mobile
  180. Release 2.5.0 Tue October 25 2022
  181. Security fixes:
  182. #616 #649 #650 CVE-2022-43680 -- Fix heap use-after-free after overeager
  183. destruction of a shared DTD in function
  184. XML_ExternalEntityParserCreate in out-of-memory situations.
  185. Expected impact is denial of service or potentially
  186. arbitrary code execution.
  187. Bug fixes:
  188. #612 #645 Fix corruption from undefined entities
  189. #613 #654 Fix case when parsing was suspended while processing nested
  190. entities
  191. #616 #652 #653 Stop leaking opening tag bindings after a closing tag
  192. mismatch error where a parser is reset through
  193. XML_ParserReset and then reused to parse
  194. #656 CMake: Fix generation of pkg-config file
  195. #658 MinGW|CMake: Fix static library name
  196. Other changes:
  197. #663 Protect header expat_config.h from multiple inclusion
  198. #666 examples: Make use of XML_GetBuffer and be more
  199. consistent across examples
  200. #648 Address compiler warnings
  201. #667 #668 Version info bumped from 9:9:8 to 9:10:8;
  202. see https://verbump.de/ for what these numbers do
  203. Special thanks to:
  204. Jann Horn
  205. Mark Brand
  206. Osyotr
  207. Rhodri James
  208. and
  209. Google Project Zero
  210. Release 2.4.9 Tue September 20 2022
  211. Security fixes:
  212. #629 #640 CVE-2022-40674 -- Heap use-after-free vulnerability in
  213. function doContent. Expected impact is denial of service
  214. or potentially arbitrary code execution.
  215. Bug fixes:
  216. #634 MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0
  217. #614 docs: Fix documentation on effect of switch XML_DTD on
  218. symbol visibility in doc/reference.html
  219. Other changes:
  220. #638 MinGW: Make fix-xmltest-log.sh drop more Wine bug output
  221. #596 #625 Autotools: Sync CMake templates with CMake 3.22
  222. #608 CMake: Migrate from use of CMAKE_*_POSTFIX to
  223. dedicated variables EXPAT_*_POSTFIX to stop affecting
  224. other projects
  225. #597 #599 Windows|CMake: Add missing -DXML_STATIC to test runners
  226. and fuzzers
  227. #512 #621 Windows|CMake: Render .def file from a template to fix
  228. linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON
  229. #611 #621 MinGW|CMake: Apply MSVC .def file when linking
  230. #622 #624 MinGW|CMake: Sync library name with GNU Autotools,
  231. i.e. produce libexpat-1.dll rather than libexpat.dll
  232. by default. Filename libexpat.dll.a is unaffected.
  233. #632 MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in
  234. toolchain file "cmake/mingw-toolchain.cmake" to avoid
  235. error "windres: Command not found" on e.g. Ubuntu 20.04
  236. #597 #627 CMake: Unify inconsistent use of set() and option() in
  237. context of public build time options to take need for
  238. set(.. FORCE) in projects using Expat by means of
  239. add_subdirectory(..) off Expat's users' shoulders
  240. #626 #641 Stop exporting API symbols when building a static library
  241. #644 Resolve use of deprecated "fgrep" by "grep -F"
  242. #620 CMake: Make documentation on variables a bit more consistent
  243. #636 CMake: Drop leading whitespace from a #cmakedefine line in
  244. file expat_config.h.cmake
  245. #594 xmlwf: Fix harmless variable mix-up in function nsattcmp
  246. #592 #593 #610 Address Cppcheck warnings
  247. #643 Address Clang 15 compiler warnings
  248. #642 #644 Version info bumped from 9:8:8 to 9:9:8;
  249. see https://verbump.de/ for what these numbers do
  250. Infrastructure:
  251. #597 #598 CI: Windows: Start covering MSVC 2022
  252. #619 CI: macOS: Migrate off deprecated macOS 10.15
  253. #632 CI: Linux: Make migration off deprecated Ubuntu 18.04 work
  254. #643 CI: Upgrade Clang from 14 to 15
  255. #637 apply-clang-format.sh: Add support for BSD find
  256. #633 coverage.sh: Exclude MinGW headers
  257. #635 coverage.sh: Fix name collision for -funsigned-char
  258. Special thanks to:
  259. David Faure
  260. Felix Wilhelm
  261. Frank Bergmann
  262. Rhodri James
  263. Rosen Penev
  264. Thijs Schreijer
  265. Vincent Torri
  266. and
  267. Google Project Zero
  268. Release 2.4.8 Mon March 28 2022
  269. Other changes:
  270. #587 pkg-config: Move "-lm" to section "Libs.private"
  271. #587 CMake|MSVC: Fix pkg-config section "Libs"
  272. #55 #582 CMake|macOS: Start using linker arguments
  273. "-compatibility_version <version>" and
  274. "-current_version <version>" in a way compatible with
  275. GNU Libtool
  276. #590 #591 Version info bumped from 9:7:8 to 9:8:8;
  277. see https://verbump.de/ for what these numbers do
  278. Infrastructure:
  279. #589 CI: Upgrade Clang from 13 to 14
  280. Special thanks to:
  281. evpobr
  282. Kai Pastor
  283. Sam James
  284. Release 2.4.7 Fri March 4 2022
  285. Bug fixes:
  286. #572 #577 Relax fix to CVE-2022-25236 (introduced with release 2.4.5)
  287. with regard to all valid URI characters (RFC 3986),
  288. i.e. the following set (excluding whitespace):
  289. ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz
  290. 0123456789 % -._~ :/?#[]@ !$&'()*+,;=
  291. Other changes:
  292. #555 #570 #581 CMake|Windows: Store Expat version in the DLL
  293. #577 Document consequences of namespace separator choices not just
  294. in doc/reference.html but also in header <expat.h>
  295. #577 Document Expat's lack of validation of namespace URIs against
  296. RFC 3986, and that the XML 1.0r4 specification doesn't
  297. require Expat to validate namespace URIs, and that Expat
  298. may do more in that regard in future releases.
  299. If you find need for strict RFC 3986 URI validation on
  300. application level today, https://uriparser.github.io/ may
  301. be of interest.
  302. #579 Fix documentation of XML_EndDoctypeDeclHandler in <expat.h>
  303. #575 Document that a call to XML_FreeContentModel can be done at
  304. a later time from outside the element declaration handler
  305. #574 Make hardcoded namespace URIs easier to find in code
  306. #573 Update documentation on use of XML_POOR_ENTOPY on Solaris
  307. #569 #571 tests: Resolve use of macros NAN and INFINITY for GNU G++
  308. 4.8.2 on Solaris.
  309. #578 #580 Version info bumped from 9:6:8 to 9:7:8;
  310. see https://verbump.de/ for what these numbers do
  311. Special thanks to:
  312. Jeffrey Walton
  313. Johnny Jazeix
  314. Thijs Schreijer
  315. Release 2.4.6 Sun February 20 2022
  316. Bug fixes:
  317. #566 Fix a regression introduced by the fix for CVE-2022-25313
  318. in release 2.4.5 that affects applications that (1)
  319. call function XML_SetElementDeclHandler and (2) are
  320. parsing XML that contains nested element declarations
  321. (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>").
