libexpat/expat/Changes

NOTE: We are looking for help with a few things:
https://github.com/libexpat/libexpat/labels/help%20wanted
If you can help, please get in touch. Thanks!
Release x.x.xx xxx xxxxxxx xx xxxx
Bug fixes:
#438 When calling XML_ParseBuffer without a prior successful call to
XML_GetBuffer as a user, no longer trigger undefined behavior
(by adding an integer to a NULL pointer) but rather return
XML_STATUS_ERROR and set the error code to (new) code
XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer)
of Clang 11 (but not Clang 9).
#444 xmlwf: Exit status 2 was used for both:
- malformed input files (documented) and
- invalid command-line arguments (undocumented).
The case of invalid command-line arguments now
has its own exit status 4, resolving the ambiguity.
Other changes:
#439 xmlwf: Add argument -k to allow continuing after
non-fatal errors
#439 xmlwf: Add section about exit status to the -h help output
#422 #426 #447 Windows: Drop support for Visual Studio <=14.0/2015
#434 Windows: CMake: Detect unsupported Visual Studio at
configure time (rather than at compile time)
#382 #428 testrunner: Make verbose mode (argument "-v") report
about passed tests, and make default mode report about
failures, as well.
#442 CMake: Call "enable_language(CXX)" prior to tinkering
with CMAKE_CXX_* variables
#451 Autotools: Install CMake files as generated by CMake 3.19.6
so that users with "find_package(expat [..] CONFIG [..])"
are served on distributions that are *not* using the CMake
build system inside for libexpat packaging
#436 #437 Autotools: Drop obsolescent macro AC_HEADER_STDC
#450 #452 Autotools: Resolve use of obsolete macro AC_CONFIG_HEADER
#441 Address compiler warnings
#443 Version info bumped from 7:12:6 to 8:0:7
due to addition of error code XML_ERROR_NO_BUFFER
(see https://verbump.de/ for what these numbers do)
Infrastructure:
#435 #446 Replace Travis CI by GitHub Actions
Special thanks to:
Alexander Richardson
Oleksandr Popovych
Thomas Beutlich
Tim Bray
and
Clang LeakSan, Clang 11 UBSan and the Clang team
Release 2.2.10 Sat October 3 2020
Bug fixes:
#390 #395 #398 Fix undefined behavior during parsing caused by
pointer arithmetic with NULL pointers
#404 #405 Fix reading uninitialized variable during parsing
#406 xmlwf: Add missing check for malloc NULL return
Other changes:
#396 Windows: Drop support for Visual Studio <=8.0/2005
#409 Windows: Add missing file "Changes" to the installer
to fix compilation with CMake from installed sources
#403 xmlwf: Document exit codes in xmlwf manpage and
exit with code 3 (rather than code 1) for output errors
when used with "-d DIRECTORY"
#356 #359 MinGW: Provide declaration of rand_s for mingwrt <5.3.0
#383 #392 Autotools: Use -Werror while configure tests the compiler
for supported compile flags to avoid false positives
#383 #393 #394 Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS,
e.g. ensure that they have the last word over flags added
while running ./configure
#360 CMake: Create libexpatw.{dll,so} and expatw.pc (with emphasis
on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
#360 CMake: Detect and deny unsupported build combinations
involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
#360 CMake: Install pre-compiled shipped xmlwf.1 manpage in case
of -DEXPAT_BUILD_DOCS=OFF
#375 #380 #419 CMake: Fix use of Expat by means of add_subdirectory
#407 #408 CMake: Keep expat target name constant at "expat"
(i.e. refrain from using the target name to control
build artifact filenames)
#385 CMake: Fix compilation with -DEXPAT_SHARED_LIBS=OFF for
Windows
CMake: Expose man page compilation as target "xmlwf-manpage"
#413 #414 CMake: Introduce option EXPAT_BUILD_PKGCONFIG
to control generation of pkg-config file "expat.pc"
#424 CMake: Add minimalistic support for building binary packages
with CMake target "package"; based on CPack
#366 CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with
default OFF to build fuzzer code against OSS-Fuzz and
related environment variable LIB_FUZZING_ENGINE
#354 Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF, each
#354 #355 ..
