Expat is a stream-oriented XML parser library written in C99. It excels with files too large to fit RAM, and where performance and flexibility are crucial.
There are a number of applications, libraries and hardware using Expat, as well as bindings and 3rd-party wrappers. Expat is packaged everywhere.
Homepage
Download
Recent Releases
2.6.323 Nov 2024 06:05
minor bugfix:
Security :
#887 #890 CVE-2024-45490 -- Calling function XML_ParseBuffer with
len 0 without noticing and then calling XML_GetBuffer
will have XML_ParseBuffer fail to recognize the problem
and XML_GetBuffer corrupt memory.
With the, XML_ParseBuffer now complains with error
XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse
has been doing since Expat 2.2.1, and now documented.
Impact is denial of service to potentially artitrary code
execution.
#888 #891 CVE-2024-45491 -- Internal function dtdCopy can have an
integer overflow for nDefaultAtts on 32-bit platforms.
(where UINT_MAX equals SIZE_MAX).
Impact is denial of service to potentially artitrary code
execution.
#889 #892 CVE-2024-45492 -- Internal function nextScaffoldPart can
have an integer overflow for m_groupSize on 32-bit
platforms (where UINT_MAX equals SIZE_MAX).
Impact is denial of service to potentially artitrary code
execution.
Other changes:
#851 #879 Autotools: Sync CMake templates with CMake 3.28.
Autotools: Always provide path to find(1) for portability
Autotools: Ensure that the m4 directory always exists.
Autotools: Simplify handling of SIZEOF_VOID_P
Autotools: Support non-GNU sed
Autotools CMake: main() to main(void)
Autotools CMake: compile tests for HAVE_SYSCALL_GETRANDOM
Autotools CMake: Stop requiring dos2unix
#854 #855 CMake: check for symbols size_t and off_t.
docs tests: Convert README to Markdown and update
Windows: Drop support for Visual Studio
2.6.413 Nov 2024 23:44
major feature:
Security : CVE-2024-50602 -- crash within function XML_ResumeParser from a NULL pointer dereference by disallowing function XML_StopParser to (stop or) suspend an unstarted parser. A new error code XML_ERROR_NOT_STARTED was introduced to properly communicate this situation. // CWE-476 CWE-754. Other changes: CMake: Add alias target "expat::expat" docs: Document use via CMake =3.18 with FetchContent and SOURCE_SUBDIR and its consequences. tests: Reduce use of global parser instance tests: Resolve duplicate handler #317 #918 tests: Improve tests on doctype closing (ex CVE-2019-15903). signedness of format strings #919 #920 Version info bumped from 10:3:9 (libexpat*.so.1.9.3) to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/ for what these numbers do. Infrastructure: CI: Upgrade Clang from 18 to 19 CI: Drop macos-12 and add macos-15 CI: Adapt to breaking changes in GitHub Actions Add missing entries to.gitignore Special thanks to: Hanno Böck José Eduardo Gutiérrez Conejo José Ricardo Cardona Quesada.
2.6.213 Mar 2024 21:36
minor bugfix:
ecurity : #839 #842 CVE-2024-28757 -- Prevent billion laughs attacks with isolated use of external parsers. Please see the commit message of commit 1d50b80cf31de87750103656f6eb693746854aa8 for details. : #839 #841 Reject direct parameter entity recursion and avoid the related undefined behavior. Other changes: Autotools: build for DOCBOOK_TO_MAN containing spaces Add missing #821 and #824 to 2.6.1 change log #838 #843 Version info bumped from 10:1:9 (libexpat*.so.1.9.1) to 10:2:9 (libexpat*.so.1.9.2); see https://verbump.de/ for what these numbers do. Special thanks to: Philippe Antoine Tomas Korbar and Clang UndefinedBehaviorSanitizer OSS-Fuzz / ClusterFuzz.
2.6.101 Mar 2024 10:05
minor feature:
:
Make tests independent of CPU speed, and thus more robust
#828 #836 Expose billion laughs API with XML_DTD defined and
XML_GE undefined, regression from 2.6.0.
Other changes:
Hide test-only code behind new internal macro
Autotools: Reject expat_config.h.in defining SIZEOF_VOID_P
Address compiler warnings
#832 #834 Version info bumped from 10:0:9 (libexpat*.so.1.9.0)
to 10:1:9 (libexpat*.so.1.9.1); see https://verbump.de/
for what these numbers do.
Infrastructure:
CI: Adapt to breaking changes in clang-format
Special thanks to:
David Hall
Snild Dolkow.
2.6.011 Feb 2024 03:55
major bugfix:
Security fixes:
#789 #814 CVE-2023-52425 -- Fix quadratic runtime issues with big tokens
that can cause denial of service, in partial where
dealing with compressed XML input. Applications
that parsed a document in one go -- a single call to
functions XML_Parse or XML_ParseBuffer -- were not affected.
The smaller the chunks/buffers you use for parsing
previously, the bigger the problem prior to the fix.
Backporters should be careful to no omit parts of
pull request #789 and to include earlier pull request #771,
in order to not break the fix.
#777 CVE-2023-52426 -- Fix billion laughs attacks for users
compiling *without* XML_DTD defined (which is not common).
Users with XML_DTD defined have been protected since
Expat =2.4.0 (and that was CVE-2013-0340 back then).
Bug fixes:
#753 Fix parse-size-dependent "invalid token" error for
external entities that start with a byte order mark
#780 Fix NULL pointer dereference in setContext via
XML_ExternalEntityParserCreate for compilation with
XML_DTD undefined
#812 #813 Protect against closing entities out of order
Other changes:
#723 Improve support for arc4random/arc4random_buf
#771 #788 Improve buffer growth in XML_GetBuffer and XML_Parse
#761 #770 xmlwf: Support --help and --version
#759 #770 xmlwf: Support custom buffer size for XML_GetBuffer and read
#744 xmlwf: Improve language and URL clickability in help output
#673 examples: Add new example "element_declarations.c"
#764 Be stricter about macro XML_CONTEXT_BYTES at build time
#765 Make inclusion to expat_config.h consist
2.5.011 Dec 2022 15:09
security:
Changelog: https://github.com/libexpat/libexpat/blob/R_2_5_0/expat/Changes
R_2_2_928 Sep 2019 20:08
minor feature:
Changelog: https://github.com/libexpat/libexpat/blob/ version/expat/Changes