Skip to content

gh-144984: Fix crash in ExternalEntityParserCreate() error paths#144992

Open
raminfp wants to merge 3 commits intopython:mainfrom
raminfp:fix-pyexpat-extentity-error-paths
Open

gh-144984: Fix crash in ExternalEntityParserCreate() error paths#144992
raminfp wants to merge 3 commits intopython:mainfrom
raminfp:fix-pyexpat-extentity-error-paths

Conversation

@raminfp
Copy link
Contributor

@raminfp raminfp commented Feb 19, 2026
edited by bedevere-app bot
Loading

Fix crash when ExternalEntityParserCreate() hits an error path
(allocation failure). Py_DECREF(new_parser) calls xmlparse_dealloc()
on a partially-initialized object where handlers is NULL, causing a
NULL pointer dereference in clear_handlers. Additionally,
Py_CLEAR(parent) in dealloc already decrements the parent's refcount,
making the subsequent Py_DECREF(self) a double-decrement.

  • Add NULL guard in clear_handlers
  • Set parent = NULL before Py_DECREF(new_parser) in each error path

@raminfp
pythongh-144984: Fix crash in ExternalEntityParserCreate() error paths
4b45e07 
When ExternalEntityParserCreate() hits an error path (allocation
failure), Py_DECREF(new_parser) triggers xmlparse_dealloc() on a
partially-initialized object:

1. handlers is NULL, so clear_handlers dereferences NULL (SEGV).
2. Py_CLEAR(parent) in dealloc already decrements the parent's
   refcount, so the explicit Py_DECREF(self) is a double-decrement.

Fix by adding a NULL guard in clear_handlers and setting parent to
NULL before Py_DECREF(new_parser) in each error path so that dealloc
does not over-decrement the parent's refcount.
@bedevere-app bedevere-app bot mentioned this pull request Feb 19, 2026
Open
picnixz
picnixz reviewed Feb 19, 2026
View reviewed changes
picnixz
picnixz reviewed Feb 19, 2026
View reviewed changes
@raminfp raminfp requested a review from picnixz February 20, 2026 04:58
picnixz
picnixz approved these changes Feb 20, 2026
View reviewed changes
Copy link
Member

@picnixz picnixz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, though let's quickly ask @hartwork on that since he wrote that PR.

@picnixz picnixz added needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels Feb 20, 2026
@picnixz
Copy link
Member

picnixz commented Feb 20, 2026

@hugovk What's our policy about fixing security issues? should we backport them as far as the original security fix went?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@picnixz picnixz picnixz approved these changes

Assignees

No one assigned

Labels

awaiting merge needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@raminfp @picnixz

Comments