  322. Other changes:
  323. #567 #568 Version info bumped from 9:5:8 to 9:6:8;
  324. see https://verbump.de/ for what these numbers do
  325. Special thanks to:
  326. Matt Sergeant
  327. Samanta Navarro
  328. Sergei Trofimovich
  329. and
  330. NixOS
  331. Perl XML::Parser
  332. Release 2.4.5 Fri February 18 2022
  333. Security fixes:
  334. #562 CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
  335. sequences (e.g. from start tag names) to the XML
  336. processing application on top of Expat can cause
  337. arbitrary damage (e.g. code execution) depending
  338. on how invalid UTF-8 is handled inside the XML
  339. processor; validation was not their job but Expat's.
  340. Exploits with code execution are known to exist.
  341. #561 CVE-2022-25236 -- Passing (one or more) namespace separator
  342. characters in "xmlns[:prefix]" attribute values
  343. made Expat send malformed tag names to the XML
  344. processor on top of Expat which can cause
  345. arbitrary damage (e.g. code execution) depending
  346. on such unexpectable cases are handled inside the XML
  347. processor; validation was not their job but Expat's.
  348. Exploits with code execution are known to exist.
  349. #558 CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
  350. that could be triggered by e.g. a 2 megabytes
  351. file with a large number of opening braces.
  352. Expected impact is denial of service or potentially
  353. arbitrary code execution.
  354. #560 CVE-2022-25314 -- Fix integer overflow in function copyString;
  355. only affects the encoding name parameter at parser creation
  356. time which is often hardcoded (rather than user input),
  357. takes a value in the gigabytes to trigger, and a 64-bit
  358. machine. Expected impact is denial of service.
  359. #559 CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
  360. needs input in the gigabytes and a 64-bit machine.
  361. Expected impact is denial of service or potentially
  362. arbitrary code execution.
  363. Other changes:
  364. #557 #564 Version info bumped from 9:4:8 to 9:5:8;
  365. see https://verbump.de/ for what these numbers do
  366. Special thanks to:
  367. Ivan Fratric
  368. Samanta Navarro
  369. and
  370. Google Project Zero
  371. JetBrains
  372. Release 2.4.4 Sun January 30 2022
  373. Security fixes:
  374. #550 CVE-2022-23852 -- Fix signed integer overflow
  375. (undefined behavior) in function XML_GetBuffer
  376. (that is also called by function XML_Parse internally)
  377. for when XML_CONTEXT_BYTES is defined to >0 (which is both
  378. common and default).
  379. Impact is denial of service or more.
  380. #551 CVE-2022-23990 -- Fix unsigned integer overflow in function
  381. doProlog triggered by large content in element type
  382. declarations when there is an element declaration handler
  383. present (from a prior call to XML_SetElementDeclHandler).
  384. Impact is denial of service or more.
  385. Bug fixes:
  386. #544 #545 xmlwf: Fix a memory leak on output file opening error
  387. Other changes:
  388. #546 Autotools: Fix broken CMake support under Cygwin
  389. #554 Windows: Add missing files to the installer to fix
  390. compilation with CMake from installed sources
  391. #552 #554 Version info bumped from 9:3:8 to 9:4:8;
  392. see https://verbump.de/ for what these numbers do
  393. Special thanks to:
  394. Carlo Bramini
  395. hwt0415
  396. Roland Illig
  397. Samanta Navarro
  398. and
  399. Clang LeakSan and the Clang team
  400. Release 2.4.3 Sun January 16 2022
  401. Security fixes:
  402. #531 #534 CVE-2021-45960 -- Fix issues with left shifts by >=29 places
  403. resulting in
  404. a) realloc acting as free
  405. b) realloc allocating too few bytes
  406. c) undefined behavior
  407. depending on architecture and precise value
  408. for XML documents with >=2^27+1 prefixed attributes
  409. on a single XML tag a la
  410. "<r xmlns:a='[..]' a:a123='[..]' [..] />"
  411. where XML_ParserCreateNS is used to create the parser
  412. (which needs argument "-n" when running xmlwf).
  413. Impact is denial of service, or more.
  414. #532 #538 CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
  415. on variable m_groupSize in function doProlog leading
  416. to realloc acting as free.
  417. Impact is denial of service or more.
  418. #539 CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
  419. near memory allocation at multiple places. Mitre assigned
  420. a dedicated CVE for each involved internal C function:
  421. - CVE-2022-22822 for function addBinding
  422. - CVE-2022-22823 for function build_model
  423. - CVE-2022-22824 for function defineAttribute
  424. - CVE-2022-22825 for function lookup
  425. - CVE-2022-22826 for function nextScaffoldPart
  426. - CVE-2022-22827 for function storeAtts
  427. Impact is denial of service or more.
  428. Other changes:
  429. #535 CMake: Make call to file(GENERATE [..]) work for CMake <3.19
  430. #541 Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin
  431. and MSYS2 by not going through Wine on these platforms
  432. #527 #528 Address compiler warnings
  433. #533 #543 Version info bumped from 9:2:8 to 9:3:8;
  434. see https://verbump.de/ for what these numbers do
  435. Infrastructure:
  436. #536 CI: Check for realistic minimum CMake version
  437. #529 #539 CI: Cover compilation with -m32
  438. #529 CI: Store coverage reports as artifacts for download
  439. #528 CI: Upgrade Clang from 11 to 13
  440. Special thanks to:
  441. An anonymous whitehat
  442. Christopher Degawa
  443. J. Peter Mugaas
  444. Tyson Smith
  445. and
  446. GCC Farm Project
  447. Trend Micro Zero Day Initiative
  448. Release 2.4.2 Sun December 19 2021
  449. Other changes:
  450. #509 #510 Link againgst libm for function "isnan"
  451. #513 #514 Include expat_config.h as early as possible
  452. #498 Autotools: Include files with release archives:
  453. - buildconf.sh
  454. - fuzz/*.c
  455. #507 #519 Autotools: Sync CMake templates with CMake 3.20
  456. #495 #524 CMake: MinGW: Fix pkg-config section "Libs" for
  457. - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug)
  458. - multi-config CMake generators (e.g. Ninja Multi-Config)
  459. #502 #503 docs: Document that function XML_GetBuffer may return NULL
  460. when asking for a buffer of 0 (zero) bytes size
  461. #522 #523 docs: Fix return value docs for both
  462. XML_SetBillionLaughsAttackProtection* functions
  463. #525 #526 Version info bumped from 9:1:8 to 9:2:8;
  464. see https://verbump.de/ for what these numbers do
  465. Special thanks to:
  466. Donghee Na
  467. Joergen Ibsen
  468. Kai Pastor
  469. Release 2.4.1 Sun May 23 2021
  470. Bug fixes:
  471. #488 #490 Autotools: Fix installed header expat_config.h for multilib
  472. systems; regression introduced in 2.4.0 by pull request #486
  473. Other changes:
  474. #491 #492 Version info bumped from 9:0:8 to 9:1:8;
  475. see https://verbump.de/ for what these numbers do
  476. Special thanks to:
  477. Gentoo's QA check "multilib_check_headers"
  478. Release 2.4.0 Sun May 23 2021
  479. Security fixes:
  480. #34 #466 #484 CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
  481. (denial-of-service; flavors targeting CPU time or RAM or both,
  482. leveraging general entities or parameter entities or both)
  483. by tracking and limiting the input amplification factor
  484. (<amplification> := (<direct> + <indirect>) / <direct>).
  485. By conservative default, amplification up to a factor of 100.0
  486. is tolerated and rejection only starts after 8 MiB of output bytes
  487. (=<direct> + <indirect>) have been processed.
  488. The fix adds the following to the API:
  489. - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to
  490. signals this specific condition.
  491. - Two new API functions ..
  492. - XML_SetBillionLaughsAttackProtectionMaximumAmplification and
  493. - XML_SetBillionLaughsAttackProtectionActivationThreshold
  494. .. to further tighten billion laughs protection parameters
  495. when desired. Please see file "doc/reference.html" for details.