#356 #412 Address compiler warnings
#368 #369 Address pngcheck warnings with doc/*.png images
#425 Version info bumped from 7:11:6 to 7:12:6
Special thanks to:
asavah
Ben Wagner
Bhargava Shastry
Frank Landgraf
Jeffrey Walton
Joe Orton
Kleber Tarcísio
Ma Lin
Maciej Sroczyński
Mohammed Khajapasha
Vadim Zeitlin
and
Cppcheck 2.0 and the Cppcheck team
Release 2.2.9 Wed September 25 2019
Other changes:
examples: Drop executable bits from elements.c
#349 Windows: Change the name of the Windows DLLs from expat*.dll
to libexpat*.dll once more (regression from 2.2.8, first
fixed in 1.95.3, issue #61 on SourceForge today,
was issue #432456 back then); needs a fix due to
case-insensitive file systems on Windows and the fact that
Perl's XML::Parser::Expat compiles into Expat.dll.
#347 Windows: Only define _CRT_RAND_S if not defined
Version info bumped from 7:10:6 to 7:11:6
Special thanks to:
Ben Wagner
Release 2.2.8 Fri September 13 2019
Security fixes:
#317 #318 CVE-2019-15903 -- Fix heap overflow triggered by
XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber),
and deny internal entities closing the doctype;
fixed in commit c20b758c332d9a13afbbb276d30db1d183a85d43
Bug fixes:
#240 Fix cases where XML_StopParser did not have any effect
when called from inside of an end element handler
#341 xmlwf: Fix exit code for operation without "-d DIRECTORY";
previously, only "-d DIRECTORY" would give you a proper
exit code:
# xmlwf -d . <<<'<not well-formed>' 2>/dev/null ; echo $?
2
# xmlwf <<<'<not well-formed>' 2>/dev/null ; echo $?
0
Now both cases return exit code 2.
Other changes:
#299 #302 Windows: Replace LoadLibrary hack to access
unofficial API function SystemFunction036 (RtlGenRandom)
by using official API function rand_s (needs WinXP+)
#325 Windows: Drop support for Visual Studio <=7.1/2003
and document supported compilers in README.md
#286 Windows: Remove COM code from xmlwf; in case it turns
out needed later, there will be a dedicated repository
below https://github.com/libexpat/ for that code
#322 Windows: Remove explicit MSVC solution and project files.
You can generate Visual Studio solution files through
CMake, e.g.: cmake -G"Visual Studio 15 2017" .
#338 xmlwf: Make "xmlwf -h" help output more friendly
#339 examples: Improve elements.c
#244 #264 Autotools: Add argument --enable-xml-attr-info
#239 #301 Autotools: Add arguments
--with-getrandom
--without-getrandom
--with-sys-getrandom
--without-sys-getrandom
#312 #343 Autotools: Fix linking issues with "./configure LD=clang"
Autotools: Fix "make run-xmltest" for out-of-source builds
#329 #336 CMake: Pull all options from Expat <=2.2.7 into namespace
prefix EXPAT_ with the exception of DOCBOOK_TO_MAN:
- BUILD_doc -> EXPAT_BUILD_DOCS (plural)
- BUILD_examples -> EXPAT_BUILD_EXAMPLES
- BUILD_shared -> EXPAT_SHARED_LIBS
- BUILD_tests -> EXPAT_BUILD_TESTS
- BUILD_tools -> EXPAT_BUILD_TOOLS
- DOCBOOK_TO_MAN -> DOCBOOK_TO_MAN (unchanged)
- INSTALL -> EXPAT_ENABLE_INSTALL
- MSVC_USE_STATIC_CRT -> EXPAT_MSVC_STATIC_CRT
- USE_libbsd -> EXPAT_WITH_LIBBSD
- WARNINGS_AS_ERRORS -> EXPAT_WARNINGS_AS_ERRORS
- XML_CONTEXT_BYTES -> EXPAT_CONTEXT_BYTES
- XML_DEV_URANDOM -> EXPAT_DEV_URANDOM
- XML_DTD -> EXPAT_DTD
- XML_NS -> EXPAT_NS
- XML_UNICODE -> EXPAT_CHAR_TYPE=ushort (!)
- XML_UNICODE_WCHAR_T -> EXPAT_CHAR_TYPE=wchar_t (!)
#244 #264 CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF),
default OFF
#326 CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF),
default OFF
#328 CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF),
default OFF
#239 #277 CMake: Add arguments
-DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO
-DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO
#326 CMake: Install expat_config.h to include directory
#326 CMake: Generate and install configuration files for
future find_package(expat [..] CONFIG [..])
