Import expat 2.2.8

Release 2.2.8 Fri Septemper 13 2019
Security fixes:
#317 #318 CVE-2019-15903 -- Fix heap overflow triggered by
XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber),
and deny internal entities closing the doctype;
fixed in commit c20b758c332d9a13afbbb276d30db1d183a85d43

Bug fixes:
#240 Fix cases where XML_StopParser did not have any effect
when called from inside of an end element handler
#341 xmlwf: Fix exit code for operation without "-d DIRECTORY";
previously, only "-d DIRECTORY" would give you a proper
exit code:
# xmlwf -d . <<<'<not well-formed>' 2>/dev/null ; echo $?
2
# xmlwf <<<'<not well-formed>' 2>/dev/null ; echo $?
0
Now both cases return exit code 2.

Other changes:
#299 #302 Windows: Replace LoadLibrary hack to access
unofficial API function SystemFunction036 (RtlGenRandom)
by using official API function rand_s (needs WinXP+)
#325 Windows: Drop support for Visual Studio <=7.1/2003
and document supported compilers in README.md
#286 Windows: Remove COM code from xmlwf; in case it turns
out needed later, there will be a dedicated repository
below https://github.com/libexpat/ for that code
#322 Windows: Remove explicit MSVC solution and project files.
You can generate Visual Studio solution files through
CMake, e.g.: cmake -G"Visual Studio 15 2017" .
#338 xmlwf: Make "xmlwf -h" help output more friendly
#339 examples: Improve elements.c
#244 #264 Autotools: Add argument --enable-xml-attr-info
#239 #301 Autotools: Add arguments
--with-getrandom
--without-getrandom
--with-sys-getrandom
--without-sys-getrandom
#312 #343 Autotools: Fix linking issues with "./configure LD=clang"
Autotools: Fix "make run-xmltest" for out-of-source builds
#329 #336 CMake: Pull all options from Expat <=2.2.7 into namespace
prefix EXPAT_ with the exception of DOCBOOK_TO_MAN:
- BUILD_doc -> EXPAT_BUILD_DOCS (plural)
- BUILD_examples -> EXPAT_BUILD_EXAMPLES
- BUILD_shared -> EXPAT_SHARED_LIBS
- BUILD_tests -> EXPAT_BUILD_TESTS
- BUILD_tools -> EXPAT_BUILD_TOOLS
- DOCBOOK_TO_MAN -> DOCBOOK_TO_MAN (unchanged)
- INSTALL -> EXPAT_ENABLE_INSTALL
- MSVC_USE_STATIC_CRT -> EXPAT_MSVC_STATIC_CRT
- USE_libbsd -> EXPAT_WITH_LIBBSD
- WARNINGS_AS_ERRORS -> EXPAT_WARNINGS_AS_ERRORS
- XML_CONTEXT_BYTES -> EXPAT_CONTEXT_BYTES
- XML_DEV_URANDOM -> EXPAT_DEV_URANDOM
- XML_DTD -> EXPAT_DTD
- XML_NS -> EXPAT_NS
- XML_UNICODE -> EXPAT_CHAR_TYPE=ushort (!)
- XML_UNICODE_WCHAR_T -> EXPAT_CHAR_TYPE=wchar_t (!)
#244 #264 CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF),
default OFF
#326 CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF),
default OFF
#328 CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF),
default OFF
#239 #277 CMake: Add arguments
-DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO
-DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO
#326 CMake: Install expat_config.h to include directory
#326 CMake: Generate and install configuration files for
future find_package(expat [..] CONFIG [..])
CMake: Now produces a summary of applied configuration
CMake: Require C++ compiler only when tests are enabled
#330 CMake: Fix compilation for 16bit character types,
i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON)
#265 CMake: Fix linking with MinGW
#330 CMake: Add full support for MinGW; to enable, use
-DCMAKE_TOOLCHAIN_FILE=[expat]/cmake/mingw-toolchain.cmake
#330 CMake: Port "make run-xmltest" from GNU Autotools to CMake
#316 CMake: Windows: Make binary postfix match MSVC
Old: expat[d].lib
New: expat[w][d][MD|MT].lib
CMake: Migrate files from Windows to Unix line endings
#308 CMake: Integrate OSS-Fuzz fuzzers, option
-DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF
#14 Drop an OpenVMS support leftover
#235 #268 ..
#270 #310 ..
#313 #331 #333 Address compiler warnings
#282 #283 ..
#284 #285 Address cppcheck warnings
#294 #295 Address Clang Static Analyzer warnings
#24 #293 Mass-apply clang-format 9 (and ensure conformance during CI)
Version info bumped from 7:9:6 to 7:10:6