  496. If you ever need to increase the defaults for non-attack XML
  497. payload, please file a bug report with libexpat.
  498. - Two new XML_FEATURE_* constants ..
  499. - that can be queried using the XML_GetFeatureList function, and
  500. - that are shown in "xmlwf -v" output.
  501. - Two new environment variable switches ..
  502. - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and
  503. - EXPAT_ENTITY_DEBUG=(0|1)
  504. .. for runtime debugging of accounting and entity processing.
  505. Specific behavior of these values may change in the future.
  506. - Two new command line arguments "-a FACTOR" and "-b BYTES"
  507. for xmlwf to further tighten billion laughs protection
  508. parameters when desired.
  509. If you ever need to increase the defaults for non-attack XML
  510. payload, please file a bug report with libexpat.
  511. Bug fixes:
  512. #332 #470 For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake)
  513. or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault
  514. for UTF-16 payloads containing CDATA sections.
  515. #485 #486 Autotools: Fix generated CMake files for non-64bit and
  516. non-Linux platforms (e.g. macOS and MinGW in particular)
  517. that were introduced with release 2.3.0
  518. Other changes:
  519. #468 #469 xmlwf: Improve help output and the xmlwf man page
  520. #463 xmlwf: Improve maintainability through some refactoring
  521. #477 xmlwf: Fix man page DocBook validity
  522. #456 Autotools: Sync CMake templates with CMake 3.18
  523. #458 #459 CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR
  524. and CMAKE_INSTALL_INCLUDEDIR
  525. #471 #481 CMake: Add support for standard variable BUILD_SHARED_LIBS
  526. #457 Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters
  527. #467 Resolve macro HAVE_EXPAT_CONFIG_H
  528. #472 Delete unused legacy helper file "conftools/PrintPath"
  529. #473 #483 Improve attribution
  530. #464 #465 #477 doc/reference.html: Fix XHTML validity
  531. #475 #478 doc/reference.html: Replace the 90s look by OK.css
  532. #479 Version info bumped from 8:0:7 to 9:0:8
  533. due to addition of new symbols and error codes;
  534. see https://verbump.de/ for what these numbers do
  535. Infrastructure:
  536. #456 CI: Enable periodic runs
  537. #457 CI: Start covering the list of exported symbols
  538. #474 CI: Isolate coverage task
  539. #476 #482 CI: Adapt to breaking changes in image "ubuntu-18.04"
  540. #477 CI: Cover well-formedness and DocBook/XHTML validity
  541. of doc/reference.html and doc/xmlwf.xml
  542. Special thanks to:
  543. Dimitry Andric
  544. Eero Helenius
  545. Nick Wellnhofer
  546. Rhodri James
  547. Tomas Korbar
  548. Yury Gribov
  549. and
  550. Clang LeakSan
  551. JetBrains
  552. OSS-Fuzz
  553. Release 2.3.0 Thu March 25 2021
  554. Bug fixes:
  555. #438 When calling XML_ParseBuffer without a prior successful call to
  556. XML_GetBuffer as a user, no longer trigger undefined behavior
  557. (by adding an integer to a NULL pointer) but rather return
  558. XML_STATUS_ERROR and set the error code to (new) code
  559. XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer)
  560. of Clang 11 (but not Clang 9).
  561. #444 xmlwf: Exit status 2 was used for both:
  562. - malformed input files (documented) and
  563. - invalid command-line arguments (undocumented).
  564. The case of invalid command-line arguments now
  565. has its own exit status 4, resolving the ambiguity.
  566. Other changes:
  567. #439 xmlwf: Add argument -k to allow continuing after
  568. non-fatal errors
  569. #439 xmlwf: Add section about exit status to the -h help output
  570. #422 #426 #447 Windows: Drop support for Visual Studio <=14.0/2015
  571. #434 Windows: CMake: Detect unsupported Visual Studio at
  572. configure time (rather than at compile time)
  573. #382 #428 testrunner: Make verbose mode (argument "-v") report
  574. about passed tests, and make default mode report about
  575. failures, as well.
  576. #442 CMake: Call "enable_language(CXX)" prior to tinkering
  577. with CMAKE_CXX_* variables
  578. #448 Document use of libexpat from a CMake-based project
  579. #451 Autotools: Install CMake files as generated by CMake 3.19.6
  580. so that users with "find_package(expat [..] CONFIG [..])"
  581. are served on distributions that are *not* using the CMake
  582. build system inside for libexpat packaging
  583. #436 #437 Autotools: Drop obsolescent macro AC_HEADER_STDC
  584. #450 #452 Autotools: Resolve use of obsolete macro AC_CONFIG_HEADER
  585. #441 Address compiler warnings
  586. #443 Version info bumped from 7:12:6 to 8:0:7
  587. due to addition of error code XML_ERROR_NO_BUFFER
  588. (see https://verbump.de/ for what these numbers do)
  589. Infrastructure:
  590. #435 #446 Replace Travis CI by GitHub Actions
  591. Special thanks to:
  592. Alexander Richardson
  593. Oleksandr Popovych
  594. Thomas Beutlich
  595. Tim Bray
  596. and
  597. Clang LeakSan, Clang 11 UBSan and the Clang team
  598. Release 2.2.10 Sat October 3 2020
  599. Bug fixes:
  600. #390 #395 #398 Fix undefined behavior during parsing caused by
  601. pointer arithmetic with NULL pointers
  602. #404 #405 Fix reading uninitialized variable during parsing
  603. #406 xmlwf: Add missing check for malloc NULL return
  604. Other changes:
  605. #396 Windows: Drop support for Visual Studio <=8.0/2005
  606. #409 Windows: Add missing file "Changes" to the installer
  607. to fix compilation with CMake from installed sources
  608. #403 xmlwf: Document exit codes in xmlwf manpage and
  609. exit with code 3 (rather than code 1) for output errors
  610. when used with "-d DIRECTORY"
  611. #356 #359 MinGW: Provide declaration of rand_s for mingwrt <5.3.0
  612. #383 #392 Autotools: Use -Werror while configure tests the compiler
  613. for supported compile flags to avoid false positives
  614. #383 #393 #394 Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS,
  615. e.g. ensure that they have the last word over flags added
  616. while running ./configure
  617. #360 CMake: Create libexpatw.{dll,so} and expatw.pc (with emphasis
  618. on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
  619. #360 CMake: Detect and deny unsupported build combinations
  620. involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
  621. #360 CMake: Install pre-compiled shipped xmlwf.1 manpage in case
  622. of -DEXPAT_BUILD_DOCS=OFF
  623. #375 #380 #419 CMake: Fix use of Expat by means of add_subdirectory
  624. #407 #408 CMake: Keep expat target name constant at "expat"
  625. (i.e. refrain from using the target name to control
  626. build artifact filenames)
  627. #385 CMake: Fix compilation with -DEXPAT_SHARED_LIBS=OFF for
  628. Windows
  629. CMake: Expose man page compilation as target "xmlwf-manpage"
  630. #413 #414 CMake: Introduce option EXPAT_BUILD_PKGCONFIG
  631. to control generation of pkg-config file "expat.pc"
  632. #424 CMake: Add minimalistic support for building binary packages
  633. with CMake target "package"; based on CPack
  634. #366 CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with
  635. default OFF to build fuzzer code against OSS-Fuzz and
  636. related environment variable LIB_FUZZING_ENGINE
  637. #354 Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF, each
  638. #354 #355 ..