CMake: Now produces a summary of applied configuration
CMake: Require C++ compiler only when tests are enabled
#330 CMake: Fix compilation for 16bit character types,
i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON)
#265 CMake: Fix linking with MinGW
#330 CMake: Add full support for MinGW; to enable, use
-DCMAKE_TOOLCHAIN_FILE=[expat]/cmake/mingw-toolchain.cmake
#330 CMake: Port "make run-xmltest" from GNU Autotools to CMake
#316 CMake: Windows: Make binary postfix match MSVC
Old: expat[d].lib
New: expat[w][d][MD|MT].lib
CMake: Migrate files from Windows to Unix line endings
#308 CMake: Integrate OSS-Fuzz fuzzers, option
-DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF
#14 Drop an OpenVMS support leftover
#235 #268 ..
#270 #310 ..
#313 #331 #333 Address compiler warnings
#282 #283 ..
#284 #285 Address cppcheck warnings
#294 #295 Address Clang Static Analyzer warnings
#24 #293 Mass-apply clang-format 9 (and ensure conformance during CI)
Version info bumped from 7:9:6 to 7:10:6
Special thanks to:
David Loffredo
Joonun Jang
Kishore Kunche
Marco Maggi
Mitch Phillips
Mohammed Khajapasha
Rolf Ade
xantares
Zhongyuan Zhou
Release 2.2.7 Wed June 19 2019
Security fixes:
#186 #262 CVE-2018-20843 -- Fix extraction of namespace prefixes from
XML names; XML names with multiple colons could end up in
the wrong namespace, and take a high amount of RAM and CPU
resources while processing, opening the door to
use for denial-of-service attacks
Other changes:
#195 #197 Autotools/CMake: Utilize -fvisibility=hidden to stop
exporting non-API symbols
#227 Autotools: Add --without-examples and --without-tests
#228 Autotools: Modernize configure.ac
#245 #246 Autotools: Fix check for -fvisibility=hidden for Clang
#247 #248 Autotools: Fix compilation for lack of docbook2x-man
#236 #258 Autotools: Produce .tar.{gz,lz,xz} release archives
#212 CMake: Make libdir of pkgconfig expat.pc support multilib
#158 #263 CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR
#219 Remove fallback to bcopy, assume that memmove(3) exists
#257 Use portable "/usr/bin/env bash" shebang (e.g. for OpenBSD)
#243 Windows: Fix syntax of .def module definition files
Version info bumped from 7:8:6 to 7:9:6
Special thanks to:
Benjamin Peterson
Caolán McNamara
Hanno Böck
KangLin
Kishore Kunche
Marco Maggi
Rhodri James
Sebastian Dröge
userwithuid
Yury Gribov
Release 2.2.6 Sun August 12 2018
Bug fixes:
#170 #206 Avoid doing arithmetic with NULL pointers in XML_GetBuffer
#204 #205 Fix 2.2.5 regression with suspend-resume while parsing
a document like '<root/>'
Other changes:
#165 #168 Autotools: Fix docbook-related configure syntax error
#166 Autotools: Avoid grep option `-q` for Solaris
#167 Autotools: Support
./configure DOCBOOK_TO_MAN="xmlto man --skip-validation"
#159 #167 Autotools: Support DOCBOOK_TO_MAN command which produces
xmlwf.1 rather than XMLWF.1; also covers case insensitive
file systems
#181 Autotools: Drop -rpath option passed to libtool
#188 Autotools: Detect and deny SGML docbook2man as ours is XML
#188 Autotools/CMake: Support command db2x_docbook2man as well
#174 CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF
#184 #185 CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF
#207 #208 CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T,
both defaulting to OFF
#175 CMake: Prefer check_symbol_exists over check_function_exists
#176 CMake: Create the same pkg-config file as with GNU Autotools
#178 #179 CMake: Use GNUInstallDirs module to set proper defaults for
install directories
#208 CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM
#180 Windows: Fix compilation of test suite for Visual Studio 2008
#131 #173 #202 Address compiler warnings
#187 #190 #200 Fix miscellaneous typos
Version info bumped from 7:7:6 to 7:8:6
Special thanks to:
Anton Maklakov
Benjamin Peterson
Brad King
Franek Korta
Frank Rast
Joe Orton
luzpaz
Pedro Vicente
Rainer Jung
Rhodri James
Rolf Ade
Rolf Eike Beer
Thomas Beutlich
Tomasz Kłoczko
Release 2.2.5 Tue October 31 2017
Bug fixes:
#8 If the parser runs out of memory, make sure its internal
state reflects the memory it actually has, not the memory
it wanted to have.
#11 The default handler wasn't being called when it should for
a SYSTEM or PUBLIC doctype if an entity declaration handler
was registered.