Special thanks to:
David Loffredo
Joonun Jang
Khajapasha Mohammed
Kishore Kunche
Marco Maggi
Mitch Phillips
Rolf Ade
xantares
Zhongyuan Zhou

from Changes:
Release 2.2.0 Tue June 21 2016
Security fixes:
#537 CVE-2016-0718 -- Fix crash on malformed input
CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
CVE-2015-2716 introduced with Expat 2.1.1
#499 CVE-2016-5300 -- Use more entropy for hash initialization
than the original fix to CVE-2012-0876
#519 CVE-2012-6702 -- Resolve troublesome internal call to srand
that was introduced with Expat 2.1.0
when addressing CVE-2012-0876 (issue #496)

Bug fixes:
Fix uninitialized reads of size 1
(e.g. in little2_updatePosition)
Fix detection of UTF-8 character boundaries

Other changes:
#532 Fix compilation for Visual Studio 2010 (keyword "C99")
Autotools: Resolve use of "$<" to better support bmake
Autotools: Add QA script "qa.sh" (and make target "qa")
Autotools: Respect CXXFLAGS if given
Autotools: Fix "make run-xmltest"
Autotools: Have "make run-xmltest" check for expected output
p90 CMake: Fix static build (BUILD_shared=OFF) on Windows
#536 CMake: Add soversion, support -DNO_SONAME=yes to bypass
#323 CMake: Add suffix "d" to differentiate debug from release
CMake: Define WIN32 with CMake on Windows
Annotate memory allocators for GCC
Address all currently known compile warnings
Make sure that API symbols remain visible despite
-fvisibility=hidden
Remove executable flag from source files
Resolve COMPILED_FROM_DSP in favor of WIN32

branches: 1.1.1.3.2; 1.1.1.3.4;
Import of a new expat version. Upstream Changes:

Release 2.1.1 Sat March 12 2016
Security fixes:
#582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer

Bug fixes:
#502: Fix potential null pointer dereference
#520: Symbol XML_SetHashSalt was not exported
Output of "xmlwf -h" was incomplete

Other changes
#503: Document behavior of calling XML_SetHashSalt with salt 0
Minor improvements to man page xmlwf(1)
Improvements to the experimental CMake build system
libtool now invoked with --verbose

branches: 1.1.1.2.2; 1.1.1.2.12; 1.1.1.2.14;
import of expat 2.1.0
Fixes CVE-2012-1147, CVE-2012-1148 and CVE-2012-0876 (other security
issues have been previously fixed in our tree)

