Expat 2.3.0 has been released
March 25, 2021
Submitted by Sebastian Pipping.
libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.
Expat 2.3.0 has been released earlier today. Simplified, this release brings…
- bugfixes,
- improvements to both build systems, and
- improvements to xmlwf usability.
For more details, please check out the changelog.
With this release, the combination of continuous integration and Clang's sanitizers — in Expat's case AddressSanitizer ("ASan"), LeakSanitizer ("LeakSan") and UndefinedBehaviorSanitizer ("UBSan") — proved invaluable once more by preventing the introduction of new bugs into the code base. It was interesting to see in particular, how Clang 11 found an issue that Clang 9 was still blind to; so updating the toolchain paid off.
Let me take the occasion of one bugfix in 2.3.0 related to function XML_ParseBuffer for a reminder that using XML_ParseBuffer over XML_Parse can reduce your application's memory footprint by up to a factor of 2, because you no longer keep the same data in two buffers — one outside of Expat and one inside. With XML_ParseBuffer those two buffers become one.
I have taken the close releases of two C libraries — first uriparser 0.9.5 about a week ago and now libexpat 2.3.0 — for a reason to research answers to my own open questions about bumping linker arguments -version-info C:R:A properly in every situation. That led to finding a simpler, more human-friendly algorithm, and also building a free interactive web-tool served at https://verbump.de/ to make that topic more approachable to the community.
I still see many old, buggy, vulnerable copies of Expat on the Internet: anything unpatched before 2.2.8 is documented vulnerable, in particular. If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.3.0. Thank you!
Sebastian Pipping
This article first appeared at blog.hartwork.org.