#137 #138 Fix a case of mistakenly reported parsing success where
XML_StopParser was called from an element handler
#162 Function XML_ErrorString was returning NULL rather than
a message for code XML_ERROR_INVALID_ARGUMENT
introduced with release 2.2.1
Other changes:
#106 xmlwf: Add argument -N adding notation declarations
#75 #106 Test suite: Resolve expected failure cases where xmlwf
output was incomplete
#127 Windows: Fix test suite compilation
#126 #127 Windows: Fix compilation for Visual Studio 2012
Windows: Upgrade shipped project files to Visual Studio 2017
#33 #132 tests: Mass-fix compilation for XML_UNICODE_WCHAR_T
#129 examples: Fix compilation for XML_UNICODE_WCHAR_T
#130 benchmark: Fix compilation for XML_UNICODE_WCHAR_T
#144 xmlwf: Fix compilation for XML_UNICODE_WCHAR_T; still needs
Windows or MinGW for 2-byte wchar_t
#9 Address two Clang Static Analyzer false positives
#59 Resolve troublesome macros hiding parser struct membership
and dereferencing that pointer
#6 Resolve superfluous internal malloc/realloc switch
#153 #155 Improve docbook2x-man detection
#160 Undefine NDEBUG in the test suite (rather than rejecting it)
#161 Address compiler warnings
Version info bumped from 7:6:6 to 7:7:6
Special thanks to:
Benbuck Nason
Hans Wennborg
José Gutiérrez de la Concha
Pedro Monreal Gonzalez
Rhodri James
Rolf Ade
Stephen Groat
and
Core Infrastructure Initiative
Release 2.2.4 Sat August 19 2017
Bug fixes:
#115 Fix copying of partial characters for UTF-8 input
Other changes:
#109 Fix "make check" for non-x86 architectures that default
to unsigned type char (-128..127 rather than 0..255)
#109 coverage.sh: Cover -funsigned-char
Autotools: Introduce --without-xmlwf argument
#65 Autotools: Replace handwritten Makefile with GNU Automake
#43 CMake: Auto-detect high quality entropy extractors, add new
option USE_libbsd=ON to use arc4random_buf of libbsd
#74 CMake: Add -fno-strict-aliasing only where supported
#114 CMake: Always honor manually set BUILD_* options
#114 CMake: Compile man page if docbook2x-man is available, only
#117 Include file tests/xmltest.log.expected in source tarball
(required for "make run-xmltest")
#117 Include (existing) Visual Studio 2013 files in source tarball
Improve test suite error output
#111 Fix some typos in documentation
Version info bumped from 7:5:6 to 7:6:6
Special thanks to:
Jakub Wilk
Joe Orton
Lin Tian
Rolf Eike Beer
Release 2.2.3 Wed August 2 2017
Security fixes:
#82 CVE-2017-11742 -- Windows: Fix DLL hijacking vulnerability
using Steve Holme's LoadLibrary wrapper for/of cURL
Bug fixes:
#85 Fix a dangling pointer issue related to realloc
Other changes:
Increase code coverage
#91 Linux: Allow getrandom to fail if nonblocking pool has not
yet been initialized and read /dev/urandom then, instead.
This is in line with what recent Python does.
#81 Pre-10.7/Lion macOS: Support entropy from arc4random
#86 Check that a UTF-16 encoding in an XML declaration has the
right endianness
#4 #5 #7 Recover correctly when some reallocations fail
Repair "./configure && make" for systems without any
provider of high quality entropy
and try reading /dev/urandom on those
Ensure that user-defined character encodings have converter
functions when they are needed
Fix misleading description of argument -c in xmlwf.1
Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__)
for CloudABI
#100 Fix use of SIPHASH_MAIN in siphash.h
#23 Test suite: Fix memory leaks
Version info bumped from 7:4:6 to 7:5:6
Special thanks to:
Chanho Park
Joe Orton
Pascal Cuoq
Rhodri James
Simon McVittie
Vadim Zeitlin
Viktor Szakats
and
Core Infrastructure Initiative
Release 2.2.2 Wed July 12 2017
Security fixes:
#43 Protect against compilation without any source of high
quality entropy enabled, e.g. with CMake build system;
commit ff0207e6076e9828e536b8d9cd45c9c92069b895
#60 Windows with _UNICODE:
Unintended use of LoadLibraryW with a non-wide string
resulted in failure to load advapi32.dll and degradation
in quality of used entropy when compiled with _UNICODE for
Windows; you can launch existing binaries with
EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the
quality of entropy used during runtime; commits
* 95b95032f907ef1cd17ee7a9a1768010a825d61d
* 73a5a2e9c081f49f2d775cf7ced864158b68dc80
[MOX-006] Fix non-NULL parser parameter validation in XML_Parse;
resulted in NULL dereference, previously;
commit ac256dafdffc9622ab0dc2c62fcecb0dfcfa71fe
Bug fixes:
#69 Fix improper use of unsigned long long integer literals
Other changes:
#73 Start requiring a C99 compiler
#49 Fix "==" Bashism in configure script
#50 Fix too eager getrandom detection for Debian GNU/kFreeBSD
#52 and macOS
#51 Address lack of stdint.h in Visual Studio 2003 to 2008
#58 Address compile warnings
#68 Fix "./buildconf.sh && ./configure" for some versions
of Dash for /bin/sh
#72 CMake: Ease use of Expat in context of a parent project
with multiple CMakeLists.txt files
#72 CMake: Resolve mistaken executable permissions
#76 Address compile warning with -DNDEBUG (not recommended!)
