Bundled expat version 2.6.3

[matejk]

Security fixes.

Fixes #4123.

https://github.com/libexpat/libexpat/blob/R_2_6_3/expat/Changes

#887 #890  CVE-2024-45490 -- Calling function XML_ParseBuffer with
                len < 0 without noticing and then calling XML_GetBuffer
                will have XML_ParseBuffer fail to recognize the problem
                and XML_GetBuffer corrupt memory.
                With the fix, XML_ParseBuffer now complains with error
                XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse
                has been doing since Expat 2.2.1, and now documented.
                Impact is denial of service to potentially artitrary code
                execution.
   #888 #891  CVE-2024-45491 -- Internal function dtdCopy can have an
                integer overflow for nDefaultAtts on 32-bit platforms
                (where UINT_MAX equals SIZE_MAX).
                Impact is denial of service to potentially artitrary code
                execution.
   #889 #892  CVE-2024-45492 -- Internal function nextScaffoldPart can
                have an integer overflow for m_groupSize on 32-bit
                platforms (where UINT_MAX equals SIZE_MAX).
                Impact is denial of service to potentially artitrary code
                execution.

[obiltschnig]

Some changes seem to be missing. E.g., the version number in expat.h and expat_config.h have not been updated. Also, winconfig.h is not needed. The changes in xmlrole.c and xmltok.c are not needed.

For reference, compare the expat release with the previous one.

[matejk]

Some changes seem to be missing. E.g., the version number in expat.h and expat_config.h have not been updated. Also, winconfig.h is not needed. The changes in xmlrole.c and xmltok.c are not needed.

For reference, compare the expat release with the previous one.

I corrected all files except expat_config.h which doesn't seem to contain expat version info.

[obiltschnig]

lgtm