Update expat to 2.2.0 to fix CVE vulnerability.

third_party/expat/files/Changes

+Release 2.2.0 Tue June 21 2016

[dominicc (has gone to gerrit), 2017/03/21 06:39:33]

Did you update third_party/expat/README.chromium pointing to where you got this
release and how you configured it?

+        Security fixes:
+            #537  CVE-2016-0718 -- Fix crash on malformed input
+                  CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
+                                   CVE-2015-2716 introduced with Expat 2.1.1
+            #499  CVE-2016-5300 -- Use more entropy for hash initialization
+                                   than the original fix to CVE-2012-0876
+            #519  CVE-2012-6702 -- Resolve troublesome internal call to srand
+                                   that was introduced with Expat 2.1.0
+                                   when addressing CVE-2012-0876 (issue #496)
+
+        Bug fixes:
+                  Fix uninitialized reads of size 1
+                    (e.g. in little2_updatePosition)
+                  Fix detection of UTF-8 character boundaries
+
+        Other changes:
+            #532  Fix compilation for Visual Studio 2010 (keyword "C99")
+                  Autotools: Resolve use of "$<" to better support bmake
+                  Autotools: Add QA script "qa.sh" (and make target "qa")
+                  Autotools: Respect CXXFLAGS if given
+                  Autotools: Fix "make run-xmltest"
+                  Autotools: Have "make run-xmltest" check for expected output
+             p90  CMake: Fix static build (BUILD_shared=OFF) on Windows
+            #536  CMake: Add soversion, support -DNO_SONAME=yes to bypass
+            #323  CMake: Add suffix "d" to differentiate debug from release
+                  CMake: Define WIN32 with CMake on Windows
+                  Annotate memory allocators for GCC
+                  Address all currently known compile warnings
+                  Make sure that API symbols remain visible despite
+                    -fvisibility=hidden
+                  Remove executable flag from source files
+                  Resolve COMPILED_FROM_DSP in favor of WIN32
+
+        Special thanks to:
+            Björn Lindahl
+            Christian Heimes
+            Cristian Rodríguez
+            Daniel Krügler
+            Gustavo Grieco
+            Karl Waclawek
+            László Böszörményi
+            Marco Grassi
+            Pascal Cuoq
+            Sergei Nikulov
+            Thomas Beutlich
+            Warren Young
+            Yann Droneaud
+
+Release 2.1.1 Sat March 12 2016
+        Security fixes:
+            #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer
+
+        Bug fixes:
+            #502: Fix potential null pointer dereference
+            #520: Symbol XML_SetHashSalt was not exported
+            Output of "xmlwf -h" was incomplete
+
+        Other changes:
+            #503: Document behavior of calling XML_SetHashSalt with salt 0
+            Minor improvements to man page xmlwf(1)
+            Improvements to the experimental CMake build system
+            libtool now invoked with --verbose
+
 Release 2.1.0 Sat March 24 2012
         - Bug Fixes:
           #1742315: Harmful XML_ParserCreateNS suggestion.
           #2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
           #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
           #1983953, 2517952, 2517962, 2649838: 
                 Build modifications using autoreconf instead of buildconf.sh.
           #2815947, #2884086: OBJEXT and EXEEXT support while building.
           #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
           #2517938: xmlwf should return non-zero exit status if not well-formed.
           #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml.
           #2855609: Dangling positionPtr after error.
           #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
           #2958794: CVE-2012-1148 - Memory leak in poolGrow.
           #2990652: CMake support.
           #3010819: UNEXPECTED_STATE with a trailing "%" in entity value.
           #3206497: Unitialized memory returned from XML_Parse.
           #3287849: make check fails on mingw-w64.
           #3496608: CVE-2012-0876 - Hash DOS attack.
         - Patches:
           #1749198: pkg-config support.
           #3010222: Fix for bug #3010819.
           #3312568: CMake support.
           #3446384: Report byte offsets for attr names and values.
         - New Features / API changes:
-          Added new API member XML_SetHashSalt() that allows setting an intial
+          Added new API member XML_SetHashSalt() that allows setting an initial
                 value (salt) for hash calculations. This is part of the fix for
                 bug #3496608 to randomize hash parameters.
           When compiled with XML_ATTR_INFO defined, adds new API member
                 XML_GetAttributeInfo() that allows retrieving the byte
                 offsets for attribute names and values (patch #3446384).
           Added CMake build system.
                 See bug #2990652 and patch #3312568.
           Added run-benchmark target to Makefile.in - relies on testdata module
                 present in the same relative location as in the repository.
           
@@ skipping 159 matching lines @@
                 o XML_SetXmlDeclHandler
                 o XML_SetEntityDeclHandler
                 o StartDoctypeDeclHandler takes 3 additional parameters:
                         sysid, pubid, has_internal_subset
                 o Many paired handler setters (like XML_SetElementHandler)
                   now have corresponding individual handler setters
                 o XML_GetInputContext for getting the input context of
                   the current parse position.
         - Added reference material
         - Packaged into a distribution that builds a sharable library