#77 Address compile warning about macro redefinition
Special thanks to:
Alexander Bluhm
Ben Boeckel
Cătălin Răceanu
Kerin Millar
László Böszörményi
S. P. Zeidler
Segev Finer
Václav Slavík
Victor Stinner
Viktor Szakats
and
Radically Open Security
Release 2.2.1 Sat June 17 2017
Security fixes:
CVE-2017-9233 -- External entity infinite loop DoS
Details: https://libexpat.github.io/doc/cve-2017-9233/
Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
[MOX-002] CVE-2016-9063 -- Detect integer overflow; commit
d4f735b88d9932bd5039df2335eefdd0723dbe20
(Fixed version of existing downstream patches!)
(SF.net) #539 Fix regression from fix to CVE-2016-0718 cutting off
longer tag names; commits
* 896b6c1fd3b842f377d1b62135dccf0a579cf65d
* af507cef2c93cb8d40062a0abe43a4f4e9158fb2
#16 * 0dbbf43fdb20f593ddf4fa1ff67288000dd4a7fd
#25 More integer overflow detection (function poolGrow); commits
* 810b74e4703dcfdd8f404e3cb177d44684775143
* 44178553f3539ce69d34abee77a05e879a7982ac
[MOX-002] Detect overflow from len=INT_MAX call to XML_Parse; commits
* 4be2cb5afcc018d996f34bbbce6374b7befad47f
* 7e5b71b748491b6e459e5c9a1d090820f94544d8
[MOX-005] #30 Use high quality entropy for hash initialization:
* arc4random_buf on BSD, systems with libbsd
(when configured with --with-libbsd), CloudABI
* RtlGenRandom on Windows XP / Server 2003 and later
* getrandom on Linux 3.17+
In a way, that's still part of CVE-2016-5300.
https://github.com/libexpat/libexpat/pull/30/commits
[MOX-005] For the low quality entropy extraction fallback code,
the parser instance address can no longer leak, commit
04ad658bd3079dd15cb60fc67087900f0ff4b083
[MOX-003] Prevent use of uninitialised variable; commit
[MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b
Add missing parameter validation to public API functions
and dedicated error code XML_ERROR_INVALID_ARGUMENT:
[MOX-006] * NULL checks; commits
* d37f74b2b7149a3a95a680c4c4cd2a451a51d60a (merge/many)
* 9ed727064b675b7180c98cb3d4f75efba6966681
* 6a747c837c50114dfa413994e07c0ba477be4534
* Negative length (XML_Parse); commit
[MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f
[MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash
to go further with fixing CVE-2012-0876.
