Libexpat Project ≫ Libexpat

libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.

In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.

libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.

In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.

xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.

xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.

Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.

Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.