Expat 2.6.2

Expat is a stream-oriented XML parser library written in C99. It excels with files too large to fit RAM, and where performance and flexibility are crucial. There are a number of applications, libraries and hardware using Expat, as well as bindings and 3rd-party wrappers. Expat is packaged everywhere.

Tags xml parser c c99 library
License MITL
State stable

Recent Releases

2.6.213 Mar 2024 21:36 minor bugfix: ecurity : #839 #842 CVE-2024-28757 -- Prevent billion laughs attacks with isolated use of external parsers. Please see the commit message of commit 1d50b80cf31de87750103656f6eb693746854aa8 for details. : #839 #841 Reject direct parameter entity recursion and avoid the related undefined behavior. Other changes: Autotools: build for DOCBOOK_TO_MAN containing spaces Add missing #821 and #824 to 2.6.1 change log #838 #843 Version info bumped from 10:1:9 (libexpat*.so.1.9.1) to 10:2:9 (libexpat*.so.1.9.2); see https://verbump.de/ for what these numbers do. Special thanks to: Philippe Antoine Tomas Korbar and Clang UndefinedBehaviorSanitizer OSS-Fuzz / ClusterFuzz.
2.6.101 Mar 2024 10:05 minor feature: : Make tests independent of CPU speed, and thus more robust #828 #836 Expose billion laughs API with XML_DTD defined and XML_GE undefined, regression from 2.6.0. Other changes: Hide test-only code behind new internal macro Autotools: Reject expat_config.h.in defining SIZEOF_VOID_P Address compiler warnings #832 #834 Version info bumped from 10:0:9 (libexpat*.so.1.9.0) to 10:1:9 (libexpat*.so.1.9.1); see https://verbump.de/ for what these numbers do. Infrastructure: CI: Adapt to breaking changes in clang-format Special thanks to: David Hall Snild Dolkow.
2.6.011 Feb 2024 03:55 major bugfix: Security fixes: #789 #814 CVE-2023-52425 -- Fix quadratic runtime issues with big tokens that can cause denial of service, in partial where dealing with compressed XML input. Applications that parsed a document in one go -- a single call to functions XML_Parse or XML_ParseBuffer -- were not affected. The smaller the chunks/buffers you use for parsing previously, the bigger the problem prior to the fix. Backporters should be careful to no omit parts of pull request #789 and to include earlier pull request #771, in order to not break the fix. #777 CVE-2023-52426 -- Fix billion laughs attacks for users compiling *without* XML_DTD defined (which is not common). Users with XML_DTD defined have been protected since Expat =2.4.0 (and that was CVE-2013-0340 back then). Bug fixes: #753 Fix parse-size-dependent "invalid token" error for external entities that start with a byte order mark #780 Fix NULL pointer dereference in setContext via XML_ExternalEntityParserCreate for compilation with XML_DTD undefined #812 #813 Protect against closing entities out of order Other changes: #723 Improve support for arc4random/arc4random_buf #771 #788 Improve buffer growth in XML_GetBuffer and XML_Parse #761 #770 xmlwf: Support --help and --version #759 #770 xmlwf: Support custom buffer size for XML_GetBuffer and read #744 xmlwf: Improve language and URL clickability in help output #673 examples: Add new example "element_declarations.c" #764 Be stricter about macro XML_CONTEXT_BYTES at build time #765 Make inclusion to expat_config.h consist
2.5.011 Dec 2022 15:09 security: Security fixes: #616 #649 #650 CVE-2022-43680 -- Fix heap use-after-free after overeager destruction of a shared DTD in function XML_ExternalEntityParserCreate in out-of-memory situations. Expected impact is denial of service or potentially arbitrary code execution. Bug fixes: #612 #645 Fix corruption from undefined entities #613 #654 Fix case when parsing was suspended while processing nested entities #616 #652 #653 Stop leaking opening tag bindings after a closing tag mismatch error where a parser is reset through XML_ParserReset and then reused to parse #656 CMake: Fix generation of pkg-config file #658 MinGW CMake: Fix static library name Other changes: #663 Protect header expat_config.h from multiple inclusion #666 examples: Make use of XML_GetBuffer and be more consistent across examples #648 Address compiler warnings #667 #668 Version info bumped from 9:9:8 to 9:10:8; see https://verbump.de/ for what these numbers do Special thanks to: Jann Horn Mark Brand Osyotr Rhodri James and Google Project Zero
R_2_2_928 Sep 2019 20:08 minor feature: Changelog: https://github.com/libexpat/libexpat/blob/ version/expat/Changes