I've been testing two versions (1.95.0 and 2.1.0) of Expat using the Radamsa fuzz testing tool (https://code.google.com/p/ouspg/wiki/Radamsa). This tool generates a ton of malformed input from a sample file. I used the XML specification as an input since it has tons of encoding edge cases.
I see a crash inside XML_ParserFree in 2.1.0 with this stacktrace:
#0 poolDestroy [inlined] () at /Users/pjl/project/test_projects/expat/expat-2.1.0/lib/xmlparse.c:6132
6132 BLOCK *tem = p->next;
#0 poolDestroy [inlined] () at /Users/pjl/project/test_projects/expat/expat-2.1.0/lib/xmlparse.c:6132
#1 0x000000010ac03a70 in XML_ParserFree (parser=0x65646d7265742020) at xmlparse.c:1170
#2 0x000000010abf9c34 in main (argc=1702109216, argv=0x10ac45a00) at outline.c:104
The following are attached; hopefully they'll be enough to reproduce the bug:
--The XML spec used as input to Radamsa
--The shell script used to run Radamsa against the Expat example code
--The malformed XML that Radamsa produced
--The OSX binary of the Expat example code
I also have the core files, but they're a little big to upload here. Ping me if you'd like them in DropBox or elsewhere.