On Mon, Sep 12, 2016 at 05:35:15PM -0400, Leo Famulari wrote:
> This patch applies an upstream patch for a regression caused by the fix
> for CVE-2016-0718.
>
> Apparently, the bug only manifests when building with -DXML_UNICODE,
> which I don't think our package does.

Sebastian Pipping (the Expat maintainer) contacted me to recommend that we apply the patch on the master branch. He says that the faulty code path can be reached even when XML_UNICODE is not defined. Apparently, building with -DXML_UNICODE merely makes it easier to reach the faulty code.

I think we should take Sebastian's advice. What does everyone think?