https://github.com/libexpat/libexpat/pull/39/commits
Bug fixes:
#32 Fix sharing of hash salt across parsers;
relevant where XML_ExternalEntityParserCreate is called
prior to XML_Parse, in particular (e.g. FBReader)
#28 xmlwf: Auto-disable use of memory-mapping (and parsing
as a single chunk) for files larger than ~1 GB (2^30 bytes)
rather than failing with error "out of memory"
#3 Fix double free after malloc failure in DTD code; commit
7ae9c3d3af433cd4defe95234eae7dc8ed15637f
#17 Fix memory leak on parser error for unbound XML attribute
prefix with new namespaces defined in the same tag;
found by Google's OSS-Fuzz; commits
* 16f87daae5a16132e479e4f71862128c7a915c73
* b47dbc9745932c160893d433220e462bd605f8cd
xmlwf on Windows: Add missing calls to CloseHandle
New features:
#30 Introduced environment switch EXPAT_ENTROPY_DEBUG=1
for runtime debugging of entropy extraction
Other changes:
Increase code coverage
#33 Reject use of XML_UNICODE_WCHAR_T with sizeof(wchar_t) != 2;
XML_UNICODE_WCHAR_T was never meant to be used outside
of Windows; 4-byte wchar_t is common on Linux
(SF.net) #538 Start using -fno-strict-aliasing
(SF.net) #540 Support compilation against cloudlibc of CloudABI
Allow MinGW cross-compilation
(SF.net) #534 CMake: Introduce option "BUILD_doc" (enabled by default)
to bypass compilation of the xmlwf.1 man page
(SF.net) pr2 CMake: Introduce option "INSTALL" (enabled by default)
to bypass installation of expat files
CMake: Fix ninja support
Autotools: Add parameters --enable-xml-context [COUNT]
and --disable-xml-context; default of context of 1024
bytes enabled unchanged
#14 Drop AmigaOS 4.x code and includes
#14 Drop ancient build systems:
* Borland C++ Builder
* OpenVMS
* Open Watcom
* Visual Studio 6.0
* Pre-X Mac OS (MPW Makefile)
If you happen to rely on some of these, please get in
touch for joining with maintenance.
#10 Move from WIN32 to _WIN32
#13 Fix "make run-xmltest" order instability
Address compile warnings
Bump version info from 7:2:6 to 7:3:6
Add AUTHORS file
Infrastructure:
#1 Migrate from SourceForge to GitHub (except downloads):
https://github.com/libexpat/
#1 Re-create http://libexpat.org/ project website
Start utilizing Travis CI
Special thanks to:
Andy Wang
Don Lewis
Ed Schouten
Karl Waclawek
Pascal Cuoq
Rhodri James
Sergei Nikulov
Tobias Taschner
Viktor Szakats
and
Core Infrastructure Initiative
Mozilla Foundation (MOSS Track 3: Secure Open Source)
Radically Open Security
Release 2.2.0 Tue June 21 2016
Security fixes:
#537 CVE-2016-0718 -- Fix crash on malformed input
CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
CVE-2015-2716 introduced with Expat 2.1.1
#499 CVE-2016-5300 -- Use more entropy for hash initialization
than the original fix to CVE-2012-0876
#519 CVE-2012-6702 -- Resolve troublesome internal call to srand
that was introduced with Expat 2.1.0
when addressing CVE-2012-0876 (issue #496)
Bug fixes:
Fix uninitialized reads of size 1
(e.g. in little2_updatePosition)
Fix detection of UTF-8 character boundaries
Other changes:
#532 Fix compilation for Visual Studio 2010 (keyword "C99")
Autotools: Resolve use of "$<" to better support bmake
Autotools: Add QA script "qa.sh" (and make target "qa")
Autotools: Respect CXXFLAGS if given
Autotools: Fix "make run-xmltest"
Autotools: Have "make run-xmltest" check for expected output
p90 CMake: Fix static build (BUILD_shared=OFF) on Windows
#536 CMake: Add soversion, support -DNO_SONAME=yes to bypass
#323 CMake: Add suffix "d" to differentiate debug from release
CMake: Define WIN32 with CMake on Windows
Annotate memory allocators for GCC
Address all currently known compile warnings
Make sure that API symbols remain visible despite
-fvisibility=hidden
Remove executable flag from source files
Resolve COMPILED_FROM_DSP in favor of WIN32
Special thanks to:
Björn Lindahl
Christian Heimes
Cristian Rodríguez
Daniel Krügler
Gustavo Grieco
Karl Waclawek
László Böszörményi
Marco Grassi
Pascal Cuoq
Sergei Nikulov
Thomas Beutlich
Warren Young
Yann Droneaud
Release 2.1.1 Sat March 12 2016
Security fixes:
#582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer
Bug fixes:
#502: Fix potential null pointer dereference
#520: Symbol XML_SetHashSalt was not exported
Output of "xmlwf -h" was incomplete
Other changes:
#503: Document behavior of calling XML_SetHashSalt with salt 0
Minor improvements to man page xmlwf(1)
Improvements to the experimental CMake build system
libtool now invoked with --verbose
Release 2.1.0 Sat March 24 2012
- Security fixes:
#2958794: CVE-2012-1148 - Memory leak in poolGrow.
#2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
#3496608: CVE-2012-0876 - Hash DOS attack.
