Skip to content

Comments

gh-144984: Fix crash in ExternalEntityParserCreate() error paths#144992

Open
raminfp wants to merge 3 commits intopython:mainfrom
raminfp:fix-pyexpat-extentity-error-paths
Open

gh-144984: Fix crash in ExternalEntityParserCreate() error paths#144992
raminfp wants to merge 3 commits intopython:mainfrom
raminfp:fix-pyexpat-extentity-error-paths

Conversation

@raminfp
Copy link
Contributor

@raminfp raminfp commented Feb 19, 2026
edited by bedevere-app bot
Loading

Fix crash when ExternalEntityParserCreate() hits an error path
(allocation failure). Py_DECREF(new_parser) calls xmlparse_dealloc()
on a partially-initialized object where handlers is NULL, causing a
NULL pointer dereference in clear_handlers. Additionally,
Py_CLEAR(parent) in dealloc already decrements the parent's refcount,
making the subsequent Py_DECREF(self) a double-decrement.

  • Add NULL guard in clear_handlers
  • Set parent = NULL before Py_DECREF(new_parser) in each error path

@raminfp
pythongh-144984: Fix crash in ExternalEntityParserCreate() error paths
4b45e07 
When ExternalEntityParserCreate() hits an error path (allocation
failure), Py_DECREF(new_parser) triggers xmlparse_dealloc() on a
partially-initialized object:

1. handlers is NULL, so clear_handlers dereferences NULL (SEGV).
2. Py_CLEAR(parent) in dealloc already decrements the parent's
   refcount, so the explicit Py_DECREF(self) is a double-decrement.

Fix by adding a NULL guard in clear_handlers and setting parent to
NULL before Py_DECREF(new_parser) in each error path so that dealloc
does not over-decrement the parent's refcount.
@bedevere-app bedevere-app bot mentioned this pull request Feb 19, 2026
Open
picnixz
picnixz reviewed Feb 19, 2026
View reviewed changes
picnixz
picnixz reviewed Feb 19, 2026
View reviewed changes
@raminfp raminfp requested a review from picnixz February 20, 2026 04:58
picnixz
picnixz approved these changes Feb 20, 2026
View reviewed changes
Copy link
Member

@picnixz picnixz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, though let's quickly ask @hartwork on that since he wrote that PR.

@picnixz picnixz added needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels Feb 20, 2026
@picnixz
Copy link
Member

picnixz commented Feb 20, 2026

@hugovk What's our policy about fixing security issues? should we backport them as far as the original security fix went?

@benediktjohannes
Copy link
Contributor

benediktjohannes commented Feb 20, 2026

@picnixz very interesting question! I asked that question to myself as well one time in #144118 where it was indirectly answered because this was only backported to the versions that still recieve bug fixes and not the ones which recieve security updates, but I'm not quite sure whether this is the best solution. And maybe my comment just wasn't seen anymore, but this would at least be consistent. So if this is also backported, I suggest that #144118 should be as well.

@benediktjohannes
Copy link
Contributor

benediktjohannes commented Feb 20, 2026

I hope this helps a little bit! 👍

@benediktjohannes
Copy link
Contributor

benediktjohannes commented Feb 20, 2026

@picnixz very interesting question! I asked that question to myself as well one time in #144118 where it was indirectly answered because this was only backported to the versions that still recieve bug fixes and not the ones which recieve security updates, but I'm not quite sure whether this is the best solution. And maybe my comment just wasn't seen anymore, but this would at least be consistent. So if this is also backported, I suggest that #144118 should be as well.

"And one other question: How do we handle this concerning backports? Theoretically this is a bug fix, so it should be ported back to only a few supported versions (those recieving bug fixes and not those only recieving security updates) while this seems kind of interesting to me because the other patch (the denial of these chars) was a security update and for this reason applied backward also to those versions only getting security updates and this included this kind of "bug" and for this reason a "old version" now has a new bug through a new update which is not any more patched if we don't apply this to the ones only recieving security updates which is maybe a little bit a of a problem because those using older versions probably do this because they want them to be stable and in this case we "added a bug" / removed a feature and we won't apply it back to them. So will we also merge this to 3.10 and so on?" was my original comment on the other issue (so that you don't have to search for this)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@picnixz picnixz picnixz approved these changes

Assignees

No one assigned

Labels

awaiting merge needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@raminfp @picnixz @benediktjohannes