(Expat logo)

Expat is an XML parser library written in C. It is a stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags). An introductory article on using Expat is available on xml.com.

This project aims to maintain Expat for both current and future users while improving the API to allow more reliable and robust access from "scripting" languages such as Python and Perl. We invite the community to participate on the mailing lists to help shape the future of Expat.


21 June 2016, Expat 2.2.0 released.

Release 2.2.0 includes security & other bug fixes.

Security fixes

CVE-2016-0718 (issue 537)
Fix crash on malformed input
Improve insufficient fix to CVE-2015-1283 / CVE-2015-2716 introduced with Expat 2.1.1
CVE-2016-5300 (issue 499)
Use more entropy for hash initialization than the original fix to CVE-2012-0876
CVE-2012-6702 (issue 519)
Resolve troublesome internal call to srand that was introduced with Expat 2.1.0 when addressing CVE-2012-0876 (issue 496)

Bug fixes

  • Fix uninitialized reads of size 1 (e.g. in little2_updatePosition)
  • Fix detection of UTF-8 character boundaries

Other changes

  • Fix compilation for Visual Studio 2010 (bug 532)
  • Autotools: Resolve use of "$<" to better support bmake
  • Autotools: Add QA script "qa.sh" (and make target "qa")
  • Autotools: Respect CXXFLAGS if given
  • Autotools: Fix "make run-xmltest"
  • Autotools: Have "make run-xmltest" check for expected output
  • CMake: Fix static build (BUILD_shared=OFF) on Windows (patch 90)
  • CMake: Add soversion, support -DNO_SONAME=yes to bypass (bug 536)
  • CMake: Add suffix "d" to differentiate debug from release (bug 323)
  • CMake: Define WIN32 with CMake on Windows
  • Annotate memory allocators for GCC
  • Address all currently known compile warnings
  • Make sure that API symbols remain visible despite -fvisibility=hidden
  • Remove executable flag from source files
  • Resolve COMPILED_FROM_DSP in favor of WIN32

Special thanks to

  • Björn Lindahl
  • Christian Heimes
  • Cristian Rodríguez
  • Daniel Krügler
  • Gustavo Grieco
  • Karl Waclawek
  • László Böszörményi
  • Marco Grassi
  • Pascal Cuoq
  • Sergei Nikulov
  • Thomas Beutlich
  • Warren Young
  • Yann Droneaud
12 March 2016, Expat 2.1.1 released.

Release 2.1.1 includes security & other bug fixes.

Security fixes

Bug fixes

  • Fix potential null pointer dereference (bug 502)
  • Symbol XML_SetHashSalt was not exported (bug 520)
  • Output of xmlwf -h was incomplete

Other changes

  • Document behavior of calling XML_SetHashSalt with salt 0 (bug 503)
  • Minor improvements to man page xmlwf(1)
  • Improvements to the experimental CMake build system
  • libtool now invoked with --verbose
24 March 2012, Expat 2.1.0 released.

Release 2.1.0 includes security & other bug fixes, new features, and updated build support.

Security fixes

New features

  • Added function XML_SetHashSalt that allows setting an initial value (salt) for hash calculations (part of the fix for bug 3496608).
  • When compiled with XML_ATTR_INFO defined, adds new API member XML_GetAttributeInfo() that allows retrieving the byte offsets for attribute names and values (patch 3446384).
  • Added CMake build system (bug 2990652, patch 3312568).
  • Added run-benchmark target to Makefile.in - relies on testdata module present in the same relative location as in the repository.

Bug fixes

  • Harmful XML_ParserCreateNS suggestion (1742315)
  • CVE-2012-1147 - Resource leak in readfilemap.c (2895533)
  • Expat build fails on linux-amd64 with gcc version>=4.1 -O3 (1785430)
  • Build modifications using autoreconf instead of buildconf.sh (1983953, 2517952, 2517962, 2649838)
  • OBJEXT and EXEEXT support while building (2815947, 2884086)
  • CVE-2009-3720 - Parser crash with special UTF-8 sequences (1990430)
  • xmlwf should return non-zero exit status if not well-formed (2517938)
  • Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml (2517946)
  • Dangling positionPtr after error (2855609)
  • CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8() (2894085)
  • CVE-2012-1148 - Memory leak in poolGrow (2958794)
  • UNEXPECTED_STATE with a trailing "%" in entity value (3010819)
  • Unitialized memory returned from XML_Parse (3206497)
  • make check fails on mingw-w64 (87849)
5 June 2007, Expat 2.0.1 released.

Release 2.0.1 of the Expat XML parser is a bugfix release resolving both code and build related issues. Changes include:

  • Fixed: The character data handler's calling of XML_StopParser() was not handled properly; if the parser was stopped and the handler set to NULL, the parser would segfault.
  • Fixed: Expat failed on EBCDIC systems as it assumed some character constants to be ASCII encoded.
  • Minor cleanups of the test harness.
  • Minor fixes for xmlwf and example programs.
  • Fixes and improvements for the Windows platform. New Windows directory structure.
  • Build fixes for various platforms: HP-UX, Tru64, Solaris 9.
  • Build fixes for Unix:
    - Refreshed config.sub/config.guess.
    - Support both, DESTDIR and INSTALL_ROOT, without relying on GNU-Make specific features.
    - Patched configure.in to work better with Intel compiler.
    - Fixes to Makefile.in to have make check work correctly.
  • Added Open Watcom support.
11 January 2006, Expat 2.0.0 released.

Release 2.0.0 of the Expat XML parser is the end point of the 1.95.X series of releases. The goal was to solidify and stabilize the implementation of the given API, to add desirable features as long as they fit with the API, and to keep the API backwards compatible if extensions were required. Changes include:

  • Fixed headers for use from C++.
  • XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber() now return unsigned integers.
  • Added XML_LARGE_SIZE switch to enable 64-bit integers for byte indexes and line/column numbers.
  • Added support for AmigaOS.
  • Some mostly minor bug fixes. SF issues include: 1006708, 1021776, 1023646, 1114960, 1156398, 1221160, 1271642.

Old news archive

References & 3rd-party Wrappers

If you know of any additional articles or resources which should be linked to from this page, please send email to Fred Drake (fdrake@acm.org). We're especially interested in links to tutorial information and open source interfaces to Expat from languages other than C.

SourceForge.net Logo