#2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
#1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
- Bug Fixes:
#1742315: Harmful XML_ParserCreateNS suggestion.
#1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
#1983953, 2517952, 2517962, 2649838:
Build modifications using autoreconf instead of buildconf.sh.
#2815947, #2884086: OBJEXT and EXEEXT support while building.
#2517938: xmlwf should return non-zero exit status if not well-formed.
#2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml.
#2855609: Dangling positionPtr after error.
#2990652: CMake support.
#3010819: UNEXPECTED_STATE with a trailing "%" in entity value.
#3206497: Uninitialized memory returned from XML_Parse.
#3287849: make check fails on mingw-w64.
- Patches:
#1749198: pkg-config support.
#3010222: Fix for bug #3010819.
#3312568: CMake support.
#3446384: Report byte offsets for attr names and values.
- New Features / API changes:
Added new API member XML_SetHashSalt() that allows setting an initial
value (salt) for hash calculations. This is part of the fix for
bug #3496608 to randomize hash parameters.
When compiled with XML_ATTR_INFO defined, adds new API member
XML_GetAttributeInfo() that allows retrieving the byte
offsets for attribute names and values (patch #3446384).
Added CMake build system.
See bug #2990652 and patch #3312568.
Added run-benchmark target to Makefile.in - relies on testdata module
present in the same relative location as in the repository.
Release 2.0.1 Tue June 5 2007
- Fixed bugs #1515266, #1515600: The character data handler's calling
of XML_StopParser() was not handled properly; if the parser was
stopped and the handler set to NULL, the parser would segfault.
- Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed
some character constants to be ASCII encoded.
- Minor cleanups of the test harness.
- Fixed xmlwf bug #1513566: "out of memory" error on file size zero.
- Fixed outline.c bug #1543233: missing a final XML_ParserFree() call.
- Fixes and improvements for Windows platform:
bugs #1409451, #1476160, #1548182, #1602769, #1717322.
- Build fixes for various platforms:
HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180.
All Unix: #1554618 (refreshed config.sub/config.guess).
#1490371, #1613457: support both, DESTDIR and INSTALL_ROOT,
without relying on GNU-Make specific features.
#1647805: Patched configure.in to work better with Intel compiler.
- Fixes to Makefile.in to have make check work correctly:
bugs #1408143, #1535603, #1536684.
- Added Open Watcom support: patch #1523242.
Release 2.0.0 Wed Jan 11 2006
- We no longer use the "check" library for C unit testing; we
always use the (partial) internal implementation of the API.
- Report XML_NS setting via XML_GetFeatureList().
- Fixed headers for use from C++.
- XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber()
now return unsigned integers.
- Added XML_LARGE_SIZE switch to enable 64-bit integers for
byte indexes and line/column numbers.
- Updated to use libtool 1.5.22 (the most recent).
- Added support for AmigaOS.
- Some mostly minor bug fixes. SF issues include: #1006708,
#1021776, #1023646, #1114960, #1156398, #1221160, #1271642.
Release 1.95.8 Fri Jul 23 2004
- Major new feature: suspend/resume. Handlers can now request
that a parse be suspended for later resumption or aborted
altogether. See "Temporarily Stopping Parsing" in the
documentation for more details.
- Some mostly minor bug fixes, but compilation should no
longer generate warnings on most platforms. SF issues
include: #827319, #840173, #846309, #888329, #896188, #923913,
#928113, #961698, #985192.
Release 1.95.7 Mon Oct 20 2003
- Fixed enum XML_Status issue (reported on SourceForge many
times), so compilers that are properly picky will be happy.
- Introduced an XMLCALL macro to control the calling
convention used by the Expat API; this macro should be used
to annotate prototypes and definitions of callback
implementations in code compiled with a calling convention
other than the default convention for the host platform.
- Improved ability to build without the configure-generated
expat_config.h header. This is useful for applications
which embed Expat rather than linking in the library.
- Fixed a variety of bugs: see SF issues #458907, #609603,
#676844, #679754, #692878, #692964, #695401, #699323, #699487,
#820946.
- Improved hash table lookups.
- Added more regression tests and improved documentation.
Release 1.95.6 Tue Jan 28 2003
- Added XML_FreeContentModel().
- Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree().
- Fixed a variety of bugs: see SF issues #615606, #616863,
#618199, #653180, #673791.
- Enhanced the regression test suite.
- Man page improvements: includes SF issue #632146.
Release 1.95.5 Fri Sep 6 2002
- Added XML_UseForeignDTD() for improved SAX2 support.
