Upgrade to expat 2.2.1

Signed-off-by: mydongistiny <jaysonedson@gmail.com>
crdroidandroid · Jul 5, 2017 · 2302f15 · 2302f15
1 parent 0beb4e3
commit 2302f15
Show file tree

Hide file tree

Showing 24 changed files with 3,993 additions and 423 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -0,0 +1,29 @@
+# Copyright (C) 2017 Sebastian Pipping <sebastian@pipping.org>
+# Licensed under the MIT license
+
+language: cpp
+dist: trusty
+
+addons:
+  apt:
+    packages:
+      - docbook2x
+
+install:
+  - wget -O xmlts.zip https://www.w3.org/XML/Test/xmlts20080827.zip
+
+script:
+  - cd expat
+  - |
+    set -e
+    ret=0
+    for mode in \
+            address \
+            lib-coverage \
+            ; do
+        git clean -X -d -f
+        cp -v ../xmlts.zip tests/xmlts.zip
+        ./buildconf.sh
+        CFLAGS='-g -pipe' ./qa.sh ${mode} || ret=1
+    done
+    exit ${ret}
diff --git a/Changes b/Changes
@@ -1,3 +1,122 @@
+NOTE: We are looking for help with a few things:
+      https://github.com/libexpat/libexpat/labels/help%20wanted
+      If you can help, please get in touch.  Thanks!
+
+Release 2.2.1 Sat June 17 2017
+        Security fixes:
+                  CVE-2017-9233 -- External entity infinite loop DoS
+                    Details: https://libexpat.github.io/doc/cve-2017-9233/
+                    Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
+   [MOX-002]      CVE-2016-9063 -- Detect integer overflow; commit
+                    d4f735b88d9932bd5039df2335eefdd0723dbe20
+                    (Fixed version of existing downstream patches!)
+   (SF.net) #539  Fix regression from fix to CVE-2016-0718 cutting off
+                    longer tag names; commits
+                    * 896b6c1fd3b842f377d1b62135dccf0a579cf65d
+                    * af507cef2c93cb8d40062a0abe43a4f4e9158fb2
+             #16    * 0dbbf43fdb20f593ddf4fa1ff67288000dd4a7fd
+             #25  More integer overflow detection (function poolGrow); commits
+                    * 810b74e4703dcfdd8f404e3cb177d44684775143
+                    * 44178553f3539ce69d34abee77a05e879a7982ac
+   [MOX-002]      Detect overflow from len=INT_MAX call to XML_Parse; commits
+                    * 4be2cb5afcc018d996f34bbbce6374b7befad47f
+                    * 7e5b71b748491b6e459e5c9a1d090820f94544d8
+   [MOX-005] #30  Use high quality entropy for hash initialization:
+                    * arc4random_buf on BSD, systems with libbsd
+                      (when configured with --with-libbsd), CloudABI
+                    * RtlGenRandom on Windows XP / Server 2003 and later
+                    * getrandom on Linux 3.17+
+                    In a way, that's still part of CVE-2016-5300.
+                    https://github.com/libexpat/libexpat/pull/30/commits
+   [MOX-005]      For the low quality entropy extraction fallback code,
+                    the parser instance address can no longer leak, commit
+                    04ad658bd3079dd15cb60fc67087900f0ff4b083
+   [MOX-003]      Prevent use of uninitialised variable; commit
+   [MOX-004]        a4dc944f37b664a3ca7199c624a98ee37babdb4b
+                  Add missing parameter validation to public API functions
+                    and dedicated error code XML_ERROR_INVALID_ARGUMENT:
+   [MOX-006]        * NULL checks; commits
+                      * d37f74b2b7149a3a95a680c4c4cd2a451a51d60a (merge/many)
+                      * 9ed727064b675b7180c98cb3d4f75efba6966681
+                      * 6a747c837c50114dfa413994e07c0ba477be4534
+                    * Negative length (XML_Parse); commit
+   [MOX-002]          70db8d2538a10f4c022655d6895e4c3e78692e7f
+   [MOX-001] #35  Change hash algorithm to William Ahern's version of SipHash
+                    to go further with fixing CVE-2012-0876.
+                    https://github.com/libexpat/libexpat/pull/39/commits
+
+        Bug fixes:
+             #32  Fix sharing of hash salt across parsers;
+                    relevant where XML_ExternalEntityParserCreate is called
+                    prior to XML_Parse, in particular (e.g. FBReader)
+             #28  xmlwf: Auto-disable use of memory-mapping (and parsing
+                    as a single chunk) for files larger than ~1 GB (2^30 bytes)
+                    rather than failing with error "out of memory"
+              #3  Fix double free after malloc failure in DTD code; commit
+                    7ae9c3d3af433cd4defe95234eae7dc8ed15637f
+             #17  Fix memory leak on parser error for unbound XML attribute
+                    prefix with new namespaces defined in the same tag;
+                    found by Google's OSS-Fuzz; commits
+                    * 16f87daae5a16132e479e4f71862128c7a915c73
+                    * b47dbc9745932c160893d433220e462bd605f8cd
+                  xmlwf on Windows: Add missing calls to CloseHandle
+
+        New features:
+             #30  Introduced environment switch EXPAT_ENTROPY_DEBUG=1
+                    for runtime debugging of entropy extraction
+
+        Other changes:
+                  Increase code coverage
+             #33  Reject use of XML_UNICODE_WCHAR_T with sizeof(wchar_t) != 2;
+                    XML_UNICODE_WCHAR_T was never meant to be used outside
+                    of Windows; 4-byte wchar_t is common on Linux
+   (SF.net) #538  Start using -fno-strict-aliasing
+   (SF.net) #540  Support compilation against cloudlibc of CloudABI
+                  Allow MinGW cross-compilation
+   (SF.net) #534  CMake: Introduce option "BUILD_doc" (enabled by default)
+                    to bypass compilation of the xmlwf.1 man page
+   (SF.net)  pr2  CMake: Introduce option "INSTALL" (enabled by default)
+                    to bypass installation of expat files
+                  CMake: Fix ninja support
+                  Autotools: Add parameters --enable-xml-context [COUNT]
+                    and --disable-xml-context; default of context of 1024
+                    bytes enabled unchanged
+             #14  Drop AmigaOS 4.x code and includes
+             #14  Drop ancient build systems:
+                    * Borland C++ Builder
+                    * OpenVMS
+                    * Open Watcom
+                    * Visual Studio 6.0
+                    * Pre-X Mac OS (MPW Makefile)
+                    If you happen to rely on some of these, please get in
+                    touch for joining with maintenance.
+             #10  Move from WIN32 to _WIN32
+             #13  Fix "make run-xmltest" order instability
+                  Address compile warnings
+                  Bump version info from 7:2:6 to 7:3:6
+                  Add AUTHORS file
+
+        Infrastructure:
+              #1  Migrate from SourceForge to GitHub (except downloads):
+                    https://github.com/libexpat/
+              #1  Re-create http://libexpat.org/ project website
+                  Start utilizing Travis CI
+
+        Special thanks to:
+            Andy Wang
+            Don Lewis
+            Ed Schouten
+            Karl Waclawek
+            Pascal Cuoq
+            Rhodri James
+            Sergei Nikulov
+            Tobias Taschner
+            Viktor Szakats
+                 and
+            Core Infrastructure Initiative
+            Mozilla Foundation (MOSS Track 3: Secure Open Source)
+            Radically Open Security
+
 Release 2.2.0 Tue June 21 2016
         Security fixes:
             #537  CVE-2016-0718 -- Fix crash on malformed input
@@ -63,24 +182,25 @@ Release 2.1.1 Sat March 12 2016
             libtool now invoked with --verbose
 