  639. #356 #412 Address compiler warnings
  640. #368 #369 Address pngcheck warnings with doc/*.png images
  641. #425 Version info bumped from 7:11:6 to 7:12:6
  642. Special thanks to:
  643. asavah
  644. Ben Wagner
  645. Bhargava Shastry
  646. Frank Landgraf
  647. Jeffrey Walton
  648. Joe Orton
  649. Kleber Tarcísio
  650. Ma Lin
  651. Maciej Sroczyński
  652. Mohammed Khajapasha
  653. Vadim Zeitlin
  654. and
  655. Cppcheck 2.0 and the Cppcheck team
  656. Release 2.2.9 Wed September 25 2019
  657. Other changes:
  658. examples: Drop executable bits from elements.c
  659. #349 Windows: Change the name of the Windows DLLs from expat*.dll
  660. to libexpat*.dll once more (regression from 2.2.8, first
  661. fixed in 1.95.3, issue #61 on SourceForge today,
  662. was issue #432456 back then); needs a fix due
  663. case-insensitive file systems on Windows and the fact that
  664. Perl's XML::Parser::Expat compiles into Expat.dll.
  665. #347 Windows: Only define _CRT_RAND_S if not defined
  666. Version info bumped from 7:10:6 to 7:11:6
  667. Special thanks to:
  668. Ben Wagner
  669. Release 2.2.8 Fri September 13 2019
  670. Security fixes:
  671. #317 #318 CVE-2019-15903 -- Fix heap overflow triggered by
  672. XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber),
  673. and deny internal entities closing the doctype;
  674. fixed in commit c20b758c332d9a13afbbb276d30db1d183a85d43
  675. Bug fixes:
  676. #240 Fix cases where XML_StopParser did not have any effect
  677. when called from inside of an end element handler
  678. #341 xmlwf: Fix exit code for operation without "-d DIRECTORY";
  679. previously, only "-d DIRECTORY" would give you a proper
  680. exit code:
  681. # xmlwf -d . <<<'<not well-formed>' 2>/dev/null ; echo $?
  682. 2
  683. # xmlwf <<<'<not well-formed>' 2>/dev/null ; echo $?
  684. 0
  685. Now both cases return exit code 2.
  686. Other changes:
  687. #299 #302 Windows: Replace LoadLibrary hack to access
  688. unofficial API function SystemFunction036 (RtlGenRandom)
  689. by using official API function rand_s (needs WinXP+)
  690. #325 Windows: Drop support for Visual Studio <=7.1/2003
  691. and document supported compilers in README.md
  692. #286 Windows: Remove COM code from xmlwf; in case it turns
  693. out needed later, there will be a dedicated repository
  694. below https://github.com/libexpat/ for that code
  695. #322 Windows: Remove explicit MSVC solution and project files.
  696. You can generate Visual Studio solution files through
  697. CMake, e.g.: cmake -G"Visual Studio 15 2017" .
  698. #338 xmlwf: Make "xmlwf -h" help output more friendly
  699. #339 examples: Improve elements.c
  700. #244 #264 Autotools: Add argument --enable-xml-attr-info
  701. #239 #301 Autotools: Add arguments
  702. --with-getrandom
  703. --without-getrandom
  704. --with-sys-getrandom
  705. --without-sys-getrandom
  706. #312 #343 Autotools: Fix linking issues with "./configure LD=clang"
  707. Autotools: Fix "make run-xmltest" for out-of-source builds
  708. #329 #336 CMake: Pull all options from Expat <=2.2.7 into namespace
  709. prefix EXPAT_ with the exception of DOCBOOK_TO_MAN:
  710. - BUILD_doc -> EXPAT_BUILD_DOCS (plural)
  711. - BUILD_examples -> EXPAT_BUILD_EXAMPLES
  712. - BUILD_shared -> EXPAT_SHARED_LIBS
  713. - BUILD_tests -> EXPAT_BUILD_TESTS
  714. - BUILD_tools -> EXPAT_BUILD_TOOLS
  715. - DOCBOOK_TO_MAN -> DOCBOOK_TO_MAN (unchanged)
  716. - INSTALL -> EXPAT_ENABLE_INSTALL
  717. - MSVC_USE_STATIC_CRT -> EXPAT_MSVC_STATIC_CRT
  718. - USE_libbsd -> EXPAT_WITH_LIBBSD
  719. - WARNINGS_AS_ERRORS -> EXPAT_WARNINGS_AS_ERRORS
  720. - XML_CONTEXT_BYTES -> EXPAT_CONTEXT_BYTES
  721. - XML_DEV_URANDOM -> EXPAT_DEV_URANDOM
  722. - XML_DTD -> EXPAT_DTD
  723. - XML_NS -> EXPAT_NS
  724. - XML_UNICODE -> EXPAT_CHAR_TYPE=ushort (!)
  725. - XML_UNICODE_WCHAR_T -> EXPAT_CHAR_TYPE=wchar_t (!)
  726. #244 #264 CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF),
  727. default OFF
  728. #326 CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF),
  729. default OFF
  730. #328 CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF),
  731. default OFF
  732. #239 #277 CMake: Add arguments
  733. -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO
  734. -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO
  735. #326 CMake: Install expat_config.h to include directory
  736. #326 CMake: Generate and install configuration files for
  737. future find_package(expat [..] CONFIG [..])
  738. CMake: Now produces a summary of applied configuration
  739. CMake: Require C++ compiler only when tests are enabled
  740. #330 CMake: Fix compilation for 16bit character types,
  741. i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON)
  742. #265 CMake: Fix linking with MinGW
  743. #330 CMake: Add full support for MinGW; to enable, use
  744. -DCMAKE_TOOLCHAIN_FILE=[expat]/cmake/mingw-toolchain.cmake
  745. #330 CMake: Port "make run-xmltest" from GNU Autotools to CMake
  746. #316 CMake: Windows: Make binary postfix match MSVC
  747. Old: expat[d].lib
  748. New: expat[w][d][MD|MT].lib
  749. CMake: Migrate files from Windows to Unix line endings
  750. #308 CMake: Integrate OSS-Fuzz fuzzers, option
  751. -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF
  752. #14 Drop an OpenVMS support leftover
  753. #235 #268 ..
  754. #270 #310 ..
  755. #313 #331 #333 Address compiler warnings
  756. #282 #283 ..
