Expat 2.3.0 has been released
libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.
Expat 2.3.0 was released earlier today. Simplified, this release brings…
- bugfixes,
- improvements to both build systems, and
- improvements to xmlwf usability.
For more details, please check out the changelog.
With this release, the combination of continuous integration and Clang's sanitizers — in Expat's case AddressSanitizer ("ASan"), LeakSanitizer ("LeakSan") and UndefinedBehaviorSanitizer ("UBSan") — proved invaluable once more by preventing the introduction of new bugs into the code base. It was interesting to see in particular, how Clang 11 found an issue that Clang 9 was still blind to; so updating the toolchain paid off.
Let me take the occasion of one bugfix in 2.3.0 related to function XML_ParseBuffer for a reminder that using XML_ParseBuffer over XML_Parse can reduce your application's memory footprint by up to a factor of 2, because you no longer keep the same data in two buffers — one outside of Expat and one inside. With XML_ParseBuffer those two buffers become one.
I have taken the close releases of two C libraries — first uriparser 0.9.5 about a week ago and now libexpat 2.3.0 — as a reason to research answers to my own open questions about bumping linker arguments -version-info C:R:A properly in every situation. That led to finding a simpler, more human-friendly algorithm, and also building a free interactive web-tool served at https://verbump.de/ to make that topic more approachable to the community.
I still see many old, buggy, vulnerable copies of Expat on the Internet: anything unpatched before 2.2.8 is documented vulnerable, in particular. If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.3.0. Thank you!
Sebastian Pipping