
Lines Matching +full:oss +full:- +full:fuzz +full:- +full:project +full:- +full:name

7   #616 #649 #650  CVE-2022-43680 -- Fix heap use-after-free after overeager
9 XML_ExternalEntityParserCreate in out-of-memory situations
13 #629 #640 CVE-2022-40674 -- Heap use-after-free vulnerability in
31 #34 #466 #484 CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
32 (denial-of-service; flavors targeting CPU time or RAM or both,
40 - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to
42 - Two new API functions ..
43 - XML_SetBillionLaughsAttackProtectionMaximumAmplification and
44 - XML_SetBillionLaughsAttackProtectionActivationThreshold
47 If you ever need to increase the defaults for non-attack XML
49 - Two new XML_FEATURE_* constants ..
50 - that can be queried using the XML_GetFeatureList function, and
51 - that are shown in "xmlwf -v" output.
52 - Two new environment variable switches ..
53 - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and
54 - EXPAT_ENTITY_DEBUG=(0|1)
57 - Two new command line arguments "-a FACTOR" and "-b BYTES"
60 If you ever need to increase the defaults for non-attack XML
64 #332 #470 For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake)
65 or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault
66 for UTF-16 payloads containing CDATA sections.
67 #485 #486 Autotools: Fix generated CMake files for non-64bit and
68 non-Linux platforms (e.g. macOS and MinGW in particular)
92 #476 #482 CI: Adapt to breaking changes in image "ubuntu-18.04"
93 #477 CI: Cover well-formedness and DocBook/XHTML validity
105 Google Project Zero
109 OSS-Fuzz
120 - malformed input files (documented) and
121 - invalid command-line arguments (undocumented).
122 The case of invalid command-line arguments now
126 #439 xmlwf: Add argument -k to allow continuing after
127 non-fatal errors
128 #439 xmlwf: Add section about exit status to the -h help output
132 #382 #428 testrunner: Make verbose mode (argument "-v") report
137 #448 Document use of libexpat from a CMake-based project
173 when used with "-d DIRECTORY"
175 #383 #392 Autotools: Use -Werror while configure tests the compiler
181 on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
183 involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
184 #360 CMake: Install pre-compiled shipped xmlwf.1 manpage in case
185 of -DEXPAT_BUILD_DOCS=OFF
187 #407 #408 CMake: Keep expat target name constant at "expat"
188 (i.e. refrain from using the target name to control
190 #385 CMake: Fix compilation with -DEXPAT_SHARED_LIBS=OFF for
192 CMake: Expose man page compilation as target "xmlwf-manpage"
194 to control generation of pkg-config file "expat.pc"
197 #366 CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with
198 default OFF to build fuzzer code against OSS-Fuzz and
200 #354 Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF, each
224 #349 Windows: Change the name of the Windows DLLs from expat*.dll
228 case-insensitive file systems on Windows and the fact that
238 #317 #318 CVE-2019-15903 -- Fix heap overflow triggered by
246 #341 xmlwf: Fix exit code for operation without "-d DIRECTORY";
247 previously, only "-d DIRECTORY" would give you a proper
249 # xmlwf -d . <<<'<not well-formed>' 2>/dev/null ; echo $?
251 # xmlwf <<<'<not well-formed>' 2>/dev/null ; echo $?
264 #322 Windows: Remove explicit MSVC solution and project files.
266 CMake, e.g.: cmake -G"Visual Studio 15 2017" .
267 #338 xmlwf: Make "xmlwf -h" help output more friendly
269 #244 #264 Autotools: Add argument --enable-xml-attr-info
271 --with-getrandom
272 --without-getrandom
273 --with-sys-getrandom
274 --without-sys-getrandom
276 Autotools: Fix "make run-xmltest" for out-of-source builds
279 - BUILD_doc -> EXPAT_BUILD_DOCS (plural)
280 - BUILD_examples -> EXPAT_BUILD_EXAMPLES
281 - BUILD_shared -> EXPAT_SHARED_LIBS
282 - BUILD_tests -> EXPAT_BUILD_TESTS
283 - BUILD_tools -> EXPAT_BUILD_TOOLS
284 - DOCBOOK_TO_MAN -> DOCBOOK_TO_MAN (unchanged)
285 - INSTALL -> EXPAT_ENABLE_INSTALL
286 - MSVC_USE_STATIC_CRT -> EXPAT_MSVC_STATIC_CRT
287 - USE_libbsd -> EXPAT_WITH_LIBBSD
288 - WARNINGS_AS_ERRORS -> EXPAT_WARNINGS_AS_ERRORS
289 - XML_CONTEXT_BYTES -> EXPAT_CONTEXT_BYTES
290 - XML_DEV_URANDOM -> EXPAT_DEV_URANDOM
291 - XML_DTD -> EXPAT_DTD
292 - XML_NS -> EXPAT_NS
293 - XML_UNICODE -> EXPAT_CHAR_TYPE=ushort (!)
294 - XML_UNICODE_WCHAR_T -> EXPAT_CHAR_TYPE=wchar_t (!)