  757. #284 #285 Address cppcheck warnings
  758. #294 #295 Address Clang Static Analyzer warnings
  759. #24 #293 Mass-apply clang-format 9 (and ensure conformance during CI)
  760. Version info bumped from 7:9:6 to 7:10:6
  761. Special thanks to:
  762. David Loffredo
  763. Joonun Jang
  764. Kishore Kunche
  765. Marco Maggi
  766. Mitch Phillips
  767. Mohammed Khajapasha
  768. Rolf Ade
  769. xantares
  770. Zhongyuan Zhou
  771. Release 2.2.7 Wed June 19 2019
  772. Security fixes:
  773. #186 #262 CVE-2018-20843 -- Fix extraction of namespace prefixes from
  774. XML names; XML names with multiple colons could end up in
  775. the wrong namespace, and take a high amount of RAM and CPU
  776. resources while processing, opening the door to
  777. use for denial-of-service attacks
  778. Other changes:
  779. #195 #197 Autotools/CMake: Utilize -fvisibility=hidden to stop
  780. exporting non-API symbols
  781. #227 Autotools: Add --without-examples and --without-tests
  782. #228 Autotools: Modernize configure.ac
  783. #245 #246 Autotools: Fix check for -fvisibility=hidden for Clang
  784. #247 #248 Autotools: Fix compilation for lack of docbook2x-man
  785. #236 #258 Autotools: Produce .tar.{gz,lz,xz} release archives
  786. #212 CMake: Make libdir of pkgconfig expat.pc support multilib
  787. #158 #263 CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR
  788. #219 Remove fallback to bcopy, assume that memmove(3) exists
  789. #257 Use portable "/usr/bin/env bash" shebang (e.g. for OpenBSD)
  790. #243 Windows: Fix syntax of .def module definition files
  791. Version info bumped from 7:8:6 to 7:9:6
  792. Special thanks to:
  793. Benjamin Peterson
  794. Caolán McNamara
  795. Hanno Böck
  796. KangLin
  797. Kishore Kunche
  798. Marco Maggi
  799. Rhodri James
  800. Sebastian Dröge
  801. userwithuid
  802. Yury Gribov
  803. Release 2.2.6 Sun August 12 2018
  804. Bug fixes:
  805. #170 #206 Avoid doing arithmetic with NULL pointers in XML_GetBuffer
  806. #204 #205 Fix 2.2.5 regression with suspend-resume while parsing
  807. a document like '<root/>'
  808. Other changes:
  809. #165 #168 Autotools: Fix docbook-related configure syntax error
  810. #166 Autotools: Avoid grep option `-q` for Solaris
  811. #167 Autotools: Support
  812. ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation"
  813. #159 #167 Autotools: Support DOCBOOK_TO_MAN command which produces
  814. xmlwf.1 rather than XMLWF.1; also covers case insensitive
  815. file systems
  816. #181 Autotools: Drop -rpath option passed to libtool
  817. #188 Autotools: Detect and deny SGML docbook2man as ours is XML
  818. #188 Autotools/CMake: Support command db2x_docbook2man as well
  819. #174 CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF
  820. #184 #185 CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF
  821. #207 #208 CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T,
  822. both defaulting to OFF
  823. #175 CMake: Prefer check_symbol_exists over check_function_exists
  824. #176 CMake: Create the same pkg-config file as with GNU Autotools
  825. #178 #179 CMake: Use GNUInstallDirs module to set proper defaults for
  826. install directories
  827. #208 CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM
  828. #180 Windows: Fix compilation of test suite for Visual Studio 2008
  829. #131 #173 #202 Address compiler warnings
  830. #187 #190 #200 Fix miscellaneous typos
  831. Version info bumped from 7:7:6 to 7:8:6
  832. Special thanks to:
  833. Anton Maklakov
  834. Benjamin Peterson
  835. Brad King
  836. Franek Korta
  837. Frank Rast
  838. Joe Orton
  839. luzpaz
  840. Pedro Vicente
  841. Rainer Jung
  842. Rhodri James
  843. Rolf Ade
  844. Rolf Eike Beer
  845. Thomas Beutlich
  846. Tomasz Kłoczko
  847. Release 2.2.5 Tue October 31 2017
  848. Bug fixes:
  849. #8 If the parser runs out of memory, make sure its internal
  850. state reflects the memory it actually has, not the memory
  851. it wanted to have.
  852. #11 The default handler wasn't being called when it should for
  853. a SYSTEM or PUBLIC doctype if an entity declaration handler
  854. was registered.
  855. #137 #138 Fix a case of mistakenly reported parsing success where
  856. XML_StopParser was called from an element handler
  857. #162 Function XML_ErrorString was returning NULL rather than
  858. a message for code XML_ERROR_INVALID_ARGUMENT
  859. introduced with release 2.2.1
  860. Other changes:
  861. #106 xmlwf: Add argument -N adding notation declarations
  862. #75 #106 Test suite: Resolve expected failure cases where xmlwf
  863. output was incomplete
  864. #127 Windows: Fix test suite compilation
  865. #126 #127 Windows: Fix compilation for Visual Studio 2012
  866. Windows: Upgrade shipped project files to Visual Studio 2017
  867. #33 #132 tests: Mass-fix compilation for XML_UNICODE_WCHAR_T
  868. #129 examples: Fix compilation for XML_UNICODE_WCHAR_T
  869. #130 benchmark: Fix compilation for XML_UNICODE_WCHAR_T
  870. #144 xmlwf: Fix compilation for XML_UNICODE_WCHAR_T; still needs
  871. Windows or MinGW for 2-byte wchar_t
  872. #9 Address two Clang Static Analyzer false positives
  873. #59 Resolve troublesome macros hiding parser struct membership
  874. and dereferencing that pointer
  875. #6 Resolve superfluous internal malloc/realloc switch
  876. #153 #155 Improve docbook2x-man detection
  877. #160 Undefine NDEBUG in the test suite (rather than rejecting it)
  878. #161 Address compiler warnings
  879. Version info bumped from 7:6:6 to 7:7:6
  880. Special thanks to:
  881. Benbuck Nason
  882. Hans Wennborg
  883. José Gutiérrez de la Concha
  884. Pedro Monreal Gonzalez
  885. Rhodri James
  886. Rolf Ade
  887. Stephen Groat
  888. and
  889. Core Infrastructure Initiative
  890. Release 2.2.4 Sat August 19 2017
  891. Bug fixes:
  892. #115 Fix copying of partial characters for UTF-8 input
  893. Other changes:
  894. #109 Fix "make check" for non-x86 architectures that default
  895. to unsigned type char (-128..127 rather than 0..255)
  896. #109 coverage.sh: Cover -funsigned-char
  897. Autotools: Introduce --without-xmlwf argument
  898. #65 Autotools: Replace handwritten Makefile with GNU Automake
  899. #43 CMake: Auto-detect high quality entropy extractors, add new
  900. option USE_libbsd=ON to use arc4random_buf of libbsd
  901. #74 CMake: Add -fno-strict-aliasing only where supported
  902. #114 CMake: Always honor manually set BUILD_* options
  903. #114 CMake: Compile man page if docbook2x-man is available, only
  904. #117 Include file tests/xmltest.log.expected in source tarball
  905. (required for "make run-xmltest")
  906. #117 Include (existing) Visual Studio 2013 files in source tarball
  907. Improve test suite error output
  908. #111 Fix some typos in documentation
  909. Version info bumped from 7:5:6 to 7:6:6
  910. Special thanks to:
  911. Jakub Wilk
  912. Joe Orton
  913. Lin Tian
  914. Rolf Eike Beer
  915. Release 2.2.3 Wed August 2 2017
  916. Security fixes:
  917. #82 CVE-2017-11742 -- Windows: Fix DLL hijacking vulnerability
  918. using Steve Holme's LoadLibrary wrapper for/of cURL
  919. Bug fixes:
  920. #85 Fix a dangling pointer issue related to realloc
  921. Other changes:
  922. Increase code coverage
  923. #91 Linux: Allow getrandom to fail if nonblocking pool has not
  924. yet been initialized and read /dev/urandom then, instead.
