Expat 2.6.2

Expat is a stream-oriented XML parser library written in C99. It excels with files too large to fit in RAM, and where performance and flexibility are crucial. There are a number of applications, libraries and hardware using Expat, as well as bindings and 3rd-party wrappers. Expat is packaged everywhere.

Tags xml parser c c99 library
License MITL
State stable

Recent Releases

2.6.2  13 Mar 2024 21:36  minor bugfix:
Security fixes:
  #839 #842 CVE-2024-28757 -- Prevent billion laughs attacks with isolated use of external parsers. Please see the commit message of commit 1d50b80cf31de87750103656f6eb693746854aa8 for details.
Bug fixes:
  #839 #841 Reject direct parameter entity recursion and avoid the related undefined behavior.
Other changes:
  Autotools: Fix build for DOCBOOK_TO_MAN containing spaces
  Add missing #821 and #824 to 2.6.1 change log
  #838 #843 Version info bumped from 10:1:9 (libexpat*.so.1.9.1) to 10:2:9 (libexpat*.so.1.9.2); see https://verbump.de/ for what these numbers do.
Special thanks to: Philippe Antoine, Tomas Korbar, and Clang UndefinedBehaviorSanitizer, OSS-Fuzz / ClusterFuzz.

2.6.1  01 Mar 2024 10:05  minor feature:
Bug fixes:
  Make tests independent of CPU speed, and thus more robust
  #828 #836 Expose billion laughs API with XML_DTD defined and XML_GE undefined, regression from 2.6.0.
Other changes:
  Hide test-only code behind new internal macro
  Autotools: Reject expat_config.h.in defining SIZEOF_VOID_P
  Address compiler warnings
  #832 #834 Version info bumped from 10:0:9 (libexpat*.so.1.9.0) to 10:1:9 (libexpat*.so.1.9.1); see https://verbump.de/ for what these numbers do.
Infrastructure:
  CI: Adapt to breaking changes in clang-format
Special thanks to: David Hall, Snild Dolkow.

2.6.0  11 Feb 2024 03:55  major bugfix:
Security fixes:
  #789 #814 CVE-2023-52425 -- Fix quadratic runtime issues with big tokens that can cause denial of service, in particular when dealing with compressed XML input. Applications that parsed a document in one go -- a single call to functions XML_Parse or XML_ParseBuffer -- were not affected. The smaller the chunks/buffers you used for parsing previously, the bigger the problem prior to the fix. Backporters should be careful to not omit parts of pull request #789 and to include earlier pull request #771, in order to not break the fix.
  #777 CVE-2023-52426 -- Fix billion laughs attacks for users compiling *without* XML_DTD defined (which is not common). Users with XML_DTD defined have been protected since Expat >=2.4.0 (and that was CVE-2013-0340 back then).
Bug fixes:
  #753 Fix parse-size-dependent "invalid token" error for external entities that start with a byte order mark
  #780 Fix NULL pointer dereference in setContext via XML_ExternalEntityParserCreate for compilation with XML_DTD undefined
  #812 #813 Protect against closing entities out of order
Other changes:
  #723 Improve support for arc4random/arc4random_buf
  #771 #788 Improve buffer growth in XML_GetBuffer and XML_Parse
  #761 #770 xmlwf: Support --help and --version
  #759 #770 xmlwf: Support custom buffer size for XML_GetBuffer and read
  #744 xmlwf: Improve language and URL clickability in help output
  #673 examples: Add new example "element_declarations.c"
  #764 Be stricter about macro XML_CONTEXT_BYTES at build time
  #765 Make inclusion to expat_config.h consist

2.5.0  11 Dec 2022 15:09  security: Changelog: https://github.com/libexpat/libexpat/blob/R_2_5_0/expat/Changes

R_2_2_9  28 Sep 2019 20:08  minor feature: Changelog: https://github.com/libexpat/libexpat/blob/ version/expat/Changes