 Release 2.1.0 Sat March 24 2012
+        - Security fixes:
+          #2958794: CVE-2012-1148 - Memory leak in poolGrow.
+          #2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
+          #3496608: CVE-2012-0876 - Hash DOS attack.
+          #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
+          #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
         - Bug Fixes:
           #1742315: Harmful XML_ParserCreateNS suggestion.
-          #2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
           #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
           #1983953, 2517952, 2517962, 2649838: 
                 Build modifications using autoreconf instead of buildconf.sh.
           #2815947, #2884086: OBJEXT and EXEEXT support while building.
-          #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
           #2517938: xmlwf should return non-zero exit status if not well-formed.
           #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml.
           #2855609: Dangling positionPtr after error.
-          #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
-          #2958794: CVE-2012-1148 - Memory leak in poolGrow.
           #2990652: CMake support.
           #3010819: UNEXPECTED_STATE with a trailing "%" in entity value.
           #3206497: Unitialized memory returned from XML_Parse.
           #3287849: make check fails on mingw-w64.
-          #3496608: CVE-2012-0876 - Hash DOS attack.
         - Patches:
           #1749198: pkg-config support.
           #3010222: Fix for bug #3010819.

diff --git a/NOTICE b/NOTICE
@@ -1,5 +1,5 @@
 Copyright (c) 1998-2000 Thai Open Source Software Center Ltd and Clark Cooper
-Copyright (c) 2001-2016 Expat maintainers
+Copyright (c) 2001-2017 Expat maintainers
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

diff --git a/doc/reference.html b/doc/reference.html
@@ -277,7 +277,7 @@ <h3>Building under Win32</h3>
 <p>If you're using the GNU compiler under cygwin, follow the Unix
 directions in the next section. Otherwise if you have Microsoft's
 Developer Studio installed, then from Windows Explorer double-click on
-"expat.dsp" in the lib directory and build and install in the usual
+"expat.vcxproj" in the lib directory and build and install in the usual
 manner.</p>
 
 <p>Alternatively, you may download the Win32 binary package that

diff --git a/examples/elements.c b/examples/elements.c
@@ -6,11 +6,7 @@
 */
 
 #include <stdio.h>
-#include "expat.h"
-
-#if defined(__amigaos__) && defined(__USE_INLINE__)
-#include <proto/expat.h>
-#endif
+#include <expat.h>
 
 #ifdef XML_LARGE_SIZE
 #if defined(XML_USE_MSC_EXTENSIONS) && _MSC_VER < 1400

diff --git a/examples/outline.c b/examples/outline.c
@@ -25,10 +25,6 @@
 #include <stdio.h>
 #include <expat.h>
 
-#if defined(__amigaos__) && defined(__USE_INLINE__)
-#include <proto/expat.h>
-#endif
-
 #ifdef XML_LARGE_SIZE
 #if defined(XML_USE_MSC_EXTENSIONS) && _MSC_VER < 1400
 #define XML_FMT_INT_MOD "I64"

diff --git a/expat/AUTHORS b/expat/AUTHORS
@@ -0,0 +1,10 @@
+Expat is brought to you by:
+
+Clark Cooper
+Fred L. Drake, Jr.
+Greg Stein
+James Clark
+Karl Waclawek
+Rhodri James
+Sebastian Pipping
+Steven Solie