  925. This is in line with what recent Python does.
  926. #81 Pre-10.7/Lion macOS: Support entropy from arc4random
  927. #86 Check that a UTF-16 encoding in an XML declaration has the
  928. right endianness
  929. #4 #5 #7 Recover correctly when some reallocations fail
  930. Repair "./configure && make" for systems without any
  931. provider of high quality entropy
  932. and try reading /dev/urandom on those
  933. Ensure that user-defined character encodings have converter
  934. functions when they are needed
  935. Fix mis-leading description of argument -c in xmlwf.1
  936. Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__)
  937. for CloudABI
  938. #100 Fix use of SIPHASH_MAIN in siphash.h
  939. #23 Test suite: Fix memory leaks
  940. Version info bumped from 7:4:6 to 7:5:6
  941. Special thanks to:
  942. Chanho Park
  943. Joe Orton
  944. Pascal Cuoq
  945. Rhodri James
  946. Simon McVittie
  947. Vadim Zeitlin
  948. Viktor Szakats
  949. and
  950. Core Infrastructure Initiative
  951. Release 2.2.2 Wed July 12 2017
  952. Security fixes:
  953. #43 Protect against compilation without any source of high
  954. quality entropy enabled, e.g. with CMake build system;
  955. commit ff0207e6076e9828e536b8d9cd45c9c92069b895
  956. #60 Windows with _UNICODE:
  957. Unintended use of LoadLibraryW with a non-wide string
  958. resulted in failure to load advapi32.dll and degradation
  959. in quality of used entropy when compiled with _UNICODE for
  960. Windows; you can launch existing binaries with
  961. EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the
  962. quality of entropy used during runtime; commits
  963. * 95b95032f907ef1cd17ee7a9a1768010a825d61d
  964. * 73a5a2e9c081f49f2d775cf7ced864158b68dc80
  965. [MOX-006] Fix non-NULL parser parameter validation in XML_Parse;
  966. resulted in NULL dereference, previously;
  967. commit ac256dafdffc9622ab0dc2c62fcecb0dfcfa71fe
  968. Bug fixes:
  969. #69 Fix improper use of unsigned long long integer literals
  970. Other changes:
  971. #73 Start requiring a C99 compiler
  972. #49 Fix "==" Bashism in configure script
  973. #50 Fix too eager getrandom detection for Debian GNU/kFreeBSD
  974. #52 and macOS
  975. #51 Address lack of stdint.h in Visual Studio 2003 to 2008
  976. #58 Address compile warnings
  977. #68 Fix "./buildconf.sh && ./configure" for some versions
  978. of Dash for /bin/sh
  979. #72 CMake: Ease use of Expat in context of a parent project
  980. with multiple CMakeLists.txt files
  981. #72 CMake: Resolve mistaken executable permissions
  982. #76 Address compile warning with -DNDEBUG (not recommended!)
  983. #77 Address compile warning about macro redefinition
  984. Special thanks to:
  985. Alexander Bluhm
  986. Ben Boeckel
  987. Cătălin Răceanu
  988. Kerin Millar
  989. László Böszörményi
  990. S. P. Zeidler
  991. Segev Finer
  992. Václav Slavík
  993. Victor Stinner
  994. Viktor Szakats
  995. and
  996. Radically Open Security
  997. Release 2.2.1 Sat June 17 2017
  998. Security fixes:
  999. CVE-2017-9233 -- External entity infinite loop DoS
  1000. Details: https://libexpat.github.io/doc/cve-2017-9233/
  1001. Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
  1002. [MOX-002] CVE-2016-9063 -- Detect integer overflow; commit
  1003. d4f735b88d9932bd5039df2335eefdd0723dbe20
  1004. (Fixed version of existing downstream patches!)
  1005. (SF.net) #539 Fix regression from fix to CVE-2016-0718 cutting off
  1006. longer tag names; commits
  1007. * 896b6c1fd3b842f377d1b62135dccf0a579cf65d
  1008. * af507cef2c93cb8d40062a0abe43a4f4e9158fb2
  1009. #16 * 0dbbf43fdb20f593ddf4fa1ff67288000dd4a7fd
  1010. #25 More integer overflow detection (function poolGrow); commits
  1011. * 810b74e4703dcfdd8f404e3cb177d44684775143
  1012. * 44178553f3539ce69d34abee77a05e879a7982ac
  1013. [MOX-002] Detect overflow from len=INT_MAX call to XML_Parse; commits
  1014. * 4be2cb5afcc018d996f34bbbce6374b7befad47f
  1015. * 7e5b71b748491b6e459e5c9a1d090820f94544d8
  1016. [MOX-005] #30 Use high quality entropy for hash initialization:
  1017. * arc4random_buf on BSD, systems with libbsd
  1018. (when configured with --with-libbsd), CloudABI
  1019. * RtlGenRandom on Windows XP / Server 2003 and later
  1020. * getrandom on Linux 3.17+
  1021. In a way, that's still part of CVE-2016-5300.
  1022. https://github.com/libexpat/libexpat/pull/30/commits
  1023. [MOX-005] For the low quality entropy extraction fallback code,
  1024. the parser instance address can no longer leak, commit
  1025. 04ad658bd3079dd15cb60fc67087900f0ff4b083
  1026. [MOX-003] Prevent use of uninitialised variable; commit
  1027. [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b
  1028. Add missing parameter validation to public API functions
  1029. and dedicated error code XML_ERROR_INVALID_ARGUMENT:
  1030. [MOX-006] * NULL checks; commits
  1031. * d37f74b2b7149a3a95a680c4c4cd2a451a51d60a (merge/many)
  1032. * 9ed727064b675b7180c98cb3d4f75efba6966681
  1033. * 6a747c837c50114dfa413994e07c0ba477be4534
  1034. * Negative length (XML_Parse); commit
  1035. [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f
  1036. [MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash
  1037. to go further with fixing CVE-2012-0876.
  1038. https://github.com/libexpat/libexpat/pull/39/commits
  1039. Bug fixes:
  1040. #32 Fix sharing of hash salt across parsers;
  1041. relevant where XML_ExternalEntityParserCreate is called
  1042. prior to XML_Parse, in particular (e.g. FBReader)
  1043. #28 xmlwf: Auto-disable use of memory-mapping (and parsing
  1044. as a single chunk) for files larger than ~1 GB (2^30 bytes)
  1045. rather than failing with error "out of memory"
  1046. #3 Fix double free after malloc failure in DTD code; commit
  1047. 7ae9c3d3af433cd4defe95234eae7dc8ed15637f
  1048. #17 Fix memory leak on parser error for unbound XML attribute
  1049. prefix with new namespaces defined in the same tag;
  1050. found by Google's OSS-Fuzz; commits
  1051. * 16f87daae5a16132e479e4f71862128c7a915c73
  1052. * b47dbc9745932c160893d433220e462bd605f8cd
  1053. xmlwf on Windows: Add missing calls to CloseHandle
  1054. New features:
  1055. #30 Introduced environment switch EXPAT_ENTROPY_DEBUG=1
  1056. for runtime debugging of entropy extraction
  1057. Other changes:
  1058. Increase code coverage
  1059. #33 Reject use of XML_UNICODE_WCHAR_T with sizeof(wchar_t) != 2;
  1060. XML_UNICODE_WCHAR_T was never meant to be used outside
  1061. of Windows; 4-byte wchar_t is common on Linux
  1062. (SF.net) #538 Start using -fno-strict-aliasing
  1063. (SF.net) #540 Support compilation against cloudlibc of CloudABI
  1064. Allow MinGW cross-compilation
  1065. (SF.net) #534 CMake: Introduce option "BUILD_doc" (enabled by default)
  1066. to bypass compilation of the xmlwf.1 man page
  1067. (SF.net) pr2 CMake: Introduce option "INSTALL" (enabled by default)
  1068. to bypass installation of expat files
  1069. CMake: Fix ninja support
  1070. Autotools: Add parameters --enable-xml-context [COUNT]
  1071. and --disable-xml-context; default of context of 1024
  1072. bytes enabled unchanged
  1073. #14 Drop AmigaOS 4.x code and includes
  1074. #14 Drop ancient build systems:
  1075. * Borland C++ Builder
  1076. * OpenVMS
  1077. * Open Watcom
  1078. * Visual Studio 6.0
  1079. * Pre-X Mac OS (MPW Makefile)
  1080. If you happen to rely on some of these, please get in
  1081. touch for joining with maintenance.