295 #244 #264 CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF),
297 #326 CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF),
299 #328 CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF),
302 -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO
303 -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO
310 i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON)
313 -DCMAKE_TOOLCHAIN_FILE=[expat]/cmake/mingw-toolchain.cmake
314 #330 CMake: Port "make run-xmltest" from GNU Autotools to CMake
319 #308 CMake: Integrate OSS-Fuzz fuzzers, option
320 -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF
328 #24 #293 Mass-apply clang-format 9 (and ensure conformance during CI)
344 #186 #262 CVE-2018-20843 -- Fix extraction of namespace prefixes from
348 use for denial-of-service attacks
351 #195 #197 Autotools/CMake: Utilize -fvisibility=hidden to stop
352 exporting non-API symbols
353 #227 Autotools: Add --without-examples and --without-tests
355 #245 #246 Autotools: Fix check for -fvisibility=hidden for Clang
356 #247 #248 Autotools: Fix compilation for lack of docbook2x-man
380 #204 #205 Fix 2.2.5 regression with suspend-resume while parsing
384 #165 #168 Autotools: Fix docbook-related configure syntax error
385 #166 Autotools: Avoid grep option `-q` for Solaris
387 ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation"
391 #181 Autotools: Drop -rpath option passed to libtool
399 #176 CMake: Create the same pkg-config file as with GNU Autotools
439 #106 xmlwf: Add argument -N adding notation declarations
444 Windows: Upgrade shipped project files to Visual Studio 2017
445 #33 #132 tests: Mass-fix compilation for XML_UNICODE_WCHAR_T
449 Windows or MinGW for 2-byte wchar_t
454 #153 #155 Improve docbook2x-man detection
472 #115 Fix copying of partial characters for UTF-8 input
475 #109 Fix "make check" for non-x86 architectures that default
476 to unsigned type char (-128..127 rather than 0..255)
477 #109 coverage.sh: Cover -funsigned-char
478 Autotools: Introduce --without-xmlwf argument
480 #43 CMake: Auto-detect high quality entropy extractors, add new
482 #74 CMake: Add -fno-strict-aliasing only where supported
484 #114 CMake: Compile man page if docbook2x-man is available, only
486 (required for "make run-xmltest")
500 #82 CVE-2017-11742 -- Windows: Fix DLL hijacking vulnerability
511 #81 Pre-10.7/Lion macOS: Support entropy from arc4random
512 #86 Check that a UTF-16 encoding in an XML declaration has the
518 Ensure that user-defined character encodings have converter
520 Fix misleading description of argument -c in xmlwf.1
544 Unintended use of LoadLibraryW with a non-wide string
552 [MOX-006] Fix non-NULL parser parameter validation in XML_Parse;
568 #72 CMake: Ease use of Expat in context of a parent project
571 #76 Address compile warning with -DNDEBUG (not recommended!)
590 CVE-2017-9233 -- External entity infinite loop DoS
591 Details: https://libexpat.github.io/doc/cve-2017-9233/
593 [MOX-002] CVE-2016-9063 -- Detect integer overflow; commit
596 (SF.net) #539 Fix regression from fix to CVE-2016-0718 cutting off
604 [MOX-002] Detect overflow from len=INT_MAX call to XML_Parse; commits
607 [MOX-005] #30 Use high quality entropy for hash initialization:
609 (when configured with --with-libbsd), CloudABI
612 In a way, that's still part of CVE-2016-5300.
614 [MOX-005] For the low quality entropy extraction fallback code,
617 [MOX-003] Prevent use of uninitialised variable; commit
618 [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b
621 [MOX-006] * NULL checks; commits
626 [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f
627 [MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash
628 to go further with fixing CVE-2012-0876.
635 #28 xmlwf: Auto-disable use of memory-mapping (and parsing
642 found by Google's OSS-Fuzz; commits
655 of Windows; 4-byte wchar_t is common on Linux
656 (SF.net) #538 Start using -fno-strict-aliasing
658 Allow MinGW cross-compilation
664 Autotools: Add parameters --enable-xml-context [COUNT]
665 and --disable-xml-context; default of context of 1024
673 * Pre-X Mac OS (MPW Makefile)
677 #13 Fix "make run-xmltest" order instability
685 #1 Re-create http://libexpat.org/ project website
705 #537 CVE-2016-0718 -- Fix crash on malformed input
706 CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
707 CVE-2015-2716 introduced with Expat 2.1.1
708 #499 CVE-2016-5300 -- Use more entropy for hash initialization
709 than the original fix to CVE-2012-0876
710 #519 CVE-2012-6702 -- Resolve troublesome internal call to srand
712 when addressing CVE-2012-0876 (issue #496)
717 Fix detection of UTF-8 character boundaries
724 Autotools: Fix "make run-xmltest"
725 Autotools: Have "make run-xmltest" check for expected output
727 #536 CMake: Add soversion, support -DNO_SONAME=yes to bypass
733 -fvisibility=hidden
754 #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer
759 Output of "xmlwf -h" was incomplete
765 libtool now invoked with --verbose
768 - Security fixes:
769 #2958794: CVE-2012-1148 - Memory leak in poolGrow.