relevant Changes:
Release 2.1.0 Sat March 24 2012
- Bug Fixes:
#1742315: Harmful XML_ParserCreateNS suggestion.
#2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
#1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
#1983953, 2517952, 2517962, 2649838:
Build modifications using autoreconf instead of buildconf.sh.
#2815947, #2884086: OBJEXT and EXEEXT support while building.
#1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
#2517938: xmlwf should return non-zero exit status if not well-formed.
#2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml.
#2855609: Dangling positionPtr after error.
#2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
#2958794: CVE-2012-1148 - Memory leak in poolGrow.
#2990652: CMake support.
#3010819: UNEXPECTED_STATE with a trailing "%" in entity value.
#3206497: Unitialized memory returned from XML_Parse.
#3287849: make check fails on mingw-w64.
#3496608: CVE-2012-0876 - Hash DOS attack.
- Patches:
#1749198: pkg-config support.
#3010222: Fix for bug #3010819.
#3312568: CMake support.
#3446384: Report byte offsets for attr names and values.
- New Features / API changes:
Added new API member XML_SetHashSalt() that allows setting an intial
value (salt) for hash calculations. This is part of the fix for
bug #3496608 to randomize hash parameters.
When compiled with XML_ATTR_INFO defined, adds new API member
XML_GetAttributeInfo() that allows retrieving the byte
offsets for attribute names and values (patch #3446384).
Added CMake build system.
See bug #2990652 and patch #3312568.
Added run-benchmark target to Makefile.in - relies on testdata module
present in the same relative location as in the repository.

branches: 1.1.1.1.2; 1.1.1.1.6; 1.1.1.1.8;
Initial import of "expat" 2.0.1 into base:
This is James Clark's expat XML parser library in C. It is a stream
oriented parser that requires setting handlers to deal with the
structure that the parser discovers in the document.

This is the first part of the fix for PR lib/40346.

from Changes:
Release 2.2.0 Tue June 21 2016
Security fixes:
#537 CVE-2016-0718 -- Fix crash on malformed input
CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
CVE-2015-2716 introduced with Expat 2.1.1
#499 CVE-2016-5300 -- Use more entropy for hash initialization
than the original fix to CVE-2012-0876
#519 CVE-2012-6702 -- Resolve troublesome internal call to srand
that was introduced with Expat 2.1.0
when addressing CVE-2012-0876 (issue #496)

Bug fixes:
Fix uninitialized reads of size 1
(e.g. in little2_updatePosition)
Fix detection of UTF-8 character boundaries

Other changes:
#532 Fix compilation for Visual Studio 2010 (keyword "C99")
Autotools: Resolve use of "$<" to better support bmake
Autotools: Add QA script "qa.sh" (and make target "qa")
Autotools: Respect CXXFLAGS if given
Autotools: Fix "make run-xmltest"
Autotools: Have "make run-xmltest" check for expected output
p90 CMake: Fix static build (BUILD_shared=OFF) on Windows
#536 CMake: Add soversion, support -DNO_SONAME=yes to bypass
#323 CMake: Add suffix "d" to differentiate debug from release
CMake: Define WIN32 with CMake on Windows
Annotate memory allocators for GCC
Address all currently known compile warnings
Make sure that API symbols remain visible despite
-fvisibility=hidden
Remove executable flag from source files
Resolve COMPILED_FROM_DSP in favor of WIN32

Import of a new expat version. Upstream Changes:

Release 2.1.1 Sat March 12 2016
Security fixes:
#582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer

Bug fixes:
#502: Fix potential null pointer dereference
#520: Symbol XML_SetHashSalt was not exported
Output of "xmlwf -h" was incomplete

Other changes
#503: Document behavior of calling XML_SetHashSalt with salt 0
Minor improvements to man page xmlwf(1)
Improvements to the experimental CMake build system
libtool now invoked with --verbose

branches: 1.1.1.2.2; 1.1.1.2.12; 1.1.1.2.14;
import of expat 2.1.0
Fixes CVE-2012-1147, CVE-2012-1148 and CVE-2012-0876 (other security
issues have been previously fixed in our tree)