  1082. #10 Move from WIN32 to _WIN32
  1083. #13 Fix "make run-xmltest" order instability
  1084. Address compile warnings
  1085. Bump version info from 7:2:6 to 7:3:6
  1086. Add AUTHORS file
  1087. Infrastructure:
  1088. #1 Migrate from SourceForge to GitHub (except downloads):
  1089. https://github.com/libexpat/
  1090. #1 Re-create http://libexpat.org/ project website
  1091. Start utilizing Travis CI
  1092. Special thanks to:
  1093. Andy Wang
  1094. Don Lewis
  1095. Ed Schouten
  1096. Karl Waclawek
  1097. Pascal Cuoq
  1098. Rhodri James
  1099. Sergei Nikulov
  1100. Tobias Taschner
  1101. Viktor Szakats
  1102. and
  1103. Core Infrastructure Initiative
  1104. Mozilla Foundation (MOSS Track 3: Secure Open Source)
  1105. Radically Open Security
  1106. Release 2.2.0 Tue June 21 2016
  1107. Security fixes:
  1108. #537 CVE-2016-0718 -- Fix crash on malformed input
  1109. CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
  1110. CVE-2015-2716 introduced with Expat 2.1.1
  1111. #499 CVE-2016-5300 -- Use more entropy for hash initialization
  1112. than the original fix to CVE-2012-0876
  1113. #519 CVE-2012-6702 -- Resolve troublesome internal call to srand
  1114. that was introduced with Expat 2.1.0
  1115. when addressing CVE-2012-0876 (issue #496)
  1116. Bug fixes:
  1117. Fix uninitialized reads of size 1
  1118. (e.g. in little2_updatePosition)
  1119. Fix detection of UTF-8 character boundaries
  1120. Other changes:
  1121. #532 Fix compilation for Visual Studio 2010 (keyword "C99")
  1122. Autotools: Resolve use of "$<" to better support bmake
  1123. Autotools: Add QA script "qa.sh" (and make target "qa")
  1124. Autotools: Respect CXXFLAGS if given
  1125. Autotools: Fix "make run-xmltest"
  1126. Autotools: Have "make run-xmltest" check for expected output
  1127. p90 CMake: Fix static build (BUILD_shared=OFF) on Windows
  1128. #536 CMake: Add soversion, support -DNO_SONAME=yes to bypass
  1129. #323 CMake: Add suffix "d" to differentiate debug from release
  1130. CMake: Define WIN32 with CMake on Windows
  1131. Annotate memory allocators for GCC
  1132. Address all currently known compile warnings
  1133. Make sure that API symbols remain visible despite
  1134. -fvisibility=hidden
  1135. Remove executable flag from source files
  1136. Resolve COMPILED_FROM_DSP in favor of WIN32
  1137. Special thanks to:
  1138. Björn Lindahl
  1139. Christian Heimes
  1140. Cristian Rodríguez
  1141. Daniel Krügler
  1142. Gustavo Grieco
  1143. Karl Waclawek
  1144. László Böszörményi
  1145. Marco Grassi
  1146. Pascal Cuoq
  1147. Sergei Nikulov
  1148. Thomas Beutlich
  1149. Warren Young
  1150. Yann Droneaud
  1151. Release 2.1.1 Sat March 12 2016
  1152. Security fixes:
  1153. #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer
  1154. Bug fixes:
  1155. #502: Fix potential null pointer dereference
  1156. #520: Symbol XML_SetHashSalt was not exported
  1157. Output of "xmlwf -h" was incomplete
  1158. Other changes:
  1159. #503: Document behavior of calling XML_SetHashSalt with salt 0
  1160. Minor improvements to man page xmlwf(1)
  1161. Improvements to the experimental CMake build system
  1162. libtool now invoked with --verbose
  1163. Release 2.1.0 Sat March 24 2012
  1164. - Security fixes:
  1165. #2958794: CVE-2012-1148 - Memory leak in poolGrow.
  1166. #2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
  1167. #3496608: CVE-2012-0876 - Hash DOS attack.
  1168. #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
  1169. #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
  1170. - Bug Fixes:
  1171. #1742315: Harmful XML_ParserCreateNS suggestion.
  1172. #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
  1173. #1983953, 2517952, 2517962, 2649838:
  1174. Build modifications using autoreconf instead of buildconf.sh.
  1175. #2815947, #2884086: OBJEXT and EXEEXT support while building.
  1176. #2517938: xmlwf should return non-zero exit status if not well-formed.
  1177. #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml.
  1178. #2855609: Dangling positionPtr after error.
  1179. #2990652: CMake support.
  1180. #3010819: UNEXPECTED_STATE with a trailing "%" in entity value.
  1181. #3206497: Uninitialized memory returned from XML_Parse.
  1182. #3287849: make check fails on mingw-w64.
  1183. - Patches:
  1184. #1749198: pkg-config support.
  1185. #3010222: Fix for bug #3010819.
  1186. #3312568: CMake support.
  1187. #3446384: Report byte offsets for attr names and values.
  1188. - New Features / API changes:
  1189. Added new API member XML_SetHashSalt() that allows setting an initial
  1190. value (salt) for hash calculations. This is part of the fix for
  1191. bug #3496608 to randomize hash parameters.
  1192. When compiled with XML_ATTR_INFO defined, adds new API member
  1193. XML_GetAttributeInfo() that allows retrieving the byte
  1194. offsets for attribute names and values (patch #3446384).
  1195. Added CMake build system.
  1196. See bug #2990652 and patch #3312568.
  1197. Added run-benchmark target to Makefile.in - relies on testdata module
  1198. present in the same relative location as in the repository.
  1199. Release 2.0.1 Tue June 5 2007
  1200. - Fixed bugs #1515266, #1515600: The character data handler's calling
  1201. of XML_StopParser() was not handled properly; if the parser was
  1202. stopped and the handler set to NULL, the parser would segfault.
  1203. - Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed
  1204. some character constants to be ASCII encoded.
  1205. - Minor cleanups of the test harness.
  1206. - Fixed xmlwf bug #1513566: "out of memory" error on file size zero.
  1207. - Fixed outline.c bug #1543233: missing a final XML_ParserFree() call.
  1208. - Fixes and improvements for Windows platform:
  1209. bugs #1409451, #1476160, #1548182, #1602769, #1717322.
  1210. - Build fixes for various platforms:
  1211. HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180.
  1212. All Unix: #1554618 (refreshed config.sub/config.guess).
  1213. #1490371, #1613457: support both, DESTDIR and INSTALL_ROOT,
  1214. without relying on GNU-Make specific features.
  1215. #1647805: Patched configure.in to work better with Intel compiler.
  1216. - Fixes to Makefile.in to have make check work correctly:
  1217. bugs #1408143, #1535603, #1536684.
  1218. - Added Open Watcom support: patch #1523242.
  1219. Release 2.0.0 Wed Jan 11 2006
  1220. - We no longer use the "check" library for C unit testing; we
  1221. always use the (partial) internal implementation of the API.
  1222. - Report XML_NS setting via XML_GetFeatureList().
  1223. - Fixed headers for use from C++.
  1224. - XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber()
  1225. now return unsigned integers.
  1226. - Added XML_LARGE_SIZE switch to enable 64-bit integers for
  1227. byte indexes and line/column numbers.
