A flaw was found in expat. Passing malformed 2- and 3-byte UTF-8 sequences to the XML processing application on top of expat can lead to arbitrary code execution. This issue is dependent on how invalid UTF-8 is handled inside the XML processor