https://github.com/python/cpython/commit/f48128b6b3722ee2b2cef026e9679e37bd5b2517
commit: f48128b6b3722ee2b2cef026e9679e37bd5b2517
branch: 3.13
author: Miss Islington (bot) <[email protected]>
committer: serhiy-storchaka <[email protected]>
date: 2025-09-30T18:14:44Z
summary:

[3.13] gh-139210: Fix use-after-free in xml.etree.ElementTree.iterparse() 
(GH-139211) (GH-139456)

(cherry picked from commit c86eb4d3ac5984efc1ea920ba643e3c4f02fdee8)

Co-authored-by: Ken Jin <[email protected]>

files:
A 
Misc/NEWS.d/next/Core_and_Builtins/2025-09-21-15-58-57.gh-issue-139210.HGbMvz.rst
M Lib/test/test_xml_etree.py
M Modules/_elementtree.c

diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py
index 12efa006cd509d..78598b35dae050 100644
--- a/Lib/test/test_xml_etree.py
+++ b/Lib/test/test_xml_etree.py
@@ -1750,6 +1750,8 @@ def __next__(self):
     def test_unknown_event(self):
         with self.assertRaises(ValueError):
             ET.XMLPullParser(events=('start', 'end', 'bogus'))
+        with self.assertRaisesRegex(ValueError, "unknown event 'bogus'"):
+            ET.XMLPullParser(events=(x.decode() for x in (b'start', b'end', 
b'bogus')))
 
     @unittest.skipIf(pyexpat.version_info < (2, 6, 0),
                      f'Expat {pyexpat.version_info} does not '
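Review bot: The new assertion in `test_unknown_event` does not say why the events are passed as a generator of freshly decoded strings instead of a tuple literal like the assertion above it. Presumably the point is that the sequence materialised inside `_setevents` then holds the only reference to each event string, which is the condition under which the old early `Py_DECREF` freed the name before it was formatted. A comment above the `with`, such as `# gh-139210: event strings must be owned only by the temporary sequence`, would stop a later cleanup from simplifying it to a literal tuple and silently losing the regression coverage. Reading freed memory does not reliably crash, so in a normal build the message regex is the only signal, and the comment could also note that the test is most meaningful under a sanitizer or debug allocator build.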
diff --git 
a/Misc/NEWS.d/next/Core_and_Builtins/2025-09-21-15-58-57.gh-issue-139210.HGbMvz.rst
 
b/Misc/NEWS.d/next/Core_and_Builtins/2025-09-21-15-58-57.gh-issue-139210.HGbMvz.rst
new file mode 100644
index 00000000000000..1227b29a68a9d7
--- /dev/null
+++ 
b/Misc/NEWS.d/next/Core_and_Builtins/2025-09-21-15-58-57.gh-issue-139210.HGbMvz.rst
@@ -0,0 +1 @@
+Fix use-after-free when reporting unknown event in 
:func:`xml.etree.ElementTree.iterparse`. Patch by Ken Jin.
diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c
index 3926ef3ef835e1..020b7454add224 100644
--- a/Modules/_elementtree.c
+++ b/Modules/_elementtree.c
@@ -4180,8 +4180,8 @@ _elementtree_XMLParser__setevents_impl(XMLParserObject 
*self,
                 (XML_ProcessingInstructionHandler) expat_pi_handler
                 );
         } else {
-            Py_DECREF(events_seq);
             PyErr_Format(PyExc_ValueError, "unknown event '%s'", event_name);
+            Py_DECREF(events_seq);
             return NULL;
         }
     }
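Review bot: The statement order in this `else` branch now matters for memory safety, but nothing in the code says why. `event_name` is presumably a borrowed pointer into a string owned by an item of `events_seq`, so it is valid only until that sequence is released. I would add `/* event_name borrows from events_seq; format the error before releasing it */` above the `PyErr_Format` call so the two lines are not swapped back in a later tidy-up. The body of `_elementtree_XMLParser__setevents_impl` starts and ends outside this hunk, so it is worth confirming that no other exit path reads `event_name` after dropping `events_seq`.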