  1228. - Updated to use libtool 1.5.22 (the most recent).
  1229. - Added support for AmigaOS.
  1230. - Some mostly minor bug fixes. SF issues include: #1006708,
  1231. #1021776, #1023646, #1114960, #1156398, #1221160, #1271642.
  1232. Release 1.95.8 Fri Jul 23 2004
  1233. - Major new feature: suspend/resume. Handlers can now request
  1234. that a parse be suspended for later resumption or aborted
  1235. altogether. See "Temporarily Stopping Parsing" in the
  1236. documentation for more details.
  1237. - Some mostly minor bug fixes, but compilation should no
  1238. longer generate warnings on most platforms. SF issues
  1239. include: #827319, #840173, #846309, #888329, #896188, #923913,
  1240. #928113, #961698, #985192.
  1241. Release 1.95.7 Mon Oct 20 2003
  1242. - Fixed enum XML_Status issue (reported on SourceForge many
  1243. times), so compilers that are properly picky will be happy.
  1244. - Introduced an XMLCALL macro to control the calling
  1245. convention used by the Expat API; this macro should be used
  1246. to annotate prototypes and definitions of callback
  1247. implementations in code compiled with a calling convention
  1248. other than the default convention for the host platform.
  1249. - Improved ability to build without the configure-generated
  1250. expat_config.h header. This is useful for applications
  1251. which embed Expat rather than linking in the library.
  1252. - Fixed a variety of bugs: see SF issues #458907, #609603,
  1253. #676844, #679754, #692878, #692964, #695401, #699323, #699487,
  1254. #820946.
  1255. - Improved hash table lookups.
  1256. - Added more regression tests and improved documentation.
  1257. Release 1.95.6 Tue Jan 28 2003
  1258. - Added XML_FreeContentModel().
  1259. - Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree().
  1260. - Fixed a variety of bugs: see SF issues #615606, #616863,
  1261. #618199, #653180, #673791.
  1262. - Enhanced the regression test suite.
  1263. - Man page improvements: includes SF issue #632146.
  1264. Release 1.95.5 Fri Sep 6 2002
  1265. - Added XML_UseForeignDTD() for improved SAX2 support.
  1266. - Added XML_GetFeatureList().
  1267. - Defined XML_Bool type and the values XML_TRUE and XML_FALSE.
  1268. - Use an incomplete struct instead of a void* for the parser
  1269. (may not retain).
  1270. - Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected.
  1271. - Finally fixed bug where default handler would report DTD
  1272. events that were already handled by another handler.
  1273. Initial patch contributed by Darryl Miles.
  1274. - Removed unnecessary DllMain() function that caused static
  1275. linking into a DLL to be difficult.
  1276. - Added VC++ projects for building static libraries.
  1277. - Reduced line-length for all source code and headers to be
  1278. no longer than 80 characters, to help with AS/400 support.
  1279. - Reduced memory copying during parsing (SF patch #600964).
  1280. - Fixed a variety of bugs: see SF issues #580793, #434664,
  1281. #483514, #580503, #581069, #584041, #584183, #584832, #585537,
  1282. #596555, #596678, #598352, #598944, #599715, #600479, #600971.
  1283. Release 1.95.4 Fri Jul 12 2002
  1284. - Added support for VMS, contributed by Craig Berry. See
  1285. vms/README.vms for more information.
  1286. - Added Mac OS (classic) support, with a makefile for MPW,
  1287. contributed by Thomas Wegner and Daryle Walker.
  1288. - Added Borland C++ Builder 5 / BCC 5.5 support, contributed
  1289. by Patrick McConnell (SF patch #538032).
  1290. - Fixed a variety of bugs: see SF issues #441449, #563184,
  1291. #564342, #566334, #566901, #569461, #570263, #575168, #579196.
  1292. - Made skippedEntityHandler conform to SAX2 (see source comment)
  1293. - Re-implemented WFC: Entity Declared from XML 1.0 spec and
  1294. added a new error "entity declared in parameter entity":
  1295. see SF bug report #569461 and SF patch #578161
  1296. - Re-implemented section 5.1 from XML 1.0 spec:
  1297. see SF bug report #570263 and SF patch #578161
  1298. Release 1.95.3 Mon Jun 3 2002
  1299. - Added a project to the MSVC workspace to create a wchar_t
  1300. version of the library; the DLLs are named libexpatw.dll.
  1301. - Changed the name of the Windows DLLs from expat.dll to
  1302. libexpat.dll; this fixes SF bug #432456.
  1303. - Added the XML_ParserReset() API function.
  1304. - Fixed XML_SetReturnNSTriplet() to work for element names.
  1305. - Made the XML_UNICODE builds usable (thanks, Karl!).
  1306. - Allow xmlwf to read from standard input.
  1307. - Install a man page for xmlwf on Unix systems.
  1308. - Fixed many bugs; see SF bug reports #231864, #461380, #464837,
  1309. #466885, #469226, #477667, #484419, #487840, #494749, #496505,
  1310. #547350. Other bugs which we can't test as easily may also
  1311. have been fixed, especially in the area of build support.
  1312. Release 1.95.2 Fri Jul 27 2001
  1313. - More changes to make MSVC happy with the build; add a single
  1314. workspace to support both the library and xmlwf application.
  1315. - Added a Windows installer for Windows users; includes
  1316. xmlwf.exe.
  1317. - Added compile-time constants that can be used to determine the
  1318. Expat version
  1319. - Removed a lot of GNU-specific dependencies to aide portability
  1320. among the various Unix flavors.
  1321. - Fix the UTF-8 BOM bug.
  1322. - Cleaned up warning messages for several compilers.
  1323. - Added the -Wall, -Wstrict-prototypes options for GCC.
  1324. Release 1.95.1 Sun Oct 22 15:11:36 EDT 2000
  1325. - Changes to get expat to build under Microsoft compiler
  1326. - Removed all aborts and instead return an UNEXPECTED_STATE error.
  1327. - Fixed a bug where a stray '%' in an entity value would cause an
  1328. abort.
  1329. - Defined XML_SetEndNamespaceDeclHandler. Thanks to Darryl Miles for
  1330. finding this oversight.
  1331. - Changed default patterns in lib/Makefile.in to fit non-GNU makes
  1332. Thanks to robin@unrated.net for reporting and providing an
  1333. account to test on.
  1334. - The reference had the wrong label for XML_SetStartNamespaceDecl.
  1335. Reported by an anonymous user.
  1336. Release 1.95.0 Fri Sep 29 2000
  1337. - XML_ParserCreate_MM
  1338. Allows you to set a memory management suite to replace the
  1339. standard malloc,realloc, and free.
  1340. - XML_SetReturnNSTriplet
  1341. If you turn this feature on when namespace processing is in
  1342. effect, then qualified, prefixed element and attribute names
  1343. are returned as "uri|name|prefix" where '|' is whatever
  1344. separator character is used in namespace processing.
  1345. - Merged in features from perl-expat
  1346. o XML_SetElementDeclHandler
  1347. o XML_SetAttlistDeclHandler
  1348. o XML_SetXmlDeclHandler
  1349. o XML_SetEntityDeclHandler
  1350. o StartDoctypeDeclHandler takes 3 additional parameters:
  1351. sysid, pubid, has_internal_subset
  1352. o Many paired handler setters (like XML_SetElementHandler)
  1353. now have corresponding individual handler setters
  1354. o XML_GetInputContext for getting the input context of
  1355. the current parse position.
  1356. - Added reference material
  1357. - Packaged into a distribution that builds a sharable library