- Added XML_GetFeatureList().
- Defined XML_Bool type and the values XML_TRUE and XML_FALSE.
- Use an incomplete struct instead of a void* for the parser
(may not retain).
- Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected.
- Finally fixed bug where default handler would report DTD
events that were already handled by another handler.
Initial patch contributed by Darryl Miles.
- Removed unnecessary DllMain() function that caused static
linking into a DLL to be difficult.
- Added VC++ projects for building static libraries.
- Reduced line-length for all source code and headers to be
no longer than 80 characters, to help with AS/400 support.
- Reduced memory copying during parsing (SF patch #600964).
- Fixed a variety of bugs: see SF issues #580793, #434664,
#483514, #580503, #581069, #584041, #584183, #584832, #585537,
#596555, #596678, #598352, #598944, #599715, #600479, #600971.
Release 1.95.4 Fri Jul 12 2002
- Added support for VMS, contributed by Craig Berry. See
vms/README.vms for more information.
- Added Mac OS (classic) support, with a makefile for MPW,
contributed by Thomas Wegner and Daryle Walker.
- Added Borland C++ Builder 5 / BCC 5.5 support, contributed
by Patrick McConnell (SF patch #538032).
- Fixed a variety of bugs: see SF issues #441449, #563184,
#564342, #566334, #566901, #569461, #570263, #575168, #579196.
- Made skippedEntityHandler conform to SAX2 (see source comment)
- Re-implemented WFC: Entity Declared from XML 1.0 spec and
added a new error "entity declared in parameter entity":
see SF bug report #569461 and SF patch #578161
- Re-implemented section 5.1 from XML 1.0 spec:
see SF bug report #570263 and SF patch #578161
Release 1.95.3 Mon Jun 3 2002
- Added a project to the MSVC workspace to create a wchar_t
version of the library; the DLLs are named libexpatw.dll.
- Changed the name of the Windows DLLs from expat.dll to
libexpat.dll; this fixes SF bug #432456.
- Added the XML_ParserReset() API function.
- Fixed XML_SetReturnNSTriplet() to work for element names.
- Made the XML_UNICODE builds usable (thanks, Karl!).
- Allow xmlwf to read from standard input.
- Install a man page for xmlwf on Unix systems.
- Fixed many bugs; see SF bug reports #231864, #461380, #464837,
#466885, #469226, #477667, #484419, #487840, #494749, #496505,
#547350. Other bugs which we can't test as easily may also
have been fixed, especially in the area of build support.
Release 1.95.2 Fri Jul 27 2001
- More changes to make MSVC happy with the build; add a single
workspace to support both the library and xmlwf application.
- Added a Windows installer for Windows users; includes
xmlwf.exe.
- Added compile-time constants that can be used to determine the
Expat version.
- Removed a lot of GNU-specific dependencies to aid portability
among the various Unix flavors.
- Fix the UTF-8 BOM bug.
- Cleaned up warning messages for several compilers.
- Added the -Wall, -Wstrict-prototypes options for GCC.
Release 1.95.1 Sun Oct 22 15:11:36 EDT 2000
- Changes to get expat to build under Microsoft compiler
- Removed all aborts and instead return an UNEXPECTED_STATE error.
- Fixed a bug where a stray '%' in an entity value would cause an
abort.
- Defined XML_SetEndNamespaceDeclHandler. Thanks to Darryl Miles for
finding this oversight.
- Changed default patterns in lib/Makefile.in to fit non-GNU makes
Thanks to robin@unrated.net for reporting and providing an
account to test on.
- The reference had the wrong label for XML_SetStartNamespaceDecl.
Reported by an anonymous user.
Release 1.95.0 Fri Sep 29 2000
- XML_ParserCreate_MM
Allows you to set a memory management suite to replace the
standard malloc, realloc, and free.
- XML_SetReturnNSTriplet
If you turn this feature on when namespace processing is in
effect, then qualified, prefixed element and attribute names
are returned as "uri|name|prefix" where '|' is whatever
separator character is used in namespace processing.
- Merged in features from perl-expat
o XML_SetElementDeclHandler
o XML_SetAttlistDeclHandler
o XML_SetXmlDeclHandler
o XML_SetEntityDeclHandler
o StartDoctypeDeclHandler takes 3 additional parameters:
sysid, pubid, has_internal_subset
o Many paired handler setters (like XML_SetElementHandler)
now have corresponding individual handler setters
o XML_GetInputContext for getting the input context of
the current parse position.
- Added reference material
- Packaged into a distribution that builds a sharable library