relevant Changes:
Release 2.1.0 Sat March 24 2012
- Bug Fixes:
#1742315: Harmful XML_ParserCreateNS suggestion.
#2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
#1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
#1983953, 2517952, 2517962, 2649838:
Build modifications using autoreconf instead of buildconf.sh.
#2815947, #2884086: OBJEXT and EXEEXT support while building.
#1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
#2517938: xmlwf should return non-zero exit status if not well-formed.
#2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml.
#2855609: Dangling positionPtr after error.
#2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
#2958794: CVE-2012-1148 - Memory leak in poolGrow.
#2990652: CMake support.
#3010819: UNEXPECTED_STATE with a trailing "%" in entity value.
#3206497: Unitialized memory returned from XML_Parse.
#3287849: make check fails on mingw-w64.
#3496608: CVE-2012-0876 - Hash DOS attack.
- Patches:
#1749198: pkg-config support.
#3010222: Fix for bug #3010819.
#3312568: CMake support.
#3446384: Report byte offsets for attr names and values.
- New Features / API changes:
Added new API member XML_SetHashSalt() that allows setting an intial
value (salt) for hash calculations. This is part of the fix for
bug #3496608 to randomize hash parameters.
When compiled with XML_ATTR_INFO defined, adds new API member
XML_GetAttributeInfo() that allows retrieving the byte
offsets for attribute names and values (patch #3446384).
Added CMake build system.
See bug #2990652 and patch #3312568.
Added run-benchmark target to Makefile.in - relies on testdata module
present in the same relative location as in the repository.

branches: 1.1.1.1.2; 1.1.1.1.6; 1.1.1.1.8;
Initial import of "expat" 2.0.1 into base:
This is James Clark's expat XML parser library in C. It is a stream
oriented parser that requires setting handlers to deal with the
structure that the parser discovers in the document.

This is the first part of the fix for PR lib/40346.

Import of a new expat version. Upstream Changes:

Release 2.1.1 Sat March 12 2016
Security fixes:
#582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer

Bug fixes:
#502: Fix potential null pointer dereference
#520: Symbol XML_SetHashSalt was not exported
Output of "xmlwf -h" was incomplete

Other changes
#503: Document behavior of calling XML_SetHashSalt with salt 0
Minor improvements to man page xmlwf(1)
Improvements to the experimental CMake build system
libtool now invoked with --verbose

branches: 1.1.1.2.2; 1.1.1.2.12; 1.1.1.2.14;
import of expat 2.1.0
Fixes CVE-2012-1147, CVE-2012-1148 and CVE-2012-0876 (other security
issues have been previously fixed in our tree)

relevant Changes:
Release 2.1.0 Sat March 24 2012
- Bug Fixes:
#1742315: Harmful XML_ParserCreateNS suggestion.
#2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
#1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
#1983953, 2517952, 2517962, 2649838:
Build modifications using autoreconf instead of buildconf.sh.
#2815947, #2884086: OBJEXT and EXEEXT support while building.
#1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
#2517938: xmlwf should return non-zero exit status if not well-formed.
#2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml.
#2855609: Dangling positionPtr after error.
#2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
#2958794: CVE-2012-1148 - Memory leak in poolGrow.
#2990652: CMake support.
#3010819: UNEXPECTED_STATE with a trailing "%" in entity value.
#3206497: Unitialized memory returned from XML_Parse.
#3287849: make check fails on mingw-w64.
#3496608: CVE-2012-0876 - Hash DOS attack.
- Patches:
#1749198: pkg-config support.
#3010222: Fix for bug #3010819.
#3312568: CMake support.
#3446384: Report byte offsets for attr names and values.
- New Features / API changes:
Added new API member XML_SetHashSalt() that allows setting an intial
value (salt) for hash calculations. This is part of the fix for
bug #3496608 to randomize hash parameters.
When compiled with XML_ATTR_INFO defined, adds new API member
XML_GetAttributeInfo() that allows retrieving the byte
offsets for attribute names and values (patch #3446384).
Added CMake build system.
See bug #2990652 and patch #3312568.
Added run-benchmark target to Makefile.in - relies on testdata module
present in the same relative location as in the repository.

branches: 1.1.1.1.2; 1.1.1.1.6; 1.1.1.1.8;
Initial import of "expat" 2.0.1 into base:
This is James Clark's expat XML parser library in C. It is a stream
oriented parser that requires setting handlers to deal with the
structure that the parser discovers in the document.

This is the first part of the fix for PR lib/40346.