770 #2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
771 #3496608: CVE-2012-0876 - Hash DOS attack.
772 #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
773 #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
774 - Bug Fixes:
776 #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
780 #2517938: xmlwf should return non-zero exit status if not well-formed.
786 #3287849: make check fails on mingw-w64.
787 - Patches:
788 #1749198: pkg-config support.
792 - New Features / API changes:
801 Added run-benchmark target to Makefile.in - relies on testdata module
805 - Fixed bugs #1515266, #1515600: The character data handler's calling
808 - Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed
810 - Minor cleanups of the test harness.
811 - Fixed xmlwf bug #1513566: "out of memory" error on file size zero.
812 - Fixed outline.c bug #1543233: missing a final XML_ParserFree() call.
813 - Fixes and improvements for Windows platform:
815 - Build fixes for various platforms:
816 HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180.
819 without relying on GNU-Make specific features.
821 - Fixes to Makefile.in to have make check work correctly:
823 - Added Open Watcom support: patch #1523242.
826 - We no longer use the "check" library for C unit testing; we
828 - Report XML_NS setting via XML_GetFeatureList().
829 - Fixed headers for use from C++.
830 - XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber()
832 - Added XML_LARGE_SIZE switch to enable 64-bit integers for
834 - Updated to use libtool 1.5.22 (the most recent).
835 - Added support for AmigaOS.
836 - Some mostly minor bug fixes. SF issues include: #1006708,
840 - Major new feature: suspend/resume. Handlers can now request
844 - Some mostly minor bug fixes, but compilation should no
850 - Fixed enum XML_Status issue (reported on SourceForge many
852 - Introduced an XMLCALL macro to control the calling
857 - Improved ability to build without the configure-generated
860 - Fixed a variety of bugs: see SF issues #458907, #609603,
863 - Improved hash table lookups.
864 - Added more regression tests and improved documentation.
867 - Added XML_FreeContentModel().
868 - Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree().
869 - Fixed a variety of bugs: see SF issues #615606, #616863,
871 - Enhanced the regression test suite.
872 - Man page improvements: includes SF issue #632146.
875 - Added XML_UseForeignDTD() for improved SAX2 support.
876 - Added XML_GetFeatureList().
877 - Defined XML_Bool type and the values XML_TRUE and XML_FALSE.
878 - Use an incomplete struct instead of a void* for the parser
880 - Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected.
881 - Finally fixed bug where default handler would report DTD
884 - Removed unnecessary DllMain() function that caused static
886 - Added VC++ projects for building static libraries.
887 - Reduced line-length for all source code and headers to be
889 - Reduced memory copying during parsing (SF patch #600964).
890 - Fixed a variety of bugs: see SF issues #580793, #434664,
895 - Added support for VMS, contributed by Craig Berry. See
897 - Added Mac OS (classic) support, with a makefile for MPW,
899 - Added Borland C++ Builder 5 / BCC 5.5 support, contributed
901 - Fixed a variety of bugs: see SF issues #441449, #563184,
903 - Made skippedEntityHandler conform to SAX2 (see source comment)
904 - Re-implemented WFC: Entity Declared from XML 1.0 spec and
907 - Re-implemented section 5.1 from XML 1.0 spec:
911 - Added a project to the MSVC workspace to create a wchar_t
913 - Changed the name of the Windows DLLs from expat.dll to
915 - Added the XML_ParserReset() API function.
916 - Fixed XML_SetReturnNSTriplet() to work for element names.
917 - Made the XML_UNICODE builds usable (thanks, Karl!).
918 - Allow xmlwf to read from standard input.
919 - Install a man page for xmlwf on Unix systems.
920 - Fixed many bugs; see SF bug reports #231864, #461380, #464837,
926 - More changes to make MSVC happy with the build; add a single
928 - Added a Windows installer for Windows users; includes
930 - Added compile-time constants that can be used to determine the
932 - Removed a lot of GNU-specific dependencies to aid portability
934 - Fix the UTF-8 BOM bug.
935 - Cleaned up warning messages for several compilers.
936 - Added the -Wall, -Wstrict-prototypes options for GCC.
939 - Changes to get expat to build under Microsoft compiler
940 - Removed all aborts and instead return an UNEXPECTED_STATE error.
941 - Fixed a bug where a stray '%' in an entity value would cause an
943 - Defined XML_SetEndNamespaceDeclHandler. Thanks to Darryl Miles for
945 - Changed default patterns in lib/Makefile.in to fit non-GNU makes
948 - The reference had the wrong label for XML_SetStartNamespaceDecl.
952 - XML_ParserCreate_MM
955 - XML_SetReturnNSTriplet
958 are returned as "uri|name|prefix" where '|' is whatever
960 - Merged in features from perl-expat
971 - Added reference material
972 - Packaged into a distribution that builds a sharable library